summaryrefslogtreecommitdiff
path: root/Documentation/security
diff options
context:
space:
mode:
authorRichard Haines <richard_c_haines@btinternet.com>2018-03-19 20:33:36 +0300
committerPaul Moore <paul@paul-moore.com>2018-03-20 23:26:15 +0300
commitd3cc2cd7c8d7adfb43075036878e319d5893280d (patch)
treed32051445aa3bb3692760e35a54d8d2e5be7ba74 /Documentation/security
parent68741a8adab900fafb407532e6bae0887f14fbe0 (diff)
downloadlinux-d3cc2cd7c8d7adfb43075036878e319d5893280d.tar.xz
selinux: Update SELinux SCTP documentation
Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect how the association permission is validated. Reported-by: Dominick Grift <dac.override@gmail.com> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r--Documentation/security/SELinux-sctp.rst11
1 files changed, 6 insertions, 5 deletions
diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst
index 2f66bf30658a..a332cb1c5334 100644
--- a/Documentation/security/SELinux-sctp.rst
+++ b/Documentation/security/SELinux-sctp.rst
@@ -116,11 +116,12 @@ statement as shown in the following example::
SCTP Peer Labeling
===================
An SCTP socket will only have one peer label assigned to it. This will be
-assigned during the establishment of the first association. Once the peer
-label has been assigned, any new associations will have the ``association``
-permission validated by checking the socket peer sid against the received
-packets peer sid to determine whether the association should be allowed or
-denied.
+assigned during the establishment of the first association. Any further
+associations on this socket will have their packet peer label compared to
+the sockets peer label, and only if they are different will the
+``association`` permission be validated. This is validated by checking the
+socket peer sid against the received packets peer sid to determine whether
+the association should be allowed or denied.
NOTES:
1) If peer labeling is not enabled, then the peer context will always be