From: Ivan Gyurdiev <gyurdiev@redhat.com>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: Daniel J Walsh <dwalsh@redhat.com>,
Karl MacMillan <kmacmillan@tresys.com>,
selinux@tycho.nsa.gov
Subject: Iptables discussion
Date: Fri, 22 Jul 2005 07:53:26 -0400 [thread overview]
Message-ID: <1122033206.19625.7.camel@localhost.localdomain> (raw)
In-Reply-To: <42E0310B.5070404@tresys.com>
On Thu, 2005-07-21 at 19:34 -0400, Joshua Brindle wrote:
> Ivan Gyurdiev wrote:
>
> >>I don't think thats such a great idea. Really alot of the meat of the
> >>define_* functions has already moved to declare_symbol. The stuff that
> >>is remaining is really parser specific such as handling where things can
> >>be declared, handling multiple declarations, etc. It serves no purpose
> >>to generalize this code as it really is about how to parse the policy
> >>and not how to build up these structures.
> >>
> >>
> >
> >How can I add te_avtab rules to policy at the moment, without
> >using checkpolicy?
> >
> >
> All the te_avtab code has been removed from checkpolicy for the modules.
> In fact, aside from checking type transition conflicts, checkpolicy
> doesn't add any rules at all to the avtab, this is done at expand time.
>
> further, avtab_insert, avtab_search, etc have always been in libsepol,
> in avtab.c
static avtab_ptr_t
avtab_insert_node(avtab_t *h, int hvalue, avtab_ptr_t prev,
avtab_key_t *key, avtab_datum_t *datum)
This is not the high level API that I am looking for.
A caller of this function would not know, or care, what prev is,
or what the format of a datum is, or what table this would go into.
------
Let me get to the point - we have iptables, which configures netfilter.
Then we have policy, which configures selinux. That's two configuration
systems, and having two configuration systems is not good - you have to
go change both to get anything to work. Furthermore, iptables has
a superior configuration system from a user's point of view, because
it's easier to work with than writing policy in m4 macros.
So, what do we do about that? Dan is suggesting we might integrate
iptables with policy, and have it automatically generate some rules,
pertaining to interfaces, ports, etc... we can now query sepol
for the port label, and query sepol for the interface label.
I'm not sure how this should be done, or whether this should be done,
but it merits further discussion. Should modules play a role into
this...is it a good idea...etc.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-07-22 11:56 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-07-21 17:40 [ libsepol 2/6] Ports Ivan Gyurdiev
2005-07-21 18:04 ` Joshua Brindle
2005-07-21 18:06 ` Ivan Gyurdiev
2005-07-21 18:27 ` Ivan Gyurdiev
2005-07-21 19:35 ` Karl MacMillan
2005-07-21 19:38 ` Ivan Gyurdiev
2005-07-21 20:30 ` Karl MacMillan
2005-07-21 20:47 ` Ivan Gyurdiev
2005-07-21 21:06 ` Joshua Brindle
2005-07-21 21:06 ` Ivan Gyurdiev
2005-07-21 21:15 ` Joshua Brindle
2005-07-21 21:25 ` Ivan Gyurdiev
2005-07-21 23:34 ` Joshua Brindle
2005-07-22 11:53 ` Ivan Gyurdiev [this message]
2005-07-22 12:31 ` Iptables discussion Daniel J Walsh
2005-07-22 12:46 ` Karl MacMillan
2005-07-22 13:44 ` Ivan Gyurdiev
2005-07-22 14:19 ` Karl MacMillan
2005-07-22 14:24 ` Ivan Gyurdiev
2005-07-22 15:28 ` Karl MacMillan
2005-07-22 18:18 ` Ivan Gyurdiev
2005-07-22 18:40 ` Karl MacMillan
2005-07-22 19:01 ` Ivan Gyurdiev
2005-07-22 14:42 ` Daniel J Walsh
2005-07-22 15:28 ` Karl MacMillan
2005-07-22 14:51 ` Joshua Brindle
2005-07-22 14:51 ` Joshua Brindle
2005-07-22 15:39 ` Ivan Gyurdiev
2005-07-22 15:57 ` Karl MacMillan
2005-07-22 16:14 ` Ivan Gyurdiev
2005-07-22 16:31 ` Karl MacMillan
2005-07-22 17:59 ` Ivan Gyurdiev
2005-07-22 16:28 ` Ivan Gyurdiev
2005-07-22 17:28 ` Jason Tang
2005-07-22 17:54 ` Ivan Gyurdiev
2005-07-22 18:28 ` Jason Tang
2005-07-22 18:32 ` Ivan Gyurdiev
2005-07-22 19:19 ` Joshua Brindle
2005-07-22 19:44 ` Ivan Gyurdiev
2005-07-22 19:56 ` Joshua Brindle
2005-07-22 20:18 ` Ivan Gyurdiev
2005-07-22 20:56 ` Ivan Gyurdiev
2005-07-22 15:46 ` Casey Schaufler
2005-07-22 15:54 ` Joshua Brindle
2005-07-22 16:11 ` Frank Mayer
2005-07-22 18:56 ` Casey Schaufler
2005-07-24 5:25 ` James Morris
2005-07-24 15:28 ` Casey Schaufler
2005-07-25 4:24 ` James Morris
2005-07-25 15:37 ` Daniel J Walsh
2005-07-25 18:24 ` Christopher J. PeBenito
2005-07-25 18:28 ` Ivan Gyurdiev
2005-07-25 18:43 ` Ivan Gyurdiev
2005-07-25 18:55 ` Daniel J Walsh
2005-07-25 19:01 ` Joshua Brindle
2005-07-25 19:53 ` Ivan Gyurdiev
2005-07-25 22:42 ` Joshua Brindle
2005-07-26 0:07 ` Ivan Gyurdiev
2005-07-26 0:13 ` Joshua Brindle
2005-07-22 12:37 ` Karl MacMillan
-- strict thread matches above, loose matches on Subject: below --
2005-07-22 14:54 Chad Hanson
2005-07-24 5:08 ` James Morris
2005-07-25 21:00 Chad Hanson
2005-07-25 21:04 Chad Hanson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1122033206.19625.7.camel@localhost.localdomain \
--to=gyurdiev@redhat.com \
--cc=dwalsh@redhat.com \
--cc=jbrindle@tresys.com \
--cc=kmacmillan@tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.