Subject: RE: Denials from newest kernel
From: "Christopher J. PeBenito"
To: vyekkirala@TrustedCS.com
Cc: "'Karl MacMillan'", "'Joshua Brindle'", selinux@tycho.nsa.gov, sds@tycho.nsa.gov
In-Reply-To: <001601c6ef11$dccb6ec0$cc0a010a@tcssec.com>
References: <001601c6ef11$dccb6ec0$cc0a010a@tcssec.com>
Content-Type: text/plain
Date: Mon, 16 Oct 2006 08:31:30 -0400
Message-Id: <1161001890.5980.173.camel@sgc>
Mime-Version: 1.0
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Fri, 2006-10-13 at 16:52 -0500, Venkat Yekkirala wrote:
> > > > 5. can the packet flow into the ipsec association?
> > Without 5, we can't restrict the association traffic to just
> > http_client_packet_t, so mozilla_t can't be denied sending/receiving
> > dns_client_packets_t over the httpd_t association.
>
> You can restrict it, but by way of the policy in the SPD, where you
> can use selectors such as ipaddr, port, protocol, etc. (see setkey(8)).
>
> The "security points" have nothing to do with ipsec associations.

This is not sufficient because it encodes the access control policy into
the SPD, instead of putting the policy in the SELinux policy. Putting it
in the SPD can't be analyzed when you do a policy analysis.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
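To make the disagreement concrete, here is an added illustration (not part of the thread, and not configuration from either participant) of what "policy in the SPD" looks like in setkey(8) syntax. The addresses (10.0.0.1 as the client, 10.0.0.2 as the server), the SPD label ipsec_spd_t and the transport-mode ESP policy are assumptions chosen for the example.

```conf
# Added example, not from the mailing-list thread. Hosts and labels are assumed.
#
# Venkat's suggestion: carry only web traffic over the association by narrowing
# the SPD entry with selectors. The upperspec "tcp" and the destination port
# [80] mean DNS (udp/53) never matches this policy, so it is never sent through
# the ESP association at all, regardless of which domain (mozilla_t, httpd_t)
# generated the packet. The SELinux label on the entry (-ctx 1 1 "...") only
# governs which domains may match the SPD entry (association:polmatch); the
# port/protocol restriction itself lives in the selectors, outside the policy.
spdadd 10.0.0.1[any] 10.0.0.2[80] tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" \
    -P out ipsec esp/transport//require;
spdadd 10.0.0.2[80] 10.0.0.1[any] tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" \
    -P in ipsec esp/transport//require;

# A broader entry for comparison: "any" upperspec, no port selectors. Now both
# http and dns traffic between the two hosts flow over the association, and the
# only thing the SELinux policy can decide about it is whether the sending
# socket's domain may use the association (association:sendto/recvfrom) and
# match this entry (association:polmatch); it cannot say "http_client_packet_t
# yes, dns_client_packet_t no" for this association.
spdadd 10.0.0.1 10.0.0.2 any -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" \
    -P out ipsec esp/transport//require;
```

Chris's objection follows directly from the first pair of entries: the "only port 80" decision is a selector in a setkey(8) file that apol and similar tools never see, whereas an allow rule between a packet type and an association type would be part of the SELinux policy and show up in the same information-flow analysis as every other rule.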