From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: vyekkirala@TrustedCS.com
Cc: "'Karl MacMillan'" <kmacmillan@mentalrootkit.com>,
"'Joshua Brindle'" <jbrindle@tresys.com>,
selinux@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: RE: Denials from newest kernel
Date: Mon, 16 Oct 2006 13:26:21 -0400 [thread overview]
Message-ID: <1161019581.26428.18.camel@sgc> (raw)
In-Reply-To: <000201c6f12d$9c979540$cc0a010a@tcssec.com>
On Mon, 2006-10-16 at 09:16 -0500, Venkat Yekkirala wrote:
> > > > > > > > 5. can the packet flow into the ipsec association?
> > > >
> > > > > > Without 5, we can't restrict the association traffic to just
> > > > > > http_client_packet_t, so mozilla_t can't be denied
> > > > sending/receiving
> > > > > > dns_client_packets_t over the httpd_t association.
> > > > >
> > > > > You can restrict it, but by way of the policy in the
> > SPD, where you
> > > > > can use selectors such as ipaddr, port, protocol, etc. (see
> > > > setkey(8)).
> > > > >
> > > > > The "security points" have nothing to do with ipsec
> > associations.
> > > >
> > > > This is not sufficient because it encodes the access control
> > > > policy into
> > > > the SPD,
> > >
> > > No it doesn't. You are ONLY labeling the rules in the SPD.
> > Enforcement
> > > is still via SELinux policy where you would have rules like:
> > >
> > > allow apache_t httpd_ipsec_t:association { polmatch };
> > >
> > > > instead of putting the policy in the SELinux policy. Putting
> > > > it in the SPD can't be analyzed when you do a policy analysis.
> > >
> > > Agreed and that's not what's happening. IOW, you are only labeling
> > > the rules in the SPD leveraging the SPD syntax, but enforcement is
> > > still via SELinux policy.
> >
> > No, that is what is happening. You can't tell from looking at the
> > SELinux policy that only http_server_packet_t can go on the
> > httpd_ipsec_t association, you would have to look at the SPD.
>
> You CAN, if you labeled your SPD rules properly, just like how you
> have to ensure you labeled your files and secmark rules correctly.
> What's the difference?
The above rule clearly shows a relationship between a domain(socket?)
and a SPD entry. It does not show a relationship between a packet and
an association.
When analyzing policy, the labeling is ignored until the very end where
you verify that the labeling fits the policy. If you don't know what
is in the SPD, you can not know which packets can go over the
association by looking at the above rule.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-10-16 17:26 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-10 14:42 Denials from newest kernel Venkat Yekkirala
2006-10-10 18:33 ` Christopher J. PeBenito
2006-10-10 19:15 ` Venkat Yekkirala
2006-10-10 19:35 ` Karl MacMillan
2006-10-10 19:56 ` Venkat Yekkirala
2006-10-12 18:51 ` Christopher J. PeBenito
2006-10-12 20:06 ` Venkat Yekkirala
2006-10-13 15:06 ` Christopher J. PeBenito
2006-10-13 21:52 ` Venkat Yekkirala
2006-10-16 12:31 ` Christopher J. PeBenito
2006-10-16 13:45 ` Venkat Yekkirala
2006-10-16 13:53 ` Christopher J. PeBenito
2006-10-16 14:16 ` Venkat Yekkirala
2006-10-16 17:26 ` Christopher J. PeBenito [this message]
2006-10-16 18:29 ` Venkat Yekkirala
2006-10-16 18:53 ` Paul Moore
2006-10-17 13:56 ` Christopher J. PeBenito
2006-10-17 17:58 ` Darrel Goeddel
2006-10-17 18:22 ` Christopher J. PeBenito
2006-10-17 19:23 ` Darrel Goeddel
2006-10-18 13:45 ` Christopher J. PeBenito
2006-10-19 15:57 ` Venkat Yekkirala
2006-10-20 12:41 ` Christopher J. PeBenito
2006-10-23 17:42 ` Venkat Yekkirala
2006-10-24 0:44 ` Christopher J. PeBenito
2006-10-13 22:42 ` Paul Moore
2006-10-14 1:00 ` Venkat Yekkirala
2006-10-14 12:13 ` Paul Moore
2006-10-14 19:50 ` Venkat Yekkirala
2006-10-14 20:41 ` Paul Moore
2006-10-14 20:58 ` James Morris
2006-10-14 23:01 ` Venkat Yekkirala
2006-10-16 13:16 ` Christopher J. PeBenito
2006-10-16 14:11 ` Venkat Yekkirala
2006-10-14 7:36 ` James Morris
2006-10-14 12:18 ` Paul Moore
2006-10-14 20:10 ` Venkat Yekkirala
2006-10-10 20:05 ` Christopher J. PeBenito
2006-10-11 14:04 ` Venkat Yekkirala
2006-10-12 7:19 ` James Morris
-- strict thread matches above, loose matches on Subject: below --
2006-10-10 16:28 Venkat Yekkirala
2006-10-10 15:45 Venkat Yekkirala
2006-10-10 14:18 Venkat Yekkirala
2006-10-10 14:42 ` Christopher J. PeBenito
2006-10-09 23:40 Venkat Yekkirala
2006-10-10 0:10 ` Joshua Brindle
2006-10-10 14:07 ` Christopher J. PeBenito
2006-10-10 15:55 ` Joshua Brindle
2006-10-06 21:34 Venkat Yekkirala
2006-10-06 21:17 Venkat Yekkirala
2006-10-09 14:03 ` Joshua Brindle
2006-10-06 21:15 Venkat Yekkirala
2006-10-06 21:31 ` Paul Moore
2006-10-06 20:05 Venkat Yekkirala
2006-10-06 19:43 Venkat Yekkirala
2006-10-06 15:11 Venkat Yekkirala
2006-10-06 15:17 ` Joshua Brindle
2006-10-06 16:25 ` Stephen Smalley
2006-10-06 15:21 ` Stephen Smalley
2006-10-06 15:44 ` Joshua Brindle
2006-10-06 15:56 ` Stephen Smalley
2006-10-06 16:59 ` Karl MacMillan
2006-10-06 18:31 ` Joshua Brindle
2006-10-06 19:04 ` Joshua Brindle
2006-10-06 14:23 Venkat Yekkirala
2006-10-06 14:50 ` Joshua Brindle
2006-10-06 13:45 Venkat Yekkirala
2006-10-06 13:55 ` Joshua Brindle
2006-10-06 14:39 ` Paul Moore
2006-10-06 13:31 Joshua Brindle
2006-10-06 17:32 ` James Morris
2006-10-06 18:41 ` Steve G
2006-10-06 19:50 ` James Morris
2006-10-06 19:56 ` Joshua Brindle
2006-10-06 20:13 ` Christopher J. PeBenito
2006-10-06 19:02 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1161019581.26428.18.camel@sgc \
--to=cpebenito@tresys.com \
--cc=jbrindle@tresys.com \
--cc=kmacmillan@mentalrootkit.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.