From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: vyekkirala@TrustedCS.com
Cc: sds@tycho.nsa.gov, selinux@tycho.nsa.gov, latten@austin.ibm.com,
hallyn@elg11.watson.ibm.com,
"'Trent Jaeger'" <tjaeger@cse.psu.edu>
Subject: RE: Question on checks against unlabeled
Date: Wed, 01 Nov 2006 09:48:58 -0500 [thread overview]
Message-ID: <1162392538.31675.162.camel@sgc> (raw)
In-Reply-To: <000101c6fcff$498e9960$cc0a010a@tcssec.com>
On Tue, 2006-10-31 at 09:14 -0600, Venkat Yekkirala wrote:
> Hi Chris,
>
> I am looking for some input :) from your (policywriter's) end on the
> following:
>
> I have code that now "selects" a labeled association that has the same label
> as the socket, when the socket "polmatches" a "labeled" SPD rule.
>
> There's also the following check in the kernel currently:
> allow socket_t unlabeled_t:association { sendto }
>
> The intent as explained below by Trent is to make sure a socket can
> "use" an "non-labeled" association in the following cases:
>
> a. socket matches a "non-labeled" SPD rule and hence is using a non-labeled
> IPSec SA.
>
> b. no IPSec SA being used by the socket.
>
>
> We have the following choices:
>
> 1. We retain the sendto check against unlabeled_t in the above scenarios (a
> and b).
>
> 2. We restrict the sendto check only to scenario "a" where we in fact have
> an
> association (albeit a "non-labeled" SA).
>
> 3. We eliminate the sendto check for both the scenarios.
>
> 4. We retain the check for both, but for consistency we also do the
> following
> check after we "select" a labeled SA.
>
> allow socket_t self:association { sendto };
>
> IOW, your policy will always need to have one of the following:
> allow socket_t self:association { sendto } where a "labeled" SA can be
> used.
> allow socket_t unlabeled_t:association { sendto } where an "non-labeled"
> SA or no SA at all is permitted for the socket.
>
> What's your preference?
I would say 4. In my response to James (SELinux Networking Enhancements
thread) that I sent a little earlier, I had what I would consider to be
an ideal policy.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2006-11-01 14:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-30 20:40 Question on checks against unlabeled Venkat Yekkirala
2006-10-30 20:58 ` Trent Jaeger
2006-10-31 15:14 ` Venkat Yekkirala
2006-11-01 14:48 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1162392538.31675.162.camel@sgc \
--to=cpebenito@tresys.com \
--cc=hallyn@elg11.watson.ibm.com \
--cc=latten@austin.ibm.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=tjaeger@cse.psu.edu \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.