* can_tcp_connect_to() macro
@ 2002-05-26 9:59 Russell Coker
2002-05-26 10:36 ` Tom
2002-05-28 12:36 ` Stephen Smalley
0 siblings, 2 replies; 4+ messages in thread
From: Russell Coker @ 2002-05-26 9:59 UTC (permalink / raw)
To: SE Linux
What do you think about the following?
#################################
#
# can_tcp_connect_to(client, server)
#
# Permissions for establishing a TCP connection TO a domain.
#
define(`can_tcp_connect_to',`
allow $1 $2:tcp_socket connectto;
allow $2 $1:tcp_socket recvfrom;
')
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: can_tcp_connect_to() macro
From: Tom @ 2002-05-26 10:36 UTC (permalink / raw)
To: SE Linux
On Sun, May 26, 2002 at 11:59:25AM +0200, Russell Coker wrote:
> What do you think about the following?
yes, please! also, a restriction on target ports may be very, very
useful (e.g. "this user can surf the web or use telnet, but can't
telnet to arbitrary ports")
--
New GPG Key issued (old key expired):
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: can_tcp_connect_to() macro
From: Russell Coker @ 2002-05-26 11:00 UTC (permalink / raw)
To: Tom, SE Linux
On Sun, 26 May 2002 12:36, Tom wrote:
> On Sun, May 26, 2002 at 11:59:25AM +0200, Russell Coker wrote:
> > What do you think about the following?
>
> yes, please! also, a restriction on target ports may be very, very
> useful (e.g. "this user can surf the web or use telnet, but can't
> telnet to arbitrary ports")
The only thing my suggested new macro offers over the current
can_tcp_connect() macro is that the connections are uni-directional.
For example, I want to allow all users to connect to Squid, but I don't want
to allow Squid to connect to them!
So you can currently limit what ports your user connects to, as long as you
are happy for the owners of those domains to connect to your user.
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
* Re: can_tcp_connect_to() macro
From: Stephen Smalley @ 2002-05-28 12:36 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Sun, 26 May 2002, Russell Coker wrote:
> What do you think about the following?
>
> #################################
> #
> # can_tcp_connect_to(client, server)
> #
> # Permissions for establishing a TCP connection TO a domain.
> #
> define(`can_tcp_connect_to',`
> allow $1 $2:tcp_socket connectto;
> allow $2 $1:tcp_socket recvfrom;
> ')
I don't understand the purpose of this macro. It is insufficient to
authorize a TCP connection, and can_tcp_connect is already defined to
authorize a (one-way) connection between a client and a server. The
connectto/acceptfrom permissions handle the unidirectional nature of the
connection.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
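An added illustration (not from any poster, and not SELinux policy code) of the point made in the two messages above: Russell's macro is expanded as posted, and a small checker models Stephen's statement that a TCP connection needs the client's connectto on the server plus the server's acceptfrom on the client. The permission model, the domain names user_t/squid_t and the extra acceptfrom rule are assumptions made for the example.

```python
import re
from typing import Set, Tuple

# Assumed model of the tcp_socket permissions named in the thread: a TCP
# connection from client to server requires the client's connectto on the
# server AND the server's acceptfrom on the client. recvfrom is not treated
# as part of connection establishment.
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):tcp_socket\s+(\w+);")


def can_tcp_connect_to(client: str, server: str) -> str:
    """Russell's proposed macro, expanded by hand ($1 -> client, $2 -> server)."""
    return (f"allow {client} {server}:tcp_socket connectto;\n"
            f"allow {server} {client}:tcp_socket recvfrom;\n")


def parse_allows(policy: str) -> Set[Tuple[str, str, str]]:
    """Collect (source, target, permission) triples from allow rules."""
    return {m.groups() for m in ALLOW_RE.finditer(policy)}


def tcp_connection_allowed(rules, client: str, server: str) -> bool:
    """Both halves of the grant must name the right domains in the right roles."""
    return ((client, server, "connectto") in rules
            and (server, client, "acceptfrom") in rules)


def demo():
    # Constructed domains: users in user_t connecting to Squid in squid_t.
    rules = parse_allows(can_tcp_connect_to("user_t", "squid_t"))
    # Proposed macro alone: no acceptfrom, so the grant is incomplete.
    with_macro_only = tcp_connection_allowed(rules, "user_t", "squid_t")
    # Add the server-side permission (constructed rule) and re-check.
    rules |= parse_allows("allow squid_t user_t:tcp_socket acceptfrom;")
    forward = tcp_connection_allowed(rules, "user_t", "squid_t")
    # The reverse direction stays denied: that is the uni-directional property.
    reverse = tcp_connection_allowed(rules, "squid_t", "user_t")
    return with_macro_only, forward, reverse


if __name__ == "__main__":
    print(demo())
```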