* can_network()
From: Russell Coker @ 2002-11-04 12:27 UTC (permalink / raw)
To: selinux
It's difficult to imagine a program that needs can_network() access but which
does not need to read /etc/resolv.conf.
Currently every time we write policy for such programs we have separate config
lines for resolv_conf_t and can_network. This makes policy files longer and
more difficult to read, and when requirements change and entries are to be
removed from a policy file then it's more likely that something will be
missed.
I think that we should either include a statement granting access to
resolv_conf_t in the can_network() macro, or we should have a separate macro
which calls can_network() and also grants access to resolv_conf_t.
I also suspect that access to etc_t files will be necessary for such a macro
too, but in the few minutes I've been thinking about this I haven't
determined a suitable case to prove this.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
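As an added illustration of the second option proposed above (a wrapper that calls can_network() and also grants resolv_conf_t access), here is a macro written in the style of the m4 macros used by the old example policy. This is not code from the thread or from the example policy itself: the macro name can_network_resolve, the permission-set name r_file_perms, and the domain example_net_t are assumptions for illustration, and the real can_network() definition is assumed to exist elsewhere in the macro set rather than reproduced here. The etc_t access the message suspects may also be needed is deliberately left out, as the thread leaves that question open.

```m4
dnl Added illustration, not from the thread or the example policy.
dnl Assumed: can_network() is defined elsewhere in the macro set,
dnl resolv_conf_t labels /etc/resolv.conf, and r_file_perms is the
dnl read-only file permission set (all three names are assumptions here).
define(`can_network_resolve',`
can_network($1)
allow $1 resolv_conf_t:file r_file_perms;
')

dnl A hypothetical domain using the wrapper. One line replaces the
dnl previous pair of can_network()/resolv_conf_t rules, so that removing
dnl network access later also drops the resolv.conf access with it.
type example_net_t, domain;
can_network_resolve(example_net_t)
```

With this wrapper, a domain that should lose network access is edited in one place, which is the maintenance point the message raises; a grep for can_network_resolve also lists every domain that can both open sockets and read the resolver configuration.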
* Re: can_network()
From: Tom @ 2002-11-04 14:32 UTC (permalink / raw)
To: selinux
On Mon, Nov 04, 2002 at 01:27:26PM +0100, Russell Coker wrote:
> It's difficult to imagine a program that needs can_network() access but which
> does not need to read /etc/resolv.conf.
Speaking of that, shouldn't there be an every_domain_except_network
domain? I'd love to use every_domain instead of all the lower macros,
but it includes can_network(), which I don't want.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: can_network()
From: Stephen D. Smalley @ 2002-11-07 20:05 UTC (permalink / raw)
To: selinux, tom
> speaking of that, shouldn't there be an every_domain_except_network
> domain? I'd love to use every_domain instead of all the lower macros,
> but it includes can_network(), which I don't want.
The goal is to largely eliminate the use of coarse-grained macros like
every_domain() [and even its immediate "children"], replacing them with
much finer-grained macros and/or individual rules to provide true least
privilege. Naturally, this will have a cost in terms of maintaining the
policy.
--
Stephen Smalley, NSA
sds@epoch.ncsc.mil
* Re: can_network()
From: Russell Coker @ 2002-11-07 21:48 UTC (permalink / raw)
To: Stephen D. Smalley, selinux
On Thu, 7 Nov 2002 21:05, Stephen D. Smalley wrote:
> > speaking of that, shouldn't there be an every_domain_except_network
> > domain? I'd love to use every_domain instead of all the lower macros,
> > but it includes can_network(), which I don't want.
>
> The goal is to largely eliminate the use of coarse-grained macros like
> every_domain() [and even its immediate "children"], replacing them with
> much finer-grained macros and/or individual rules to provide true least
> privilege. Naturally, this will have a cost in terms of maintaining the
> policy.
So do you think that can_network() needs to be broken up?
I guess this means you don't like my idea for adding an allow resolv_conf_t to
it then...