From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
To: James Morris <jmorris@namei.org>
Cc: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
tgraf@suug.ch, Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: Refactor Netlink connector?
Date: Tue, 30 May 2006 23:09:06 +0400
Message-ID: <20060530190906.GA3128@2ka.mipt.ru>
In-Reply-To: <Pine.LNX.4.64.0605301453360.28036@d.namei>
On Tue, May 30, 2006 at 02:58:11PM -0400, James Morris (jmorris@namei.org) wrote:
> > Apache can still set up routes using ioctl or execve("ip route add/route
> > add");
>
> Depends on the policy. You can specify which types of files/sockets
> apache can perform ioctl on, and whether it can execve 'ip', and if so,
> which security context that runs in, and then whether that security
> context can add routes.
With applications like phpmyadmin, apache must be allowed to perform such
operations no matter whether it is hacked or not...
> Security in SELinux is not based on the name of the application, it's
> based on the security label bound to the binary being executed.
I know how selinux works.
I see your point, selinux is supposed to control each dataflow, even if
sometimes that is not such a good idea.
> > Anyway you can easily add an lsm hook into both sending/receiving paths in
> > connector code, it fully controls the traffic before it reaches the socket
> > queue or the user's callback.
>
> There are already LSM hooks which allow this, it's a matter of not wanting
> to have to parse arbitrarily implemented Netlink protocols to determine
> what the messages are.
I mean you can control messages based on the cn_msg->id structure, since
cn_msg is the header for all connector messages.
> - James
> --
> James Morris
> <jmorris@namei.org>
--
Evgeniy Polyakov
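The point Evgeniy makes in this message is that a hook does not need to understand every netlink protocol carried over the connector: the fixed cn_msg header in front of every connector message already carries a cb_id (idx/val) that identifies the group, and a policy can be keyed on that alone. Below is an added userspace model of such a check; it is not code from this thread, from the connector or from any LSM. The struct layouts mirror struct cb_id / struct cn_msg from <linux/connector.h>; the rule table (struct cn_rule), the verdict values, cn_policy_check(), cn_build() and the sample messages are all constructed here for illustration. Besides matching on cn_msg->id, it validates the header and declared payload length before reading anything, which is the check a hook on the receive path would have to do first.

```c
/*
 * Added example (not code from the thread, the connector or any LSM):
 * a userspace model of policy dispatch on the connector header.
 * struct cb_id / struct cn_msg mirror <linux/connector.h>; the rule
 * table, verdicts and sample messages are constructed for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Mirrors struct cb_id and struct cn_msg from <linux/connector.h>. */
struct cb_id {
    uint32_t idx;
    uint32_t val;
};

struct cn_msg {
    struct cb_id id;   /* connector group the message belongs to */
    uint32_t seq;
    uint32_t ack;
    uint16_t len;      /* payload bytes following this header */
    uint16_t flags;
    uint8_t  data[];   /* payload, interpreted by the group owner only */
};

/* Hypothetical policy entry: a group (idx,val) and whether it is allowed. */
struct cn_rule {
    struct cb_id id;
    int allow;
};

enum cn_verdict { CN_MALFORMED = -1, CN_DENY = 0, CN_ALLOW = 1 };

/*
 * Decide on a raw connector message as a hook in the send/receive path
 * would see it, without parsing the group-specific payload: validate the
 * header and declared length, then match only the fixed cb_id fields.
 */
int cn_policy_check(const void *buf, size_t buflen,
                    const struct cn_rule *rules, size_t nrules)
{
    struct cn_msg hdr;
    size_t i;

    /* A buffer shorter than the header cannot be trusted at all. */
    if (buflen < sizeof(hdr))
        return CN_MALFORMED;
    memcpy(&hdr, buf, sizeof(hdr));

    /* The declared payload must fit inside what actually arrived. */
    if ((size_t)hdr.len > buflen - sizeof(hdr))
        return CN_MALFORMED;

    for (i = 0; i < nrules; i++)
        if (rules[i].id.idx == hdr.id.idx && rules[i].id.val == hdr.id.val)
            return rules[i].allow ? CN_ALLOW : CN_DENY;

    return CN_DENY;   /* unknown group: default deny */
}

/* Build a constructed connector message into buf; returns bytes written. */
size_t cn_build(uint8_t *buf, size_t cap, uint32_t idx, uint32_t val,
                const void *payload, uint16_t plen)
{
    struct cn_msg hdr;

    if (cap < sizeof(hdr) + plen)
        return 0;
    memset(&hdr, 0, sizeof(hdr));
    hdr.id.idx = idx;
    hdr.id.val = val;
    hdr.len = plen;
    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), payload, plen);
    return sizeof(hdr) + plen;
}

/* Constructed policy: group (1,1) allowed, group (2,1) explicitly denied. */
static const struct cn_rule demo_rules[] = {
    { { 1, 1 }, 1 },
    { { 2, 1 }, 0 },
};

/* Runs three constructed messages through the check; 1 if all verdicts match. */
int cn_demo(void)
{
    uint8_t buf[64];
    uint16_t bad_len = 4000;
    size_t n;
    int allowed, denied, malformed;

    n = cn_build(buf, sizeof(buf), 1, 1, "ping", 4);
    allowed = cn_policy_check(buf, n, demo_rules, 2);

    n = cn_build(buf, sizeof(buf), 3, 7, "x", 1);   /* group not in policy */
    denied = cn_policy_check(buf, n, demo_rules, 2);

    n = cn_build(buf, sizeof(buf), 1, 1, "ping", 4);
    memcpy(buf + offsetof(struct cn_msg, len), &bad_len, sizeof(bad_len));
    malformed = cn_policy_check(buf, n, demo_rules, 2); /* len lies */

    printf("allow=%d deny=%d malformed=%d\n", allowed, denied, malformed);
    return allowed == CN_ALLOW && denied == CN_DENY && malformed == CN_MALFORMED;
}
```

The rule table stands in for whatever the LSM would derive from the subject's label; the point of the model is that the decision is made on the 8-byte cb_id and the length check only, so the hook never has to know the message formats of the individual connector users.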