From: Paul Moore <paul.moore@hp.com>
To: vyekkirala@TrustedCS.com
Cc: "KaiGai Kohei" <kaigai@kaigai.gr.jp>,
"KaiGai Kohei" <kaigai@ak.jp.nec.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>, "Joe Nall" <joe@nall.com>,
"SELinux Mail List" <selinux@tycho.nsa.gov>,
ewalsh@tycho.nsa.gov
Subject: Re: generic fallbacks of getpeercon (Re: [redhat-lspp] Labeling an interface)
Date: Wed, 6 Jun 2007 15:37:49 -0400 [thread overview]
Message-ID: <200706061537.49417.paul.moore@hp.com> (raw)
In-Reply-To: <000701c7a868$fbdc6a60$cc0a010a@tcssec.com>
On Wednesday, June 6 2007 2:32:04 pm Venkat Yekkirala wrote:
> > > It's preferable, if we can configure the fallbacked client context
> > > directly, as follows:
> > > 192.168.1.0/24 --> system_u:system_r:sepgsql_client_t
> > > 192.168.2.0/24 -->
> > > system_u:system_r:sepgsql_trusted_client_t:SystemLow-SystemHigh
> >
> > That is exactly what I am intending to implement; the system
> > administrator
> > would specify a interface/address/netmask that would match to
> > a _full_
> > SELinux context as you have described above.
>
> I see 2 drawbacks with this approach:
>
> 1. We aren't leveraging secmark (and the fine-grained policy that it
> can offer) which was supposed to move us away from
> individual/stand-alone netif/node labels here.
We decided long ago to keep the two types of labels, internal and external,
separate because merging the two made the policy to difficult to understand,
write, and analyze. I still believe this to be the correct decision. This
approach deliberately avoids making use of the SECMARK labels for this
reason.
I view SECMARK, or any other internal labeling mechanism, as a way to
introduce SELinux access controls into the Linux netfilter mechanism which
provides a much more flexible and cleaner alternative to the
compat_net/netif/node labels we used to have. NetLabel/CIPSO, labeled IPsec,
or any other external labeling mechanism is a way for domains to communicate
their labels across the network. The two labeling mechanisms, internal and
external, both provide packet level access controls but for two completely
different purposes.
The proposal here is to introduce a static external label for single label
networks where the remote domain is not explicitly labeling it's network
traffic. This is a common request from people with existing trusted OS
installations and would be a nice compliment to the existing labeling
mechanisms, both internal and external.
> 2. Redundant labeling (atleast MLS-wise) and the potential for
> inconsistency.
You have the possibility for the same "redundancy" between the existing
external and internal labels. Simply providing another method of determining
external labels does not cause any new redundancy that did not exist before.
If there is a disparity between the internal and external labels it is either
because the policy is incorrect or the connection should not be allowed.
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-06-06 19:37 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <C32347D4-3E32-4741-B847-6826EED3BB7A@nall.com>
[not found] ` <1180631739.3340.309.camel@moss-spartans.epoch.ncsc.mil>
2007-06-02 17:46 ` generic fallbacks of getpeercon (Re: [redhat-lspp] Labeling an interface) KaiGai Kohei
2007-06-04 10:52 ` KaiGai Kohei
2007-06-04 14:17 ` Stephen Smalley
2007-06-04 19:28 ` Paul Moore
2007-06-06 3:12 ` KaiGai Kohei
2007-06-06 11:45 ` Paul Moore
2007-06-06 13:38 ` Venkat Yekkirala
2007-06-06 13:47 ` Paul Moore
2007-06-06 14:28 ` Stephen Smalley
2007-06-06 17:25 ` KaiGai Kohei
2007-06-06 17:34 ` Stephen Smalley
2007-06-06 17:52 ` KaiGai Kohei
2007-06-06 18:01 ` Stephen Smalley
2007-06-06 18:37 ` Venkat Yekkirala
2007-06-06 18:47 ` Stephen Smalley
2007-06-06 17:23 ` KaiGai Kohei
2007-06-06 17:42 ` Paul Moore
2007-06-06 18:32 ` Venkat Yekkirala
2007-06-06 19:37 ` Paul Moore [this message]
2007-06-06 20:31 ` Joshua Brindle
2007-06-06 20:48 ` Paul Moore
2007-06-06 21:19 ` Joshua Brindle
2007-06-06 21:34 ` Paul Moore
2007-06-06 21:39 ` Eamon Walsh
2007-06-07 6:55 ` KaiGai Kohei
2007-06-07 7:42 ` KaiGai Kohei
2007-06-07 11:51 ` Paul Moore
2007-06-07 14:10 ` KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200706061537.49417.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=ewalsh@tycho.nsa.gov \
--cc=joe@nall.com \
--cc=kaigai@ak.jp.nec.com \
--cc=kaigai@kaigai.gr.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.