* [RFC] use the netmsg initial SID for NetLabel connections
@ 2007-06-07 20:58 Paul Moore
2007-06-08 13:36 ` Christopher J. PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2007-06-07 20:58 UTC (permalink / raw)
To: selinux; +Cc: cpebenito, dwalsh
This is a simple RFC patch for the Reference Policy to go along with the
proposed NetLabel kernel changes to use the netmsg initial SID; the kernel
change thread can be found here:
* http://marc.info/?t=117394234100037&r=1&w=2
The basic idea is that NetLabel would use the netmsg initial SID as the
base/TE context for MLS-only connections and the unlabeled SID for
connections that did not have security attributes at all, true
unlabeled connections. The reason for doing this would be to enable us
to allow/disallow unlabeled NetLabel traffic on a per-domain basis;
something that is not easily possible with the current approach of using
the unlabeled SID as the base/TE context for MLS-only connections.
I don't consider the changes below to be complete, there would still need
to be changes to all of the user and application domains, but I want to
start a conversation on the "right" way to do this. Chris, Dan, I'm
especially interested in what the two of you have to say.
FYI: This _really_ is an RFC patch; I haven't even compile tested it, I'm
just using it as a starting point for the conversation.
---
policy/mls | 5
policy/modules/kernel/corenetwork.if.in | 88 ++++++++++++++
policy/modules/kernel/kernel.if | 194 +++++++++++++++++++++++++++++---
policy/modules/kernel/kernel.te | 8 +
4 files changed, 276 insertions(+), 19 deletions(-)
Index: refpolicy_svn_repo/policy/mls
===================================================================
--- refpolicy_svn_repo.orig/policy/mls
+++ refpolicy_svn_repo/policy/mls
@@ -182,11 +182,12 @@ mlsconstrain { socket tcp_socket udp_soc
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
-# used by netlabel to restrict normal domains to same level connections
+# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
(( l1 eq l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
+ ( t1 == mlsnetread ) or
+ ( t2 == unlabeled_t ));
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
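Review bot: the new `( t2 == unlabeled_t )` disjunct makes the MLS recvfrom constraint pass any peer labeled unlabeled_t regardless of level, including the mls_systemhigh level the unlabeled initial SIDs carry in kernel.te, so after this change the only control over unlabeled traffic is the TE allow granted through the new corenet_*_recv_unlabeled() interfaces. The updated comment should state that explicitly rather than just "unless the connection is unlabeled", and it is long enough to be worth wrapping like the surrounding comment lines.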
Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
@@ -1602,6 +1602,20 @@ interface(`corenet_dontaudit_non_ipsec_s
## </param>
#
interface(`corenet_tcp_recv_netlabel',`
+ kernel_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive TCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recv_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)
')
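Review bot: this silently changes the meaning of the existing corenet_tcp_recv_netlabel() interface. Its body used to be `kernel_tcp_recvfrom_unlabeled($1)`; it now grants recvfrom on netlabel_peer_t only, and the unlabeled_t access moves into the new corenet_tcp_recv_unlabeled(), so every domain that already calls corenet_tcp_recv_netlabel() loses its unlabeled traffic the moment this lands. The cover letter notes the per-domain updates are still pending, but the interface documentation should say that callers now need both interfaces to keep their previous access. Also "unlabled" in the new summary should be "unlabeled".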
@@ -1617,6 +1631,21 @@ interface(`corenet_tcp_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_tcp_recv_netlabel',`
+ kernel_dontaudit_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recv_unlabeled',`
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
')
@@ -1631,6 +1660,20 @@ interface(`corenet_dontaudit_tcp_recv_ne
## </param>
#
interface(`corenet_udp_recv_netlabel',`
+ kernel_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive UDP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recv_unlabeled',`
kernel_udp_recvfrom_unlabeled($1)
')
@@ -1646,6 +1689,21 @@ interface(`corenet_udp_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_udp_recv_netlabel',`
+ kernel_dontaudit_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recv_unlabeled',`
kernel_dontaudit_udp_recvfrom_unlabeled($1)
')
@@ -1660,6 +1718,20 @@ interface(`corenet_dontaudit_udp_recv_ne
## </param>
#
interface(`corenet_raw_recv_netlabel',`
+ kernel_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recv_unlabeled',`
kernel_raw_recvfrom_unlabeled($1)
')
@@ -1675,9 +1747,25 @@ interface(`corenet_raw_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_raw_recv_netlabel',`
+ kernel_dontaudit_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recv_unlabeled',`
kernel_dontaudit_raw_recvfrom_unlabeled($1)
')
+
########################################
## <summary>
## Send generic client packets.
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.if
@@ -2207,8 +2207,34 @@ interface(`kernel_dontaudit_sendrecv_unl
## similar protocols.
## </p>
## <p>
-## The corenetwork interface
-## corenet_tcp_recv_netlabel() should
+## The corenetwork interface corenet_tcp_recv_netlabel() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive TCP packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Receive TCP packets from an unlabeled connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_tcp_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
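Review bot: kernel_tcp_recvfrom_netlabel() pulls netlabel_peer_t in with gen_require, which keeps a NetLabel-specific type and its interfaces in the kernel module even though the only reason the netlabel interfaces lived here was their use of unlabeled_t; the type, the sid line and this interface family fit better in corenetwork. Separately, the new `<desc>` paragraph for the unlabeled interface just repeats its `<summary>`; it would be more useful to say what "unlabeled connection" now means, a peer with no security attributes at all, as opposed to an MLS-only peer that is now mapped to netlabel_peer_t.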
@@ -2238,9 +2264,37 @@ interface(`kernel_tcp_recvfrom_unlabeled
## which implements CIPSO and similar protocols.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_tcp_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_tcp_recv_netlabel()
+## should be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
@@ -2268,8 +2322,34 @@ interface(`kernel_dontaudit_tcp_recvfrom
## similar protocols.
## </p>
## <p>
-## The corenetwork interface
-## corenet_udp_recv_netlabel() should
+## The corenetwork interface corenet_udp_recv_netlabel() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive UDP packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Receive UDP packets from an unlabeled connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_udp_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
@@ -2299,9 +2379,37 @@ interface(`kernel_udp_recvfrom_unlabeled
## which implements CIPSO and similar protocols.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_udp_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_udp_recv_netlabel()
+## should be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
@@ -2329,8 +2437,34 @@ interface(`kernel_dontaudit_udp_recvfrom
## similar protocols.
## </p>
## <p>
-## The corenetwork interface
-## corenet_raw_recv_netlabel() should
+## The corenetwork interface corenet_raw_recv_netlabel() should be
+## used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <desc>
+## <p>
+## Receive Raw IP packets from an unlabeled connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_raw_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
@@ -2345,7 +2479,7 @@ interface(`kernel_raw_recvfrom_unlabeled
type unlabeled_t;
')
- allow $1 unlabeled_t:rawip_socket recvfrom;
+ allow $1 unlabeled_t:raw_socket recvfrom;
')
########################################
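Review bot: `allow $1 unlabeled_t:raw_socket recvfrom;` replaces the object class `rawip_socket` with `raw_socket`, which appears nowhere else in this patch: the policy/mls constraint and the new kernel_raw_recvfrom_netlabel() / kernel_dontaudit_raw_recvfrom_netlabel() all use `rawip_socket`. This looks like an accidental edit and should be reverted to `rawip_socket`, otherwise kernel_raw_recvfrom_unlabeled() no longer matches the class the rest of the policy constrains; this is exactly what a compile test of the RFC would have caught.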
@@ -2360,9 +2494,37 @@ interface(`kernel_raw_recvfrom_unlabeled
## which implements CIPSO and similar protocols.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_raw_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_raw_recv_netlabel()
+## should be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
@@ -139,6 +139,13 @@ type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
#
+# The netmsg inital SID is used by the kernel's NetLabel subsystem for network
+# connections which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
+#
# unlabeled_t is the type of unlabeled objects.
# Objects that have no known labeling information or that
# have labels that are no longer valid are treated as having this type.
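Review bot: "inital" in the new comment should be "initial". The comment would also help readers more if it noted that netlabel_peer_t is the context of an MLS-only peer (one whose labeling carries only MLS attributes) while unlabeled_t remains the context of a peer with no security attributes at all, since that distinction is the whole point of moving the netmsg SID off unlabeled_t.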
@@ -153,7 +160,6 @@ sid icmp_socket gen_context(system_u:ob
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid init gen_context(system_u:object_r:unlabeled_t,s0)
sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
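As an added illustration, not code from the patch or from refpolicy, the Python below models the recvfrom MLS constraint changed in the policy/mls hunk with and without the new unlabeled_t clause, alongside a constructed TE allow set, to show that after the patch the MLS layer no longer blocks unlabeled peers and the per-domain corenet_*_recv_unlabeled() TE rule is what decides. The types user_t, mlsnetread_demo_t and mlsnetreadtoclr_demo_t, their attribute membership, TE_ALLOW and the SYSTEMHIGH level value are all assumptions made for the model.

```python
"""Constructed model (not code from the patch or refpolicy) of the MLS
recvfrom constraint changed in the policy/mls hunk:

    mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
        (( l1 eq l2 ) or
         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
         ( t1 == mlsnetread ) or
         ( t2 == unlabeled_t ));      # clause added by the patch

A recvfrom succeeds only if the TE allow rule AND this constraint pass.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Level:
    """MLS level: sensitivity plus category set (s0, s15:c0.c1023, ...)."""
    sens: int
    cats: frozenset = frozenset()

    def dom(self, other: "Level") -> bool:
        return self.sens >= other.sens and self.cats >= other.cats

    def eq(self, other: "Level") -> bool:
        return self == other


@dataclass(frozen=True)
class Context:
    type_: str                      # t1 / t2 in the constraint
    low: Level                      # l1 / l2
    high: Optional[Level] = None    # h1 (clearance); defaults to low

    @property
    def clearance(self) -> Level:
        return self.high if self.high is not None else self.low


# Assumed attribute membership; refpolicy assigns these with typeattribute.
ATTRS = {"user_t": set(), "mlsnetread_demo_t": {"mlsnetread"},
         "mlsnetreadtoclr_demo_t": {"mlsnetreadtoclr"}}

# Assumed TE allow rules as (domain, peer type) pairs: user_t is modelled as
# calling corenet_tcp_recv_netlabel() but NOT corenet_tcp_recv_unlabeled().
TE_ALLOW = {("user_t", "netlabel_peer_t"), ("mlsnetread_demo_t", "netlabel_peer_t")}

S0 = Level(0)
SYSTEMHIGH = Level(15, frozenset(range(1024)))  # stands in for mls_systemhigh


def mls_recvfrom(subj: Context, peer: Context, patched: bool) -> bool:
    """Evaluate the constraint; 'patched' enables the t2 == unlabeled_t clause."""
    l1, h1, t1 = subj.low, subj.clearance, subj.type_
    l2, t2 = peer.low, peer.type_
    attrs = ATTRS.get(t1, set())
    if l1.eq(l2):
        return True
    if "mlsnetreadtoclr" in attrs and h1.dom(l2):
        return True
    if "mlsnetread" in attrs:
        return True
    return patched and t2 == "unlabeled_t"


def te_recvfrom(subj: Context, peer: Context) -> bool:
    return (subj.type_, peer.type_) in TE_ALLOW


def recvfrom_decision(subj: Context, peer: Context, patched: bool) -> bool:
    """The kernel grants recvfrom only when TE and MLS both allow it."""
    return te_recvfrom(subj, peer) and mls_recvfrom(subj, peer, patched)


def demo() -> dict:
    """For user_t at s0: (MLS before patch, MLS after patch, TE+MLS after)."""
    user = Context("user_t", S0)
    cases = {
        "labeled peer, same level": Context("netlabel_peer_t", S0),
        "labeled peer, systemhigh": Context("netlabel_peer_t", SYSTEMHIGH),
        "unlabeled peer, systemhigh": Context("unlabeled_t", SYSTEMHIGH),
    }
    return {name: (mls_recvfrom(user, p, False), mls_recvfrom(user, p, True),
                   recvfrom_decision(user, p, True)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (before, after, final) in demo().items():
        print(f"{name:27} MLS before={before!s:5} after={after!s:5} TE+MLS={final}")
```

The third case is the one the RFC is about: the MLS check now passes the unlabeled systemhigh peer, and the denial comes from TE alone because user_t was not given corenet_tcp_recv_unlabeled().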
* Re: [RFC] use the netmsg initial SID for NetLabel connections
2007-06-07 20:58 [RFC] use the netmsg initial SID for NetLabel connections Paul Moore
@ 2007-06-08 13:36 ` Christopher J. PeBenito
2007-06-08 13:58 ` Paul Moore
0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2007-06-08 13:36 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux, dwalsh
On Thu, 2007-06-07 at 16:58 -0400, Paul Moore wrote:
> This is a simple RFC patch for the Reference Policy to go along with the
> proposed NetLabel kernel changes to use the netmsg initial SID, the kernel
> change thread can be found here:
>
> * http://marc.info/?t=117394234100037&r=1&w=2
>
> The basic idea is that NetLabel would use the netmsg initial SID as the
> base/TE context for MLS-only connections and the unlabeled SID for
> connections that did not have security attributes at all, true
> unlabeled connections. The reason for doing this would be to enable us
> to allow/disallow unlabeled NetLabel traffic on a per-domain basis;
> something that is not easily possible with the current approach of using
> the unlabeled SID as the base/TE context for MLS-only connections.
>
> I don't consider the changes below to be complete, there would still need
> to be changes to all of the user and application domains, but I want to
> start a conversation on the "right" way to do this. Chris, Dan, I'm
> especially interested in what the two of you have to say.
[...]
> --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
> +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
> @@ -139,6 +139,13 @@ type sysctl_dev_t, sysctl_type;
> genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
>
> #
> +# The netmsg inital SID is used by the kernel's NetLabel subsystem for network
> +# connections which do not carry full SELinux contexts.
> +#
> +type netlabel_peer_t;
> +sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
> +
> +#
> # unlabeled_t is the type of unlabeled objects.
> # Objects that have no known labeling information or that
> # have labels that are no longer valid are treated as having this type.
> @@ -153,7 +160,6 @@ sid icmp_socket gen_context(system_u:ob
> sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> sid init gen_context(system_u:object_r:unlabeled_t,s0)
> sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> -sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
The type declaration and initial sid line should move over to
corenetwork (with corresponding interface changes). The only reason
there were netlabel interfaces in the kernel module was because they
were using unlabeled_t.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [RFC] use the netmsg initial SID for NetLabel connections
2007-06-08 13:36 ` Christopher J. PeBenito
@ 2007-06-08 13:58 ` Paul Moore
2007-06-12 12:12 ` Christopher J. PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2007-06-08 13:58 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux, dwalsh
On Friday, June 8 2007 9:36:51 am Christopher J. PeBenito wrote:
> On Thu, 2007-06-07 at 16:58 -0400, Paul Moore wrote:
> > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
> > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
> > @@ -139,6 +139,13 @@ type sysctl_dev_t, sysctl_type;
> > genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
> >
> > #
> > +# The netmsg inital SID is used by the kernel's NetLabel subsystem for
> > network +# connections which do not carry full SELinux contexts.
> > +#
> > +type netlabel_peer_t;
> > +sid
> > netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) +
> > +#
> > # unlabeled_t is the type of unlabeled objects.
> > # Objects that have no known labeling information or that
> > # have labels that are no longer valid are treated as having this type.
> > @@ -153,7 +160,6 @@ sid icmp_socket gen_context(system_u:ob
> > sid
> > igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > sid init gen_context(system_u:object_r:unlabeled_t,s0)
> > sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > -sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > sid
> > scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
>
> The type declaration and initial sid line should move over to
> corenetwork (with corresponding interface changes). The only reason
> there were netlabel interfaces in the kernel module were because they
> were using unlabeled_t.
Okay, that makes sense.
I still have a question about the best way to provide both labeled and
unlabeled NetLabel support to all of the user/application domains in the
policy. I don't have a problem going through all the individual domains and
adding calls like these:
corenet_{tcp,udp,raw}_recv_unlabeled(<domain>)
corenet_{tcp,udp,raw}_recv_netlabel(<domain>)
... but I was wondering if there was another way I should go about making the
change?
--
paul moore
linux security @ hp
* Re: [RFC] use the netmsg initial SID for NetLabel connections
2007-06-08 13:58 ` Paul Moore
@ 2007-06-12 12:12 ` Christopher J. PeBenito
2007-06-12 16:46 ` Paul Moore
0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2007-06-12 12:12 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux, dwalsh
On Fri, 2007-06-08 at 09:58 -0400, Paul Moore wrote:
> On Friday, June 8 2007 9:36:51 am Christopher J. PeBenito wrote:
> > On Thu, 2007-06-07 at 16:58 -0400, Paul Moore wrote:
> > > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
> > > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
> > > @@ -139,6 +139,13 @@ type sysctl_dev_t, sysctl_type;
> > > genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
> > >
> > > #
> > > +# The netmsg inital SID is used by the kernel's NetLabel subsystem for
> > > network +# connections which do not carry full SELinux contexts.
> > > +#
> > > +type netlabel_peer_t;
> > > +sid
> > > netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) +
> > > +#
> > > # unlabeled_t is the type of unlabeled objects.
> > > # Objects that have no known labeling information or that
> > > # have labels that are no longer valid are treated as having this type.
> > > @@ -153,7 +160,6 @@ sid icmp_socket gen_context(system_u:ob
> > > sid
> > > igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > > sid init gen_context(system_u:object_r:unlabeled_t,s0)
> > > sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > > -sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > > sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > > sid
> > > scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
> > > sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
> >
> > The type declaration and initial sid line should move over to
> > corenetwork (with corresponding interface changes). The only reason
> > there were netlabel interfaces in the kernel module were because they
> > were using unlabeled_t.
>
> Okay, that makes sense.
>
> I still have a question about the best way to provide both labeled and
> unlabeled NetLabel support to all of the user/application domains in the
> policy. I don't have a problem going through all the individual domains and
> adding calls like these:
>
> corenet_{tcp,udp,raw}_recv_unlabeled(<domain>)
> corenet_{tcp,udp,raw}_recv_netlabel(<domain>)
>
> ... but I was wondering if there was another way I should go about making the
> change?
No, that's the right method. I've been thinking about if this is the
right vocabulary for the interfaces; I'd like to make it workable for
labeled ipsec too. The problem is that ipsec is a little different,
where you might have interfaces like apache_tcp_recvfrom_user_script().
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [RFC] use the netmsg initial SID for NetLabel connections
2007-06-12 12:12 ` Christopher J. PeBenito
@ 2007-06-12 16:46 ` Paul Moore
0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2007-06-12 16:46 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux, dwalsh
On Tuesday, June 12 2007 8:12:16 am Christopher J. PeBenito wrote:
> On Fri, 2007-06-08 at 09:58 -0400, Paul Moore wrote:
> > I still have a question about the best way to provide both labeled and
> > unlabeled NetLabel support to all of the user/application domains in the
> > policy. I don't have a problem going through all the individual domains
> > and adding calls like these:
> >
> > corenet_{tcp,udp,raw}_recv_unlabeled(<domain>)
> > corenet_{tcp,udp,raw}_recv_netlabel(<domain>)
> >
> > ... but I was wondering if there was another way I should go about making
> > the change?
>
> No, that's the right method. I've been thinking about if this is the
> right vocabulary for the interfaces; I'd like to make it workable for
> labeled ipsec too.
Yes, especially for the unlabeled case. I would think having a single
interface to allow a domain to receive unlabeled traffic would be much better
than two.
> The problem is that ipsec is a little different,
> where you might have interfaces like apache_tcp_recvfrom_user_script().
Yes, you also have all the SPD matching issues to deal with. Hopefully later
this year I'll have NetLabel supporting full SELinux contexts which should
make NetLabel and IPsec very similar in regards to packet subject/object
labels; the class/permissions will still be different but that is more of an
interface implementation issue than an actual interface/API issue.
Thanks for your help; I hope to have a patch for you to review within a week
or two that adds the corenet/NetLabel interfaces to the policy in SVN. I'd
like to get this accepted and merged before I push the final kernel patch up
to James/Stephen as the kernel changes require a new/updated policy to work
correctly.
--
paul moore
linux security @ hp