From: Paul Moore <paul.moore@hp.com>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: Chad Hanson <chanson@TrustedCS.com>,
James Morris <jmorris@namei.org>,
selinux@tycho.nsa.gov, sds@tycho.nsa.gov, cpebenito@tresys.com,
Venkat Yekkirala <vyekkirala@TrustedCS.com>
Subject: Re: Q: SECMARK controls on forwarded packets
Date: Thu, 10 Jan 2008 14:10:09 -0500 [thread overview]
Message-ID: <200801101410.10082.paul.moore@hp.com> (raw)
In-Reply-To: <47866A60.40002@tresys.com>
On Thursday 10 January 2008 1:56:32 pm Joshua Brindle wrote:
> Paul Moore wrote:
> > On Thursday 10 January 2008 10:32:10 am Chad Hanson wrote:
> >> These controls look good to us...
> >
> > Great. I'm assuming the lack of complaints means others are happy
> > with this as well.
>
> I haven't gotten around to looking at the rfc in detail but it looks
> like the secmark/external labeling concepts are being merged again
> when we already decided to keep them as separate systems.
No, the secmark and peer/external labeling concepts are _not_ being
merged. The peer/external label will continue to represent the label
of the socket that sent the data (peer label = firefox_t) while the
secmark label will continue to represent the packet's IP attributes
such as port information (secmark label = http_packet_t). Nothing has
changed in this regard and I don't expect it to anytime soon.
I assume the source of confusion are the following permissions:
- inbound forwaded traffic permissions
# is apache allowed to forward web traffic through this system?
allow peer_t secmark_t:packet forward_in;
- outbound forwarded traffic permissions
# is apache allowed to forward web traffic through this system?
allow peer_t secmark_t:packet forward_out;
In both cases we cannot use the socket's label as this packet is neither
generated by or consumed by a local socket (forwarded traffic).
However, we can still perform a meaningful secmark access check by
checking the secmark label against the peer label; this is similar to
how we check the secmark label against the socket label for regular
(non-forwarded) traffic. The key here is to remember that the peer
label represents the original socket's label even though in the
forwarded case the socket happens to be located on a different machine.
Make more sense now?
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-01-10 19:10 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-09 4:30 Q: SECMARK controls on forwarded packets Paul Moore
2008-01-09 12:51 ` Stephen Smalley
2008-01-09 13:30 ` Paul Moore
2008-01-09 13:39 ` Stephen Smalley
2008-01-09 15:36 ` Paul Moore
2008-01-09 14:04 ` James Morris
2008-01-09 20:48 ` Paul Moore
2008-01-09 23:35 ` Paul Moore
2008-01-10 15:32 ` Chad Hanson
2008-01-10 16:47 ` Paul Moore
2008-01-10 18:56 ` Joshua Brindle
2008-01-10 19:10 ` Paul Moore [this message]
2008-01-10 20:04 ` Joshua Brindle
2008-01-10 20:07 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200801101410.10082.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=chanson@TrustedCS.com \
--cc=cpebenito@tresys.com \
--cc=jbrindle@tresys.com \
--cc=jmorris@namei.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.