* [PATCH 0/4] Reference Policy patches for the new labeled networking code in 2.6.25
@ 2008-02-08 21:25 paul.moore
From: paul.moore @ 2008-02-08 21:25 UTC (permalink / raw)
To: selinux
Four relatively small patches to Reference Policy to support the new labeled
networking controls which are now in Linus' tree and scheduled for 2.6.25.
The first three patches have been posted previously but are not yet in SVN,
while the last patch is new.
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread* [PATCH 1/4] REFPOL: Add "rogue" Fedora packet class permissions 2008-02-08 21:25 [PATCH 0/4] Reference Policy patches for the new labeled networking code in 2.6.25 paul.moore @ 2008-02-08 21:25 ` paul.moore 2008-02-12 14:35 ` Christopher J. PeBenito 2008-02-08 21:25 ` [PATCH 2/4] REFPOL: Add forwarding permissions to the packet object class paul.moore ` (2 subsequent siblings) 3 siblings, 1 reply; 15+ messages in thread From: paul.moore @ 2008-02-08 21:25 UTC (permalink / raw) To: selinux; +Cc: Paul Moore At some point in the Fedora 6 timeframe the "flow_in" and "flow_out" permissions were added to the "packet" class, most likely as part of the ill-fated secid-reconciliation effort. Despite the fact that these permissions are not currently used they should be included in the Reference Policy as they are now a permanent fixture in Fedora and it is crucial that the FLASK defines be kept in sync. This patch needs to be applied before any other patches that affect the "packet" class, otherwise the resulting policy may not load. Signed-off-by: Paul Moore <paul.moore@hp.com> --- policy/flask/access_vectors | 2 ++ 1 file changed, 2 insertions(+) Index: refpolicy_svn_repo/policy/flask/access_vectors =================================================================== --- refpolicy_svn_repo.orig/policy/flask/access_vectors +++ refpolicy_svn_repo/policy/flask/access_vectors @@ -650,6 +650,8 @@ class packet send recv relabelto + flow_in # not currently in use + flow_out # not currently in use } class key -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
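Review bot: the two added lines in the `class packet` hunk carry only "# not currently in use", which invites a later cleanup to drop them; the reason they must stay, and must stay in this position, lives only in the commit message. Suggest making the in-file comment self-explanatory, e.g. `+ flow_in # unused; kept for compatibility with Fedora policy` and the same for `flow_out`, so the ordering constraint stated in the message ("needs to be applied before any other patches that affect the packet class") is visible to whoever edits access_vectors next.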
* Re: [PATCH 1/4] REFPOL: Add "rogue" Fedora packet class permissions 2008-02-08 21:25 ` [PATCH 1/4] REFPOL: Add "rogue" Fedora packet class permissions paul.moore @ 2008-02-12 14:35 ` Christopher J. PeBenito 0 siblings, 0 replies; 15+ messages in thread From: Christopher J. PeBenito @ 2008-02-12 14:35 UTC (permalink / raw) To: paul.moore; +Cc: selinux On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote: > plain text document attachment (refpol-flask_fedora_fix) > At some point in the Fedora 6 timeframe the "flow_in" and "flow_out" > permissions were added to the "packet" class, most likely as part of the > ill-fated secid-reconciliation effort. Despite the fact that these permissions > are not currently used they should be included in the Reference Policy as they > are now a permanent fixture in Fedora and it is crucial that the FLASK > defines be kept in sync. > > This patch needs to be applied before any other patches that affect the > "packet" class, otherwise the resulting policy may not load. Merged. > Signed-off-by: Paul Moore <paul.moore@hp.com> > --- > policy/flask/access_vectors | 2 ++ > 1 file changed, 2 insertions(+) > > Index: refpolicy_svn_repo/policy/flask/access_vectors > =================================================================== > --- refpolicy_svn_repo.orig/policy/flask/access_vectors > +++ refpolicy_svn_repo/policy/flask/access_vectors > @@ -650,6 +650,8 @@ class packet > send > recv > relabelto > + flow_in # not currently in use > + flow_out # not currently in use > } > > class key > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 2/4] REFPOL: Add forwarding permissions to the packet object class 2008-02-08 21:25 [PATCH 0/4] Reference Policy patches for the new labeled networking code in 2.6.25 paul.moore 2008-02-08 21:25 ` [PATCH 1/4] REFPOL: Add "rogue" Fedora packet class permissions paul.moore @ 2008-02-08 21:25 ` paul.moore 2008-02-12 14:36 ` Christopher J. PeBenito 2008-02-08 21:25 ` [PATCH 3/4] REFPOL: Remove the unlabeled_t SECMARK policy in kernel_sendrecv_unlabeled_association paul.moore 2008-02-08 21:25 ` [PATCH 4/4] REFPOL: Add new labeled networking permissions paul.moore 3 siblings, 1 reply; 15+ messages in thread From: paul.moore @ 2008-02-08 21:25 UTC (permalink / raw) To: selinux; +Cc: Paul Moore Add the 'forward_in' and 'forward_out' permissions to the packet object class to support the new forwarding controls added to the 2.6.25 kernel. Signed-off-by: Paul Moore <paul.moore@hp.com> --- policy/flask/access_vectors | 2 ++ 1 file changed, 2 insertions(+) Index: refpolicy_svn_repo/policy/flask/access_vectors =================================================================== --- refpolicy_svn_repo.orig/policy/flask/access_vectors +++ refpolicy_svn_repo/policy/flask/access_vectors @@ -652,6 +652,8 @@ class packet relabelto flow_in # not currently in use flow_out # not currently in use + forward_in + forward_out } class key -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
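Review bot: the added `forward_in` / `forward_out` lines in the `class packet` hunk have no comment, while the two lines immediately above them do; a reader of access_vectors cannot tell that these are the 2.6.25 forwarding controls or that nothing in the policy uses them yet (the first rule that does is in a later patch of this series). Suggest a short trailing comment on each, e.g. `+ forward_in # 2.6.25 forwarding controls`, matching the style of the adjacent entries.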
* Re: [PATCH 2/4] REFPOL: Add forwarding permissions to the packet object class 2008-02-08 21:25 ` [PATCH 2/4] REFPOL: Add forwarding permissions to the packet object class paul.moore @ 2008-02-12 14:36 ` Christopher J. PeBenito 0 siblings, 0 replies; 15+ messages in thread From: Christopher J. PeBenito @ 2008-02-12 14:36 UTC (permalink / raw) To: paul.moore; +Cc: selinux On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote: > plain text document attachment (refpol-flask_perms) > Add the 'forward_in' and 'forward_out' permissions to the packet object class > to support the new forwarding controls added to the 2.6.25 kernel. Merged. > Signed-off-by: Paul Moore <paul.moore@hp.com> > --- > policy/flask/access_vectors | 2 ++ > 1 file changed, 2 insertions(+) > > Index: refpolicy_svn_repo/policy/flask/access_vectors > =================================================================== > --- refpolicy_svn_repo.orig/policy/flask/access_vectors > +++ refpolicy_svn_repo/policy/flask/access_vectors > @@ -652,6 +652,8 @@ class packet > relabelto > flow_in # not currently in use > flow_out # not currently in use > + forward_in > + forward_out > } > > class key > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 3/4] REFPOL: Remove the unlabeled_t SECMARK policy in kernel_sendrecv_unlabeled_association 2008-02-08 21:25 [PATCH 0/4] Reference Policy patches for the new labeled networking code in 2.6.25 paul.moore 2008-02-08 21:25 ` [PATCH 1/4] REFPOL: Add "rogue" Fedora packet class permissions paul.moore 2008-02-08 21:25 ` [PATCH 2/4] REFPOL: Add forwarding permissions to the packet object class paul.moore @ 2008-02-08 21:25 ` paul.moore 2008-02-12 14:37 ` Christopher J. PeBenito 2008-02-08 21:25 ` [PATCH 4/4] REFPOL: Add new labeled networking permissions paul.moore 3 siblings, 1 reply; 15+ messages in thread From: paul.moore @ 2008-02-08 21:25 UTC (permalink / raw) To: selinux; +Cc: Paul Moore There is really no need for the SECMARK policy hack in the kernel_sendrecv_unlabeled_association() interface since we already have an interface call, kernel_sendrecv_unlabeled_packets(), which handles the unlabeled SECMARK case. Remove the hack and use the kernel_sendrecv_unlabeled_packets() where appropriate. Signed-off-by: Paul Moore <paul.moore@hp.com> --- policy/modules/kernel/corenetwork.if.in | 4 ++++ policy/modules/kernel/kernel.if | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in =================================================================== --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in @@ -1752,6 +1752,7 @@ interface(`corenet_tcp_recvfrom_netlabel # interface(`corenet_tcp_recvfrom_unlabeled',` kernel_tcp_recvfrom_unlabeled($1) + kernel_sendrecv_unlabeled_packets($1) # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break 
@@ -1859,6 +1860,7 @@ interface(`corenet_udp_recvfrom_netlabel # interface(`corenet_udp_recvfrom_unlabeled',` kernel_udp_recvfrom_unlabeled($1) + kernel_sendrecv_unlabeled_packets($1) # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break @@ -1966,6 +1968,7 @@ interface(`corenet_raw_recvfrom_netlabel # interface(`corenet_raw_recvfrom_unlabeled',` kernel_raw_recvfrom_unlabeled($1) + kernel_sendrecv_unlabeled_packets($1) # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break @@ -2042,6 +2045,7 @@ interface(`corenet_all_recvfrom_unlabele kernel_tcp_recvfrom_unlabeled($1) kernel_udp_recvfrom_unlabeled($1) kernel_raw_recvfrom_unlabeled($1) + kernel_sendrecv_unlabeled_packets($1) # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if =================================================================== --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if +++ refpolicy_svn_repo/policy/modules/kernel/kernel.if @@ -2255,9 +2255,6 @@ interface(`kernel_sendrecv_unlabeled_ass ') allow $1 unlabeled_t:association { sendto recvfrom }; - - # temporary hack until labeling on packets is supported - allow $1 unlabeled_t:packet { send recv }; ') ######################################## -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
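Review bot: the kernel.if hunk removes `allow $1 unlabeled_t:packet { send recv };` from kernel_sendrecv_unlabeled_association, but the replacement call `kernel_sendrecv_unlabeled_packets($1)` is added only to the corenet_*_recvfrom_unlabeled interfaces in corenetwork.if.in. A domain that calls kernel_sendrecv_unlabeled_association without also calling one of those corenet interfaces silently loses packet send/recv, and the only symptom will be packet denials at runtime on a SECMARK-enabled host. The commit message should say how callers of that interface were checked before the rule was dropped.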
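Review bot: each of the four corenetwork.if.in hunks adds `kernel_sendrecv_unlabeled_packets($1)` to an interface named corenet_*_recvfrom_unlabeled, so a "recvfrom" interface now also grants packet send. The `# XXX` context comment directly below each insertion already says the outbound/send check is expected to go away; it would help to note in that same comment that the new call is part of what can be narrowed to recv-only at that point, so the two are cleaned up together rather than the send grant outliving the check it was added for. While in these hunks, "oubound" in that context comment is a typo for "outbound".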
* Re: [PATCH 3/4] REFPOL: Remove the unlabeled_t SECMARK policy in kernel_sendrecv_unlabeled_association 2008-02-08 21:25 ` [PATCH 3/4] REFPOL: Remove the unlabeled_t SECMARK policy in kernel_sendrecv_unlabeled_association paul.moore @ 2008-02-12 14:37 ` Christopher J. PeBenito 2008-02-14 3:50 ` Paul Moore 0 siblings, 1 reply; 15+ messages in thread From: Christopher J. PeBenito @ 2008-02-12 14:37 UTC (permalink / raw) To: paul.moore; +Cc: selinux On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote: > plain text document attachment (refpol-secmark_perms_fix) > There is really no need for the SECMARK policy hack in the > kernel_sendrecv_unlabeled_association() interface since we already have an > interface call, kernel_sendrecv_unlabeled_packets(), which handles the > unlabeled SECMARK case. Remove the hack and use the > kernel_sendrecv_unlabeled_packets() where appropriate. I don't think this is any better as, in reality, there should be no mixing of secmark rules with labeled networking rules since they are orthogonal. > Signed-off-by: Paul Moore <paul.moore@hp.com> > --- > policy/modules/kernel/corenetwork.if.in | 4 ++++ > policy/modules/kernel/kernel.if | 3 --- > 2 files changed, 4 insertions(+), 3 deletions(-) > > Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in > =================================================================== > --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in > @@ -1752,6 +1752,7 @@ interface(`corenet_tcp_recvfrom_netlabel > # > interface(`corenet_tcp_recvfrom_unlabeled',` > kernel_tcp_recvfrom_unlabeled($1) > + kernel_sendrecv_unlabeled_packets($1) > > # XXX - at some point the oubound/send access check will be removed > # but for right now we need to keep this in place so as not to break 
> @@ -1859,6 +1860,7 @@ interface(`corenet_udp_recvfrom_netlabel > # > interface(`corenet_udp_recvfrom_unlabeled',` > kernel_udp_recvfrom_unlabeled($1) > + kernel_sendrecv_unlabeled_packets($1) > > # XXX - at some point the oubound/send access check will be removed > # but for right now we need to keep this in place so as not to break > @@ -1966,6 +1968,7 @@ interface(`corenet_raw_recvfrom_netlabel > # > interface(`corenet_raw_recvfrom_unlabeled',` > kernel_raw_recvfrom_unlabeled($1) > + kernel_sendrecv_unlabeled_packets($1) > > # XXX - at some point the oubound/send access check will be removed > # but for right now we need to keep this in place so as not to break > @@ -2042,6 +2045,7 @@ interface(`corenet_all_recvfrom_unlabele > kernel_tcp_recvfrom_unlabeled($1) > kernel_udp_recvfrom_unlabeled($1) > kernel_raw_recvfrom_unlabeled($1) > + kernel_sendrecv_unlabeled_packets($1) > > # XXX - at some point the oubound/send access check will be removed > # but for right now we need to keep this in place so as not to break > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if > =================================================================== > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.if > @@ -2255,9 +2255,6 @@ interface(`kernel_sendrecv_unlabeled_ass > ') > > allow $1 unlabeled_t:association { sendto recvfrom }; > - > - # temporary hack until labeling on packets is supported > - allow $1 unlabeled_t:packet { send recv }; > ') > > ######################################## > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 3/4] REFPOL: Remove the unlabeled_t SECMARK policy in kernel_sendrecv_unlabeled_association 2008-02-12 14:37 ` Christopher J. PeBenito @ 2008-02-14 3:50 ` Paul Moore 0 siblings, 0 replies; 15+ messages in thread From: Paul Moore @ 2008-02-14 3:50 UTC (permalink / raw) To: Christopher J. PeBenito; +Cc: selinux On Tuesday 12 February 2008 9:37:21 am Christopher J. PeBenito wrote: > On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote: > > plain text document attachment (refpol-secmark_perms_fix) > > There is really no need for the SECMARK policy hack in the > > kernel_sendrecv_unlabeled_association() interface since we already have > > an interface call, kernel_sendrecv_unlabeled_packets(), which handles the > > unlabeled SECMARK case. Remove the hack and use the > > kernel_sendrecv_unlabeled_packets() where appropriate. > > I don't think this is any better as, in reality, there should be no > mixing of secmark rules with labeled networking rules since they are > orthogonal. First, thanks for merging the other changes. Second, I suppose you are right about these changes, mixing them (never thought about it that way which is kinda funny everything considered) probably isn't the best thing to do long term. Thanks. -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 4/4] REFPOL: Add new labeled networking permissions 2008-02-08 21:25 [PATCH 0/4] Reference Policy patches for the new labeled networking code in 2.6.25 paul.moore ` (2 preceding siblings ...) 2008-02-08 21:25 ` [PATCH 3/4] REFPOL: Remove the unlabeled_t SECMARK policy in kernel_sendrecv_unlabeled_association paul.moore @ 2008-02-08 21:25 ` paul.moore 2008-02-12 14:39 ` Christopher J. PeBenito 3 siblings, 1 reply; 15+ messages in thread From: paul.moore @ 2008-02-08 21:25 UTC (permalink / raw) To: selinux The 2.6.25 kernel will introduce a new set of labeled networking controls to SELinux and this patch makes the necessary changes to the Reference Policy to support unlabeled network traffic with the new controls. A description of the new/improved labeled networking controls was posted to the SELinux list back in early January 2008. * http://marc.info/?l=selinux&m=119991234501200&w=2 --- policy/modules/kernel/corenetwork.if.in | 24 ++++++++++++------------ policy/modules/kernel/kernel.if | 6 ++++++ policy/modules/kernel/kernel.te | 3 +++ 3 files changed, 21 insertions(+), 12 deletions(-) Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in =================================================================== --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in @@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_ type netif_t; ') - allow $1 netif_t:netif { tcp_send tcp_recv }; + allow $1 netif_t:netif { tcp_send tcp_recv egress ingress }; ') ######################################## @@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if', type netif_t; ') - allow $1 netif_t:netif udp_send; + allow $1 netif_t:netif { udp_send egress }; ') ######################################## 
@@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_ge type netif_t; ') - dontaudit $1 netif_t:netif udp_send; + dontaudit $1 netif_t:netif { udp_send egress }; ') ######################################## @@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_i type netif_t; ') - allow $1 netif_t:netif udp_recv; + allow $1 netif_t:netif { udp_recv ingress }; ') ######################################## @@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive type netif_t; ') - dontaudit $1 netif_t:netif udp_recv; + dontaudit $1 netif_t:netif { udp_recv ingress }; ') ######################################## @@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if', type netif_t; ') - allow $1 netif_t:netif rawip_send; + allow $1 netif_t:netif { rawip_send egress }; ') ######################################## @@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_i type netif_t; ') - allow $1 netif_t:netif rawip_recv; + allow $1 netif_t:netif { rawip_recv ingress }; ') ######################################## @@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_ type node_t; ') - allow $1 node_t:node { tcp_send tcp_recv }; + allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom }; ') ######################################## @@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node type node_t; ') - allow $1 node_t:node udp_send; + allow $1 node_t:node { udp_send sendto }; ') ######################################## @@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_n type node_t; ') - allow $1 node_t:node udp_recv; + allow $1 node_t:node { udp_recv recvfrom }; ') ######################################## @@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node type node_t; ') - allow $1 node_t:node rawip_send; + allow $1 node_t:node { rawip_send sendto }; ') ######################################## 
@@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_n type node_t; ') - allow $1 node_t:node rawip_recv; + allow $1 node_t:node { rawip_recv recvfrom }; ') ######################################## Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if =================================================================== --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if +++ refpolicy_svn_repo/policy/modules/kernel/kernel.if @@ -2314,6 +2314,7 @@ interface(`kernel_tcp_recvfrom_unlabeled type unlabeled_t; ') + allow $1 unlabeled_t:peer recv; allow $1 unlabeled_t:tcp_socket recvfrom; ') @@ -2343,6 +2344,7 @@ interface(`kernel_dontaudit_tcp_recvfrom type unlabeled_t; ') + dontaudit $1 unlabeled_t:peer recv; dontaudit $1 unlabeled_t:tcp_socket recvfrom; ') @@ -2370,6 +2372,7 @@ interface(`kernel_udp_recvfrom_unlabeled type unlabeled_t; ') + allow $1 unlabeled_t:peer recv; allow $1 unlabeled_t:udp_socket recvfrom; ') @@ -2399,6 +2402,7 @@ interface(`kernel_dontaudit_udp_recvfrom type unlabeled_t; ') + dontaudit $1 unlabeled_t:peer recv; dontaudit $1 unlabeled_t:udp_socket recvfrom; ') @@ -2426,6 +2430,7 @@ interface(`kernel_raw_recvfrom_unlabeled type unlabeled_t; ') + allow $1 unlabeled_t:peer recv; allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -2455,6 +2460,7 @@ interface(`kernel_dontaudit_raw_recvfrom type unlabeled_t; ') + dontaudit $1 unlabeled_t:peer recv; dontaudit $1 unlabeled_t:rawip_socket recvfrom; ') Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te =================================================================== --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te 
@@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton; # connections with invalidated labels: allow kernel_t unlabeled_t:packet send; +# Forwarded traffic +allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; + corenet_all_recvfrom_unlabeled(kernel_t) corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
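Review bot: in the corenetwork.if.in netif hunks, the udp send/receive interfaces get both an allow change and a matching dontaudit change (corenet_dontaudit_udp_send_generic_if, corenet_dontaudit_udp_receive_generic_if), but no dontaudit hunk appears for the tcp or rawip netif interfaces, nor for any of the node interfaces. If dontaudit counterparts exist for those, they need `egress`/`ingress` (netif) and `sendto`/`recvfrom` (node) added as well; otherwise domains that are deliberately silenced today will start producing AVC denials for the new permissions on 2.6.25 kernels.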
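Review bot: the six kernel.if hunks insert the same `allow $1 unlabeled_t:peer recv;` (or its dontaudit twin) into each of the tcp, udp and raw recvfrom_unlabeled interfaces. The peer rule does not depend on the socket protocol, so it could be defined once and called from the three interfaces; as written, any future change to it has to be made in six places. Whichever structure is kept, the interface doc blocks (outside the hunk context) should be updated to say that these interfaces now also grant `peer recv`.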
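Review bot: the kernel.te hunk adds `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` under the one-word comment `# Forwarded traffic`, with unlabeled_t as both source and target. The rule just above it (`allow kernel_t unlabeled_t:packet send;`) gets a comment explaining its case; this one should say what the two unlabeled_t stand for (which side is the peer label of the forwarded traffic and which is the SECMARK packet label), otherwise the next reader is likely to take it for a mistyped kernel_t rule.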
* Re: [PATCH 4/4] REFPOL: Add new labeled networking permissions 2008-02-08 21:25 ` [PATCH 4/4] REFPOL: Add new labeled networking permissions paul.moore @ 2008-02-12 14:39 ` Christopher J. PeBenito 2008-02-14 3:54 ` Paul Moore 0 siblings, 1 reply; 15+ messages in thread From: Christopher J. PeBenito @ 2008-02-12 14:39 UTC (permalink / raw) To: paul.moore; +Cc: selinux On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote: > plain text document attachment (refpol-peer_perms) > The 2.6.25 kernel will introduce a new set of labeled networking controls to > SELinux and this patch makes the necessary changes to the Reference Policy > to support unlabeled network traffic with the new controls. The corenetwork part is missing changes in the cornetwork.if.m4 file. Thats where the interfaces generated by a network_(node|interface)() are generated. I'm not so sure about the kernel interface changes. The docs probably should be revised, its more about using sockets whose types have been invalidated. It doesn't have anything to do with unlabeled networking. > A description of the new/improved labeled networking controls was posted to > the SELinux list back in early January 2008. > > * http://marc.info/?l=selinux&m=119991234501200&w=2 > > --- > policy/modules/kernel/corenetwork.if.in | 24 ++++++++++++------------ > policy/modules/kernel/kernel.if | 6 ++++++ > policy/modules/kernel/kernel.te | 3 +++ > 3 files changed, 21 insertions(+), 12 deletions(-) > > Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in > =================================================================== > --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in > @@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_ > type netif_t; > ') > > - allow $1 netif_t:netif { tcp_send tcp_recv }; > + allow $1 netif_t:netif { tcp_send tcp_recv egress ingress }; > ') > > ######################################## 
> @@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if', > type netif_t; > ') > > - allow $1 netif_t:netif udp_send; > + allow $1 netif_t:netif { udp_send egress }; > ') > > ######################################## > @@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_ge > type netif_t; > ') > > - dontaudit $1 netif_t:netif udp_send; > + dontaudit $1 netif_t:netif { udp_send egress }; > ') > > ######################################## > @@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_i > type netif_t; > ') > > - allow $1 netif_t:netif udp_recv; > + allow $1 netif_t:netif { udp_recv ingress }; > ') > > ######################################## > @@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive > type netif_t; > ') > > - dontaudit $1 netif_t:netif udp_recv; > + dontaudit $1 netif_t:netif { udp_recv ingress }; > ') > > ######################################## > @@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if', > type netif_t; > ') > > - allow $1 netif_t:netif rawip_send; > + allow $1 netif_t:netif { rawip_send egress }; > ') > > ######################################## > @@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_i > type netif_t; > ') > > - allow $1 netif_t:netif rawip_recv; > + allow $1 netif_t:netif { rawip_recv ingress }; > ') > > ######################################## > @@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_ > type node_t; > ') > > - allow $1 node_t:node { tcp_send tcp_recv }; > + allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom }; > ') > > ######################################## > @@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node > type node_t; > ') > > - allow $1 node_t:node udp_send; > + allow $1 node_t:node { udp_send sendto }; > ') > > ######################################## 
> @@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_n > type node_t; > ') > > - allow $1 node_t:node udp_recv; > + allow $1 node_t:node { udp_recv recvfrom }; > ') > > ######################################## > @@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node > type node_t; > ') > > - allow $1 node_t:node rawip_send; > + allow $1 node_t:node { rawip_send sendto }; > ') > > ######################################## > @@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_n > type node_t; > ') > > - allow $1 node_t:node rawip_recv; > + allow $1 node_t:node { rawip_recv recvfrom }; > ') > > ######################################## > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if > =================================================================== > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.if > @@ -2314,6 +2314,7 @@ interface(`kernel_tcp_recvfrom_unlabeled > type unlabeled_t; > ') > > + allow $1 unlabeled_t:peer recv; > allow $1 unlabeled_t:tcp_socket recvfrom; > ') > > @@ -2343,6 +2344,7 @@ interface(`kernel_dontaudit_tcp_recvfrom > type unlabeled_t; > ') > > + dontaudit $1 unlabeled_t:peer recv; > dontaudit $1 unlabeled_t:tcp_socket recvfrom; > ') > > @@ -2370,6 +2372,7 @@ interface(`kernel_udp_recvfrom_unlabeled > type unlabeled_t; > ') > > + allow $1 unlabeled_t:peer recv; > allow $1 unlabeled_t:udp_socket recvfrom; > ') > > @@ -2399,6 +2402,7 @@ interface(`kernel_dontaudit_udp_recvfrom > type unlabeled_t; > ') > > + dontaudit $1 unlabeled_t:peer recv; > dontaudit $1 unlabeled_t:udp_socket recvfrom; > ') > > @@ -2426,6 +2430,7 @@ interface(`kernel_raw_recvfrom_unlabeled > type unlabeled_t; > ') > > + allow $1 unlabeled_t:peer recv; > allow $1 unlabeled_t:rawip_socket recvfrom; > ') 
> > @@ -2455,6 +2460,7 @@ interface(`kernel_dontaudit_raw_recvfrom > type unlabeled_t; > ') > > + dontaudit $1 unlabeled_t:peer recv; > dontaudit $1 unlabeled_t:rawip_socket recvfrom; > ') > > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te > =================================================================== > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te > @@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton; > # connections with invalidated labels: > allow kernel_t unlabeled_t:packet send; > > +# Forwarded traffic > +allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; > + > corenet_all_recvfrom_unlabeled(kernel_t) > corenet_all_recvfrom_netlabel(kernel_t) > # Kernel-generated traffic e.g., ICMP replies: > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 4/4] REFPOL: Add new labeled networking permissions 2008-02-12 14:39 ` Christopher J. PeBenito @ 2008-02-14 3:54 ` Paul Moore 2008-02-14 14:36 ` Christopher J. PeBenito 0 siblings, 1 reply; 15+ messages in thread 
From: Paul Moore @ 2008-02-14 3:54 UTC (permalink / raw) To: Christopher J. PeBenito; +Cc: selinux On Tuesday 12 February 2008 9:39:59 am Christopher J. PeBenito wrote: > On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote: > > plain text document attachment (refpol-peer_perms) > > The 2.6.25 kernel will introduce a new set of labeled networking controls > > to SELinux and this patch makes the necessary changes to the Reference > > Policy to support unlabeled network traffic with the new controls. > > The corenetwork part is missing changes in the cornetwork.if.m4 file. > Thats where the interfaces generated by a network_(node|interface)() are > generated. Okay, I'll look into fixing that part up. > I'm not so sure about the kernel interface changes. The docs probably > should be revised, its more about using sockets whose types have been > invalidated. It doesn't have anything to do with unlabeled networking. Hmmm, okay. Do you have a suggestion for how to add these new allow rules? A new interface? I would need to go check again, but these seemed to be the most logical of the existing interfaces when I made the change (and I suspect not much has changed in this area). > > A description of the new/improved labeled networking controls was posted > > to the SELinux list back in early January 2008. > > > > * http://marc.info/?l=selinux&m=119991234501200&w=2 > > > > --- > > policy/modules/kernel/corenetwork.if.in | 24 ++++++++++++------------ > > policy/modules/kernel/kernel.if | 6 ++++++ > > policy/modules/kernel/kernel.te | 3 +++ > > 3 files changed, 21 insertions(+), 12 deletions(-) > > > > Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in > > =================================================================== > > --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in > > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in 
> > @@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_ > > type netif_t; > > ') > > > > - allow $1 netif_t:netif { tcp_send tcp_recv }; > > + allow $1 netif_t:netif { tcp_send tcp_recv egress ingress }; > > ') > > > > ######################################## > > @@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if', > > type netif_t; > > ') > > > > - allow $1 netif_t:netif udp_send; > > + allow $1 netif_t:netif { udp_send egress }; > > ') > > > > ######################################## > > @@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_ge > > type netif_t; > > ') > > > > - dontaudit $1 netif_t:netif udp_send; > > + dontaudit $1 netif_t:netif { udp_send egress }; > > ') > > > > ######################################## > > @@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_i > > type netif_t; > > ') > > > > - allow $1 netif_t:netif udp_recv; > > + allow $1 netif_t:netif { udp_recv ingress }; > > ') > > > > ######################################## > > @@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive > > type netif_t; > > ') > > > > - dontaudit $1 netif_t:netif udp_recv; > > + dontaudit $1 netif_t:netif { udp_recv ingress }; > > ') > > > > ######################################## > > @@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if', > > type netif_t; > > ') > > > > - allow $1 netif_t:netif rawip_send; > > + allow $1 netif_t:netif { rawip_send egress }; > > ') > > > > ######################################## > > @@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_i > > type netif_t; > > ') > > > > - allow $1 netif_t:netif rawip_recv; > > + allow $1 netif_t:netif { rawip_recv ingress }; > > ') > > > > ######################################## > > @@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_ > > type node_t; > > ') > > > > - allow $1 node_t:node { tcp_send tcp_recv }; > > + allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom }; > > ') > > > > ######################################## 
> > @@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node > > type node_t; > > ') > > > > - allow $1 node_t:node udp_send; > > + allow $1 node_t:node { udp_send sendto }; > > ') > > > > ######################################## > > @@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_n > > type node_t; > > ') > > > > - allow $1 node_t:node udp_recv; > > + allow $1 node_t:node { udp_recv recvfrom }; > > ') > > > > ######################################## > > @@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node > > type node_t; > > ') > > > > - allow $1 node_t:node rawip_send; > > + allow $1 node_t:node { rawip_send sendto }; > > ') > > > > ######################################## > > @@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_n > > type node_t; > > ') > > > > - allow $1 node_t:node rawip_recv; > > + allow $1 node_t:node { rawip_recv recvfrom }; > > ') > > > > ######################################## > > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if > > =================================================================== > > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if > > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.if > > @@ -2314,6 +2314,7 @@ interface(`kernel_tcp_recvfrom_unlabeled > > type unlabeled_t; > > ') > > > > + allow $1 unlabeled_t:peer recv; > > allow $1 unlabeled_t:tcp_socket recvfrom; > > ') > > > > @@ -2343,6 +2344,7 @@ interface(`kernel_dontaudit_tcp_recvfrom > > type unlabeled_t; > > ') > > > > + dontaudit $1 unlabeled_t:peer recv; > > dontaudit $1 unlabeled_t:tcp_socket recvfrom; > > ') > > > > @@ -2370,6 +2372,7 @@ interface(`kernel_udp_recvfrom_unlabeled > > type unlabeled_t; > > ') > > > > + allow $1 unlabeled_t:peer recv; > > allow $1 unlabeled_t:udp_socket recvfrom; > > ') > > > > @@ -2399,6 +2402,7 @@ interface(`kernel_dontaudit_udp_recvfrom > > type unlabeled_t; > > ') > > > > + dontaudit $1 unlabeled_t:peer recv; > > dontaudit $1 unlabeled_t:udp_socket recvfrom; > > ') 
> > > > @@ -2426,6 +2430,7 @@ interface(`kernel_raw_recvfrom_unlabeled > > type unlabeled_t; > > ') > > > > + allow $1 unlabeled_t:peer recv; > > allow $1 unlabeled_t:rawip_socket recvfrom; > > ') > > > > @@ -2455,6 +2460,7 @@ interface(`kernel_dontaudit_raw_recvfrom > > type unlabeled_t; > > ') > > > > + dontaudit $1 unlabeled_t:peer recv; > > dontaudit $1 unlabeled_t:rawip_socket recvfrom; > > ') > > > > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te > > =================================================================== > > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te > > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te > > @@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton; > > # connections with invalidated labels: > > allow kernel_t unlabeled_t:packet send; > > > > +# Forwarded traffic > > +allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; > > + > > corenet_all_recvfrom_unlabeled(kernel_t) > > corenet_all_recvfrom_netlabel(kernel_t) > > # Kernel-generated traffic e.g., ICMP replies: -- paul moore linux security @ hp
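Review bot: the corenetwork.if.in hunks (@@ -154 through @@ -535) only widen the generic netif_t and node_t interfaces such as corenet_tcp_sendrecv_generic_if and corenet_udp_send_generic_node, so domains that use the per-interface and per-node variants generated from corenetwork.if.m4 by network_(node|interface)() will still be missing egress/ingress on netif and sendto/recvfrom on node under the new controls; the templates that generate those variants need the same permission additions, otherwise the generic and the specific interfaces grant different access for the same traffic.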
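Review bot: the kernel.if hunks (@@ -2314 through @@ -2455) add the identical line `allow $1 unlabeled_t:peer recv;` (or its dontaudit twin) to all six kernel_*_recvfrom_unlabeled interfaces, whose names and existing `unlabeled_t:*_socket recvfrom` rules are about sockets whose labels have been invalidated, not about unlabeled peers; one dedicated interface such as kernel_recvfrom_unlabeled_peer() would keep the peer rule in a single place, avoid granting it as a side effect of six unrelated interfaces, and leave their documented purpose intact.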
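Review bot: in the kernel.te hunk (@@ -212), `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` sits under the one-line comment `# Forwarded traffic`, which does not say why the source is unlabeled_t while the `packet send` rule directly above uses kernel_t; expand the comment to state that in the forwarding checks the source is the peer label of the packet being forwarded rather than a process domain, so the rule is not later "corrected" to kernel_t.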
* Re: [PATCH 4/4] REFPOL: Add new labeled networking permissions
From: Christopher J. PeBenito @ 2008-02-14 14:36 UTC
To: Paul Moore; +Cc: selinux

On Wed, 2008-02-13 at 22:54 -0500, Paul Moore wrote:
> On Tuesday 12 February 2008 9:39:59 am Christopher J. PeBenito wrote:
> > On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote:
> > > plain text document attachment (refpol-peer_perms)
> > > The 2.6.25 kernel will introduce a new set of labeled networking controls
> > > to SELinux and this patch makes the necessary changes to the Reference
> > > Policy to support unlabeled network traffic with the new controls.
> >
> > The corenetwork part is missing changes in the cornetwork.if.m4 file.
> > That's where the interfaces generated by a network_(node|interface)() are
> > generated.
>
> Okay, I'll look into fixing that part up.
>
> > I'm not so sure about the kernel interface changes. The docs probably
> > should be revised, it's more about using sockets whose types have been
> > invalidated. It doesn't have anything to do with unlabeled networking.
>
> Hmmm, okay. Do you have a suggestion for how to add these new allow rules? A
> new interface? I would need to go check again, but these seemed to be the
> most logical of the existing interfaces when I made the change (and I suspect
> not much has changed in this area).

I'm thinking along the lines of new interfaces like
kernel_recvfrom_unlabeled_peer().

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [PATCH 4/4] REFPOL: Add new labeled networking permissions
From: Paul Moore @ 2008-02-14 15:26 UTC
To: Christopher J. PeBenito; +Cc: selinux

On Thursday 14 February 2008 9:36:59 am Christopher J. PeBenito wrote:
> On Wed, 2008-02-13 at 22:54 -0500, Paul Moore wrote:
> > On Tuesday 12 February 2008 9:39:59 am Christopher J. PeBenito wrote:
> > > On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote:
> > > > plain text document attachment (refpol-peer_perms)
> > > > The 2.6.25 kernel will introduce a new set of labeled
> > > > networking controls to SELinux and this patch makes the
> > > > necessary changes to the Reference Policy to support unlabeled
> > > > network traffic with the new controls.
> > >
> > > The corenetwork part is missing changes in the cornetwork.if.m4
> > > file. That's where the interfaces generated by a
> > > network_(node|interface)() are generated.
> >
> > Okay, I'll look into fixing that part up.
> >
> > > I'm not so sure about the kernel interface changes. The docs
> > > probably should be revised, it's more about using sockets whose
> > > types have been invalidated. It doesn't have anything to do with
> > > unlabeled networking.
> >
> > Hmmm, okay. Do you have a suggestion for how to add these new
> > allow rules? A new interface? I would need to go check again, but
> > these seemed to be the most logical of the existing interfaces when
> > I made the change (and I suspect not much has changed in this
> > area).
>
> I'm thinking along the lines of new interfaces like
> kernel_recvfrom_unlabeled_peer().

Okay, I'll see what I can do.

--
paul moore
linux security @ hp
* Re: [PATCH 4/4] REFPOL: Add new labeled networking permissions
From: Paul Moore @ 2008-02-19 17:12 UTC
To: Christopher J. PeBenito; +Cc: selinux

On Thursday 14 February 2008 9:36:59 am Christopher J. PeBenito wrote:
> On Wed, 2008-02-13 at 22:54 -0500, Paul Moore wrote:
> > On Tuesday 12 February 2008 9:39:59 am Christopher J. PeBenito wrote:
> > > On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote:
> > > > plain text document attachment (refpol-peer_perms)
> > > > The 2.6.25 kernel will introduce a new set of labeled
> > > > networking controls to SELinux and this patch makes the
> > > > necessary changes to the Reference Policy to support unlabeled
> > > > network traffic with the new controls.
> > >
> > > The corenetwork part is missing changes in the cornetwork.if.m4
> > > file. That's where the interfaces generated by a
> > > network_(node|interface)() are generated.
> >
> > Okay, I'll look into fixing that part up.
> >
> > > I'm not so sure about the kernel interface changes. The docs
> > > probably should be revised, it's more about using sockets whose
> > > types have been invalidated. It doesn't have anything to do with
> > > unlabeled networking.
> >
> > Hmmm, okay. Do you have a suggestion for how to add these new
> > allow rules? A new interface? I would need to go check again, but
> > these seemed to be the most logical of the existing interfaces when
> > I made the change (and I suspect not much has changed in this
> > area).
>
> I'm thinking along the lines of new interfaces like
> kernel_recvfrom_unlabeled_peer().

Before I go ahead and make all of the changes to the other modules, are the
two interfaces below what you had in mind?

**** from kernel.if
########################################
## <summary>
##	Receive packets from an unlabeled peer.
## </summary>
## <desc>
##	<p>
##	Receive packets from an unlabeled peer;
##	these packets do not have any peer labeling
##	information present.
##	</p>
##	<p>
##	The corenetwork interface
##	corenet_recvfrom_unlabeled_peer() should
##	be used instead of this one.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kernel_recvfrom_unlabeled_peer',`
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:peer recv;
')

**** from corenetwork.if.in
########################################
## <summary>
##	Receive packets from an unlabeled peer.
## </summary>
## <desc>
##	<p>
##	Receive packets from an unlabeled peer;
##	these packets do not have any peer labeling
##	information present.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_recvfrom_unlabeled_peer',`
	kernel_recvfrom_unlabeled_peer($1)
')

--
paul moore
linux security @ hp
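As an added example, not code from this thread or from the Reference Policy project: a small Python checker that parses the refpolicy interface() syntax shown above, resolves a call such as corenet_recvfrom_unlabeled_peer() down to the concrete allow rule that kernel_recvfrom_unlabeled_peer() grants, and flags an allow/dontaudit interface pair whose permission sets have drifted apart (the pairing the corenetwork.if.in hunks earlier in the thread keep in step). The sample .if text, the myapp_t domain and the deliberately stale corenet_dontaudit_udp_receive_generic_if are constructed for the example.

```python
"""Constructed example: resolve refpolicy interface calls to AV rules and
check allow/dontaudit interface pairs stay in sync (not refpolicy tooling)."""
import re

# Constructed sample .if text: the two interfaces proposed in the thread, one
# patched allow/dontaudit pair, and one pair left in its pre-patch state.
SAMPLE_IF = r"""
interface(`kernel_recvfrom_unlabeled_peer',`
    gen_require(`
        type unlabeled_t;
    ')
    allow $1 unlabeled_t:peer recv;
')
interface(`corenet_recvfrom_unlabeled_peer',`
    kernel_recvfrom_unlabeled_peer($1)
')
interface(`corenet_udp_send_generic_if',`
    allow $1 netif_t:netif { udp_send egress };
')
interface(`corenet_dontaudit_udp_send_generic_if',`
    dontaudit $1 netif_t:netif { udp_send egress };
')
interface(`corenet_udp_receive_generic_if',`
    allow $1 netif_t:netif { udp_recv ingress };
')
interface(`corenet_dontaudit_udp_receive_generic_if',`
    dontaudit $1 netif_t:netif udp_recv;
')
"""

IFACE_RE = re.compile(r"interface\(`(\w+)',`(.*?)\n'\)", re.S)
RULE_RE = re.compile(r"^\s*(allow|dontaudit)\s+(\S+)\s+(\S+):(\w+)\s+(\{[^}]*\}|\S+);", re.M)
CALL_RE = re.compile(r"^\s*(\w+)\((\$\d)\)\s*$", re.M)

def parse_interfaces(text):
    """Map each interface name to its raw body (gen_require blocks included)."""
    return {m.group(1): m.group(2) for m in IFACE_RE.finditer(text)}

def expand(name, domain, ifaces):
    """Concrete (kind, source, target, class, perms) rules granted to `domain`
    by calling `name`, following nested calls (corenet_* -> kernel_*)."""
    rules = []
    for kind, src, tgt, cls, perms in RULE_RE.findall(ifaces[name]):
        src, tgt = src.replace("$1", domain), tgt.replace("$1", domain)
        rules.append((kind, src, tgt, cls, frozenset(perms.strip("{} ").split())))
    for callee, arg in CALL_RE.findall(ifaces[name]):
        if callee in ifaces:  # calls into other modules are out of scope here
            rules += expand(callee, arg.replace("$1", domain), ifaces)
    return rules

def dontaudit_mismatches(ifaces):
    """Names of *_dontaudit_* interfaces whose permissions drifted from the
    matching allow interface; the same mismatch shows up as stray AVC denials."""
    def perms(n):
        return {(t, c, p) for _, _, t, c, p in expand(n, "$1", ifaces)}
    return sorted(n for n in ifaces if "_dontaudit_" in n
                  and n.replace("_dontaudit_", "_", 1) in ifaces
                  and perms(n) != perms(n.replace("_dontaudit_", "_", 1)))
```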
* Re: [PATCH 4/4] REFPOL: Add new labeled networking permissions
From: Christopher J. PeBenito @ 2008-02-19 18:07 UTC
To: Paul Moore; +Cc: selinux

On Tue, 2008-02-19 at 12:12 -0500, Paul Moore wrote:
> On Thursday 14 February 2008 9:36:59 am Christopher J. PeBenito wrote:
> > On Wed, 2008-02-13 at 22:54 -0500, Paul Moore wrote:
> > > On Tuesday 12 February 2008 9:39:59 am Christopher J. PeBenito wrote:
> > > > On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote:
> > > > > plain text document attachment (refpol-peer_perms)
> > > > > The 2.6.25 kernel will introduce a new set of labeled
> > > > > networking controls to SELinux and this patch makes the
> > > > > necessary changes to the Reference Policy to support unlabeled
> > > > > network traffic with the new controls.

[...]

> > > > I'm not so sure about the kernel interface changes. The docs
> > > > probably should be revised, it's more about using sockets whose
> > > > types have been invalidated. It doesn't have anything to do with
> > > > unlabeled networking.
> > >
> > > Hmmm, okay. Do you have a suggestion for how to add these new
> > > allow rules? A new interface? I would need to go check again, but
> > > these seemed to be the most logical of the existing interfaces when
> > > I made the change (and I suspect not much has changed in this
> > > area).
> >
> > I'm thinking along the lines of new interfaces like
> > kernel_recvfrom_unlabeled_peer().
>
> Before I go ahead and make all of the changes to the other modules, are
> the two interfaces below what you had in mind?

Yes.

> **** from kernel.if
> ########################################
> ## <summary>
> ##	Receive packets from an unlabeled peer.
> ## </summary>
> ## <desc>
> ##	<p>
> ##	Receive packets from an unlabeled peer;
> ##	these packets do not have any peer labeling
> ##	information present.
> ##	</p>
> ##	<p>
> ##	The corenetwork interface
> ##	corenet_recvfrom_unlabeled_peer() should
> ##	be used instead of this one.
> ##	</p>
> ## </desc>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`kernel_recvfrom_unlabeled_peer',`
> 	gen_require(`
> 		type unlabeled_t;
> 	')
>
> 	allow $1 unlabeled_t:peer recv;
> ')
>
> **** from corenetwork.if.in
> ########################################
> ## <summary>
> ##	Receive packets from an unlabeled peer.
> ## </summary>
> ## <desc>
> ##	<p>
> ##	Receive packets from an unlabeled peer;
> ##	these packets do not have any peer labeling
> ##	information present.
> ##	</p>
> ## </desc>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`corenet_recvfrom_unlabeled_peer',`
> 	kernel_recvfrom_unlabeled_peer($1)
> ')

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150