From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from zombie.ncsc.mil (zombie.ncsc.mil [144.51.88.131]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id m1JHaRZt007025 for ; Tue, 19 Feb 2008 12:36:27 -0500 Received: from g1t0026.austin.hp.com (jazzdrum.ncsc.mil [144.51.5.7]) by zombie.ncsc.mil (8.12.10/8.12.10) with ESMTP id m1JHaQsW016369 for ; Tue, 19 Feb 2008 17:36:26 GMT From: Paul Moore To: "Christopher J. PeBenito" Subject: Re: [PATCH 4/4] REFPOL: Add new labeled networking permissions Date: Tue, 19 Feb 2008 12:12:45 -0500 Cc: selinux@tycho.nsa.gov References: <20080208212534.491651808@hp.com> <200802132254.14625.paul.moore@hp.com> <1202999824.30706.34.camel@gorn> In-Reply-To: <1202999824.30706.34.camel@gorn> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Message-Id: <200802191212.45302.paul.moore@hp.com> Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov On Thursday 14 February 2008 9:36:59 am Christopher J. PeBenito wrote: > On Wed, 2008-02-13 at 22:54 -0500, Paul Moore wrote: > > On Tuesday 12 February 2008 9:39:59 am Christopher J. PeBenito wrote: > > > On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote: > > > > plain text document attachment (refpol-peer_perms) > > > > The 2.6.25 kernel will introduce a new set of labeled > > > > networking controls to SELinux and this patch makes the > > > > necessary changes to the Reference Policy to support unlabeled > > > > network traffic with the new controls. > > > > > > The corenetwork part is missing changes in the cornetwork.if.m4 > > > file. Thats where the interfaces generated by a > > > network_(node|interface)() are generated. > > > > Okay, I'll look into fixing that part up. > > > > > I'm not so sure about the kernel interface changes. The docs > > > probably should be revised, its more about using sockets whose > > > types have been invalidated. It doesn't have anything to do with > > > unlabeled networking. > > > > Hmmm, okay. Do you have a suggestion for how to add these new > > allow rules? A new interface? I would need to go check again, but > > these seemed to be the most logical of the existing interfaces when > > I made the change (and I suspect not much has changed in this > > area). > > I'm thinking along the lines of new interfaces like > kernel_recvfrom_unlabeled_peer(). Before I go ahead an make all of the changes to the other modules, are the two interfaces below what you had in mind? **** from kernel.if ######################################## ## ## Receive packets from an unlabeled peer. ## ## ##

## Receive packets from an unlabeled peer, ## these packets do not have any peer labeling ## information present. ##

##

## The corenetwork interface ## corenet_recvfrom_unlabeled_peer() should ## be used instead of this one. ##

## ## ## ## Domain allowed access. ## ## # interface(`kernel_recvfrom_unlabeled_peer',` gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:peer recv; ') **** from corenetwork.if.in ######################################## ## ## Receive packets from an unlabeled peer. ## ## ##

## Receive packets from an unlabeled peer, ## these packets do not have any peer labeling ## information present. ##

## ## ## ## Domain allowed access. ## ## # interface(`corenet_recvfrom_unlabeled_peer',` kernel_recvfrom_unlabeled_peer($1) ') -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.