From: Paul Moore <paul.moore@hp.com>
To: Chris Kuester <c.kuester@tarent.de>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>
Subject: Re: Conditional Access to Network Resources
Date: Tue, 21 Oct 2008 10:03:26 -0400
Message-ID: <200810211003.26754.paul.moore@hp.com>
In-Reply-To: <1224590583.15821.2.camel@moss-spartans.epoch.ncsc.mil>
On Tuesday 21 October 2008 8:03:03 am Stephen Smalley wrote:
> On Tue, 2008-10-21 at 11:25 +0200, Chris Kuester wrote:
> > Hi List,
> >
> > I'm facing the following problem:
> >
> > I want to allow my domain to access certain ports on the local
> > interface and certain ports on a nonlocal interface.
> > Example:
> > Domain may connect to port 25 over eth0
> > Domain may connect to port 4242 only on the loopback interface.
> >
> > But if I allow my domain to access port 25 over eth0 it can also
> > access port 25 on the local interface because I have to allow full
> > access to both, local and remote nodes and sending traffic over
> > both network interfaces.
> >
> > I think I need to have some kind of condition, or do I
> > misunderstand something here?
> >
> > Constraint: Switching to SECMARKing instead of the "old" network
> > confinement code is not an option at the moment. :(
>
> Offhand, I think that is your only option if you want to express
> combinations of restrictions like this - this is precisely why
> SECMARK was created.
I agree with Stephen, with the combinations you describe I don't believe
it would be possible to do what you want using the old/compat_net
controls. Can you explain in more detail what your overall network
security goals are for your domain/application? We might be able to
help solve the problem another way ...
Also, if you don't mind, can I ask why SECMARK is not an option? I
expect that the older controls will be marked as deprecated in the near
future with the goal of removal some time after that. Understanding
why SECMARK is not an option is important so we can make a smooth
transition.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
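What the SECMARK route Stephen and Paul point to looks like for the two rules Chris asked for, as an added example that is not part of the thread and not code from any of its participants. It generates an iptables-restore fragment for the mangle table and a refpolicy-style module; the domain name mydomain_t, the packet types smtp_eth0_packet_t and svc_lo_packet_t, the s0 MLS suffix and the use of the refpolicy corenet_packet() interface are all assumptions. It assumes the compat_net node/netif checks are off and that the domain already has the ordinary name_connect permission for both ports, since SECMARK adds the packet check rather than replacing the port check.

```shell
#!/bin/sh
# Added example, not from the selinux list thread.  Generates the SECMARK
# pieces that express "port 25 only over eth0, port 4242 only over lo"
# for one domain.  All names below are hypothetical.

DOMAIN=${DOMAIN:-mydomain_t}        # assumed confined domain
SMTP_PKT=smtp_eth0_packet_t         # assumed packet type, port 25 via eth0
LOCAL_PKT=svc_lo_packet_t           # assumed packet type, port 4242 via lo

# iptables-restore input for the mangle table (SECMARK is only valid there).
# Packets matching an allowed (interface, port) pair get a SECMARK label;
# CONNSECMARK --save copies that label onto the conntrack entry on the first
# packet and --restore puts it back on every later packet in both directions,
# so replies arriving in INPUT carry the same packet type.
secmark_rules() {
    cat <<EOF
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW -j SECMARK --selctx system_u:object_r:${SMTP_PKT}:s0
-A OUTPUT -o lo -p tcp --dport 4242 -m state --state NEW -j SECMARK --selctx system_u:object_r:${LOCAL_PKT}:s0
-A OUTPUT -m state --state NEW -j CONNSECMARK --save
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
COMMIT
EOF
}

# Policy module source.  The domain is allowed exactly the two labeled packet
# types.  Because it gets no rule for unlabeled_t, a connect to port 25 over
# lo or to port 4242 over eth0 (which no SECMARK rule labels) fails the
# packet check even though the port and netif checks on their own would pass.
secmark_policy() {
    cat <<EOF
policy_module(${DOMAIN}_secmark, 1.0)

gen_require(\`
	type ${DOMAIN};
')

type ${SMTP_PKT};
corenet_packet(${SMTP_PKT})
type ${LOCAL_PKT};
corenet_packet(${LOCAL_PKT})

allow ${DOMAIN} ${SMTP_PKT}:packet { send recv };
allow ${DOMAIN} ${LOCAL_PKT}:packet { send recv };
EOF
}

# Sanity check that the two outputs agree: every type named in a SECMARK
# --selctx must have a matching packet allow rule for the domain.
check_consistency() {
    for t in $(secmark_rules | sed -n 's/.*--selctx [^:]*:[^:]*:\([^:]*\):.*/\1/p'); do
        secmark_policy | grep -q "allow ${DOMAIN} ${t}:packet" || return 1
    done
    return 0
}

# Usage: write both artifacts out for loading.
# secmark_rules  > mydomain_secmark.rules   # iptables-restore < mydomain_secmark.rules
# secmark_policy > mydomain_secmark.te      # checkmodule/semodule_package/semodule -i
```

Two caveats a practitioner would want before loading this. Once any SECMARK rule is present the kernel of that era enforces the packet class for every packet on the box, so traffic for every other domain is checked as unlabeled_t and needs either its own SECMARK labels or the refpolicy corenet_sendrecv_unlabeled_packets() permission, which is exactly why this module deliberately gives mydomain_t no unlabeled_t rule. And the CONNSECMARK rules depend on conntrack, so the restore rules must come before the SECMARK rules in OUTPUT, as above, or established flows would be relabeled on every packet.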
Thread overview: 4+ messages
2008-10-21 9:25 Conditional Access to Network Resources Chris Kuester
2008-10-21 11:04 ` Dominick Grift
2008-10-21 12:03 ` Stephen Smalley
2008-10-21 14:03 ` Paul Moore [this message]