From: paul.moore@hp.com (Paul Moore)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC PATCH v1] network: Enable "network_peer_controls" and fix some remaining issues
Date: Mon, 8 Dec 2008 15:41:08 -0500 [thread overview]
Message-ID: <200812081541.08269.paul.moore@hp.com> (raw)
In-Reply-To: <20081208195409.080889391@flek.lan>
On Monday 08 December 2008 2:53:59 pm paul.moore at hp.com wrote:
> We added the network_peer_controls capability back in Linux Kernel
> 2.6.25 but didn't activate the capabilitiy because more work needed
> to be done to ensure a smooth transition to the new controls. This
> patch enables the network_peer_controls capability and fixes a few
> remaining issues. With this patch applied to the current Fedora
> Rawhide SELinux policy
> (selinux-policy-3.6.1-4.fc11) I am able to interact with the machine
> over the network without any new AVC denials.
>
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
> policy/modules/kernel/corenetwork.if.in | 120
> ++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.te
> | 4 -
> policy/policy_capabilities | 2
> 3 files changed, 124 insertions(+), 2 deletions(-)
>
> Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -140,6 +140,66 @@ interface(`corenet_server_packet',`
>
> ########################################
> ## <summary>
> +## Allow outgoing network traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the outgoing network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_out_generic_if',`
> + gen_require(`
> + type netif_t;
> + ')
> +
> + allow $1 netif_t:netif { egress };
> +
> + # XXX - legacy support
> + allow $1 netif_t:netif { tcp_send udp_send rawip_send };
> +')
I wanted to ask everyone's opinion on replacing the protocol specific
corenet_*_if() macros with the more generic versions in this patch.
I'm not convinced that distinguishing between protocols, i.e. UDP vs
TCP, is all that useful in a general sense and only adds complexity to
the policy. If people really wanted separation between protocols they
could always accomplish that with Secmark ... Thoughts?
--
paul moore
linux @ hp
prev parent reply other threads:[~2008-12-08 20:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-08 19:53 [refpolicy] [RFC PATCH v1] network: Enable "network_peer_controls" and fix some remaining issues paul.moore at hp.com
2008-12-08 20:37 ` Paul Moore
2008-12-08 20:41 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200812081541.08269.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.