* Network security contexts
@ 2003-11-26 12:33 Carlos Anísio Monteiro
  2003-11-26 13:47 ` Stephen Smalley
  2003-11-26 14:02 ` [patch] 2.6.0-test10-selinux1 (Was: Re: Network security contexts) Stephen Smalley
  0 siblings, 2 replies; 3+ messages in thread
From: Carlos Anísio Monteiro @ 2003-11-26 12:33 UTC (permalink / raw)
  To: selinux

Hi.

How can I verify if the network entities are set to the proper 
security contexts? What command can I use?
The security contexts for the network entities are set in the 
net_contexts file.

Thanks.

-- 
Carlos Anisio Monteiro  <monteiro@ipen.br>
IPEN/CNEN-SP
Sao Paulo - Brasil



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Network security contexts
  2003-11-26 12:33 Network security contexts Carlos Anísio Monteiro
@ 2003-11-26 13:47 ` Stephen Smalley
  2003-11-26 14:02 ` [patch] 2.6.0-test10-selinux1 (Was: Re: Network security contexts) Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2003-11-26 13:47 UTC (permalink / raw)
  To: Carlos Anísio Monteiro; +Cc: selinux

On Wed, 2003-11-26 at 07:33, Carlos Anísio Monteiro wrote:
> Hi.
> 
> How can I verify if the network entities are set to the proper 
> security contexts? What command can I use?
> The security contexts for the network entities are set in the 
> net_contexts file.

As noted in the selinux-doc README, the SELinux network access controls
were temporarily removed when SELinux was reworked for mainline 2.6
because the implementation depended on a set of security fields and
hooks that were not accepted into mainline 2.6.  James Morris has begun
reimplementing these controls.  If you want to experiment with them, you
will need to use a very recent snapshot of our kernel patch.  I'll post
our current 2.6.0-test10-selinux1 patch in a separate message.  Also, we
have begun to submit our patches for inclusion in Arjan's 2.6 kernel
RPMs as a holding place until we can get them upstreamed post 2.6.0, so
you can use his kernel RPMs if you like (under
http://people.redhat.com/arjanv/2.5).

There is no command to show the context of a network entity.  But (with
a very recent snapshot of the kernel patch) you can see the effect by
enabling auditing of the corresponding permissions, e.g.
	auditallow domain netif_type:netif *;
	auditallow domain node_type:node *;

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
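
Added example (not part of the message above and not SELinux project code): once the auditallow rules from the reply are loaded, the granted accesses show up as AVC messages in the kernel log, and the tcontext field of each netif/node message is the context the entity was given. The sketch below groups those messages by class and target context; the sample log lines are constructed, and their field layout and type names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (not from the thread); the field layout
# and the type names are assumptions made for illustration.
SAMPLE_LOG = """\
avc:  granted  { tcp_send } for  pid=812 comm=sshd netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:netif_eth0_t tclass=netif
avc:  granted  { tcp_send } for  pid=812 comm=sshd scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:node_t tclass=node
avc:  granted  { udp_recv } for  pid=640 comm=named netif=lo scontext=system_u:system_r:named_t tcontext=system_u:object_r:netif_lo_t tclass=netif
avc:  granted  { read } for  pid=640 comm=named scontext=system_u:system_r:named_t tcontext=system_u:object_r:etc_t tclass=file
avc:  denied  { rawip_send } for  pid=901 comm=ping netif=eth0 scontext=user_u:user_r:ping_t tcontext=system_u:object_r:netif_eth0_t tclass=netif
"""

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the fields of one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(3)))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or unrelated message
    fields["result"], fields["perms"] = m.group(1), m.group(2).split()
    return fields


def network_contexts(log_text, classes=("netif", "node")):
    """Group audited accesses by (class, target context) for network classes."""
    seen = defaultdict(lambda: {"perms": set(), "domains": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] not in classes:
            continue
        entry = seen[(rec["tclass"], rec["tcontext"])]
        entry["perms"].update(rec["perms"])
        entry["domains"].add(rec["scontext"])
        if "netif" in rec:  # interface name, when the message carries one
            entry["names"].add(rec["netif"])
    return dict(seen)


if __name__ == "__main__":
    for (tclass, tcontext), e in sorted(network_contexts(SAMPLE_LOG).items()):
        print(tclass, tcontext, sorted(e["names"]), sorted(e["perms"]))
```

Comparing the contexts it reports against the entries in net_contexts shows whether each interface or node received the intended label.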


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [patch] 2.6.0-test10-selinux1 (Was: Re:  Network security contexts)
  2003-11-26 12:33 Network security contexts Carlos Anísio Monteiro
  2003-11-26 13:47 ` Stephen Smalley
@ 2003-11-26 14:02 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2003-11-26 14:02 UTC (permalink / raw)
  To: Carlos Anísio Monteiro; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 608 bytes --]

The first attached patch against 2.6.0-test10 includes our current set
of changes to the SELinux module.  In addition to the previously posted
changes (reducing the capability check for KDSKBENT/SENT, eliminating
global.h, adding new inheritance controls), this patch also includes a
reimplementation of some of the SELinux network access controls by James
Morris.  

The second attached patch updates the policy access vector definitions,
some macros, and part of the network-related configuration to reflect
changes in the implementation.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: 2.6.0-test10-selinux1.patch.gz --]
[-- Type: application/x-gzip, Size: 8299 bytes --]

[-- Attachment #3: policy.patch.gz --]
[-- Type: application/x-gzip, Size: 1752 bytes --]
