net_contexts

net_contexts

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 808 bytes --]

I've attached my latest net_contexts file which ifdef's around all the port 
bindings.  I've moved the definitions for the port_type objects to the *.te 
files, so now if you remove a .te file then the policy compiled with that 
change will also not have any special settings for the TCP/UDP ports 
associated with that program.

In the case of port 8080 I used an ugly pair of ifdef's for squid and apache.

For the other files in my current sample policy see 
http://www.coker.com.au/selinux/policy.tgz

-- 
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.

[-- Attachment #2: net_contexts --]
[-- Type: text/plain, Size: 1822 bytes --]

# FLASK

#
# Security contexts for network entities
# If no context is specified, then a default initial SID is used.
#

#
# Port numbers (default = initial SID 'port')
# 
# protocol number context
# protocol low-high context
#
ifdef(`ftpd.te', `tcp 21 system_u:object_r:ftp_port_t')
ifdef(`inetd.te', `tcp 23 system_u:object_r:telnet_port_t')
ifdef(`sendmail.te', `tcp 25 system_u:object_r:smtp_port_t')
ifdef(`apache.te', `tcp 80  system_u:object_r:http_port_t')
ifdef(`rlogind.te', `tcp 513 system_u:object_r:rlogin_port_t')
ifdef(`rshd', `tcp 514 system_u:object_r:rsh_port_t')
ifdef(`lpd.te', `tcp 515 system_u:object_r:printer_port_t')
ifdef(`cups.te', `tcp 631 system_u:object_r:ipp_port_t')
ifdef(`apache.te', `tcp 8080  system_u:object_r:http_cache_port_t',
`ifdef(`squid.te', `tcp 8080  system_u:object_r:http_cache_port_t')')
ifdef(`named.te', `udp 53 system_u:object_r:named_port_t')
ifdef(`radius.te', `udp 1645 system_u:object_r:radius_port_t
udp 1646 system_u:object_r:radacct_port_t
udp 1812 system_u:object_r:radius_port_t
udp 1813 system_u:object_r:radacct_port_t')
ifdef(`', `tcp 2628 system_u:object_r:dict_port_t')


# Network interfaces (default = initial SID 'netif' and 'netmsg')
#
# interface netif_context default_msg_context
#
lo system_u:object_r:netif_lo_t system_u:object_r:netmsg_lo_t
eth0 system_u:object_r:netif_eth0_t system_u:object_r:netmsg_eth0_t
eth1 system_u:object_r:netif_eth1_t system_u:object_r:netmsg_eth1_t


# Nodes (default = initial SID 'node')
#
# address mask context
#
# The first matching entry is used.
#
127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t

# NFS servers (default = initial SID 'nfs')
#
# address mask fs_context file_context
# 
# The first matching entry is used.
#
10.33.1.2 255.255.255.255 system_u:object_r:nfs_t system_u:object_r:nfs_t

# FLASK

net_contexts

[Alexis Wagner]

Hi,

 From what I have understood, every configuration files are concatenated 
when we compiled the policy.

So, if for some reasons, i want to define net_contexts related elements 
in another file, will it be ok ?

Thank you,

Alexis Wagner




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: net_contexts

[Russell Coker]

On Mon, 9 Aug 2004 10:48, Alexis Wagner <venon@fugusec.net> wrote:
>  From what I have understood, every configuration files are concatenated
> when we compiled the policy.

Yes.

> So, if for some reasons, i want to define net_contexts related elements
> in another file, will it be ok ?

No.  Some parts of the file are order sensitive, net_contexts is one of them.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: net_contexts

[Park Lee]

[-- Attachment #1: Type: text/plain, Size: 296 bytes --]

Mon, 9 Aug 2004 18:09.  Russell Coker wrote:
 
>Some parts of the file are order sensitive, net_contexts is one of them.
 
Then, would you please tell us what others are?
Thanks.
 
Park Lee
 

		
---------------------------------
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.

[-- Attachment #2: Type: text/html, Size: 526 bytes --]

Re: net_contexts

[Stephen Smalley]

On Thu, 2004-08-12 at 12:49, Park Lee wrote:
> Mon, 9 Aug 2004 18:09.  Russell Coker wrote:
>  
> >Some parts of the file are order sensitive, net_contexts is one of
> them.
>  
> Then, would you please tell us what others are?

The language grammar is defined in checkpolicy/policy_parse.y, and
documented in the Configuring the SELinux Policy report (although it is
not entirely up to date).  It doesn't allow for mixing other elements of
the language (like context specifications) with the TE and RBAC
statements.  Note that the context specifications come after all
components of a context have been defined (i.e. all types, roles, and
users have been declared).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.