From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: casey@schaufler-ca.com
Cc: "Christopher J. PeBenito" <cpebenito@tresys.com>,
Joshua Brindle <jbrindle@tresys.com>,
SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: [PATCH 0/6] netfilter integration
Date: Thu, 27 Jul 2006 12:10:40 -0400
Message-ID: <44C8E580.2090105@mentalrootkit.com>
In-Reply-To: <20060727154701.12183.qmail@web36606.mail.mud.yahoo.com>
Casey Schaufler wrote:
> --- "Christopher J. PeBenito" <cpebenito@tresys.com>
> wrote:
>
>
>
>>> Now, as far as inter-module priorities go, numbers just don't make sense.
>>>
>> So after further discussion internally, we were thinking that there are
>> likely not going to be intermodule dependencies.
>>
>
> I don't believe that for a minute.
>
>
The current policies suggest otherwise - use the new semodule_deps tool
if you don't believe me.
>> Oracle netfilter contexts aren't going to conflict with apache's.
>> Modules are going to want to override the contexts in the base module.
>>
>
> Oracle may not conflict with apache, but what
> about MySQL or, heaven forbid, earlier versions
> of Oracle? You can bet on independent developers
> in the same problem space developing conflicting
> protection schemes.
>
>
Local overrides allow an administrator to choose when there are conflicts.
What's the alternative?
>> So we were thinking that we should do something similar to how other
>> parts of the policy are managed, with having base rules, module rules,
>> local rules, pre, and post rules. The pre and post rules would be
>> special rules that have to come at the beginning or end of the
>> netfilter_contexts file (see the 1's and 9's in my original 0/6 email).
>> Then base would be low priority, module would be middle priority, and
>> local would be high priority. Modules that are packaged with an app
>> should have the module priority.
>>
>
> There will be conflicts. You need a scheme
> for dealing with two modules at the same
> "priority" with different rules.
>
>
One set of rules will win based on ordering. Unfortunately there is no
good way for the toolchain to make a choice here and allowing the
administrator to override both modules seems like the best alternative
to me.
Karl
>
>
> Casey Schaufler
> casey@schaufler-ca.com
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
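The layering scheme argued over in this thread (pre and post rules pinned to the ends of netfilter_contexts, base below module below local, and ordering deciding between two modules that disagree at the same tier) is small enough to model directly. The script below is an added example, not code from the thread, the patch series or the refpolicy tree. The rule format it uses, a (chain, protocol, port) key mapped to an SELinux context, is a constructed stand-in because the real netfilter_contexts syntax from the 0/6 series is not shown on this page; the contexts and module names in the sample fragments are placeholders. What it shows is the point Karl makes: when two modules of equal priority set a different context for the same key, load order picks a winner and the only clean fix is a higher-priority local rule, so the merge reports every such case for the administrator.

```python
"""Added example, not from the thread or from refpolicy.

Models the layered netfilter_contexts scheme under discussion: pre and post
rules pinned to the start/end of the file, base < module < local precedence
in between, later load order winning ties at the same tier.  The rule format
((chain, proto, port) -> context) is a constructed stand-in.
"""

# Tiers that compete to override each other, lowest precedence first.  "pre"
# and "post" are positional (start/end of file), not priorities, so they are
# kept out of the override comparison.
OVERRIDE_RANK = {"base": 1, "module": 2, "local": 3}


def merge(fragments):
    """fragments: list of (source, tier, rules) in load order; each rule is
    ((chain, proto, port), context).

    Returns (merged, conflicts, pinned):
      merged    - dict key -> (context, source) after resolution
      conflicts - list of (key, [(source, context), ...]) for keys where two
                  or more sources at the winning tier disagree, i.e. where
                  only load order decided and a local override is wanted
      pinned    - {"pre": [...], "post": [...]} rules kept at the file ends
    """
    pinned = {"pre": [], "post": []}
    candidates = {}
    for load_idx, (source, tier, rules) in enumerate(fragments):
        for key, ctx in rules:
            if tier in pinned:
                pinned[tier].append((key, ctx, source))
                continue
            candidates.setdefault(key, []).append(
                (OVERRIDE_RANK[tier], load_idx, source, ctx))

    merged = {}
    conflicts = []
    for key, entries in candidates.items():
        top = max(rank for rank, _, _, _ in entries)
        at_top = [e for e in entries if e[0] == top]
        if len({ctx for _, _, _, ctx in at_top}) > 1:
            # Same tier, different rules: nothing in the toolchain can pick
            # a "right" answer, so flag it for the administrator.
            conflicts.append((key, [(src, ctx) for _, _, src, ctx in at_top]))
        # Ordering decides: the fragment loaded last wins.
        _, _, src, ctx = max(at_top, key=lambda e: e[1])
        merged[key] = (ctx, src)
    return merged, conflicts, pinned


def fmt(key, ctx, src):
    chain, proto, port = key
    return f"{chain} {proto} {port} {ctx}  # from {src}"


def render(merged, pinned):
    """Emit the resolved file: pre rules first, post rules last."""
    lines = [fmt(key, ctx, src) for key, ctx, src in pinned["pre"]]
    lines += [fmt(key, ctx, src) for key, (ctx, src) in merged.items()]
    lines += [fmt(key, ctx, src) for key, ctx, src in pinned["post"]]
    return lines


# Constructed sample fragments in load order; contexts are placeholders.
# apache overrides base on port 80; oracle and mysql clash on 1521 and 3306;
# a local rule settles 3306 but nobody has settled 1521.
FRAGMENTS = [
    ("pre-rules", "pre",    [(("INPUT", "lo", "*"),   "system_u:object_r:lo_pkt_t:s0")]),
    ("base",      "base",   [(("INPUT", "tcp", 22),   "system_u:object_r:ssh_pkt_t:s0"),
                             (("INPUT", "tcp", 80),   "system_u:object_r:web_pkt_t:s0")]),
    ("apache",    "module", [(("INPUT", "tcp", 80),   "system_u:object_r:httpd_pkt_t:s0")]),
    ("oracle",    "module", [(("INPUT", "tcp", 1521), "system_u:object_r:oracle_pkt_t:s0"),
                             (("INPUT", "tcp", 3306), "system_u:object_r:oracle_pkt_t:s0")]),
    ("mysql",     "module", [(("INPUT", "tcp", 1521), "system_u:object_r:mysqld_pkt_t:s0"),
                             (("INPUT", "tcp", 3306), "system_u:object_r:mysqld_pkt_t:s0")]),
    ("local",     "local",  [(("INPUT", "tcp", 3306), "system_u:object_r:mysqld_pkt_t:s0")]),
    ("post-rules", "post",  [(("INPUT", "*", "*"),    "system_u:object_r:default_pkt_t:s0")]),
]

if __name__ == "__main__":
    merged, conflicts, pinned = merge(FRAGMENTS)
    for line in render(merged, pinned):
        print(line)
    for key, sides in conflicts:
        print(f"WARNING: {key} set differently by {sides}; "
              f"load order decided, add a local rule to settle it")
```

Run as a script it prints the merged file with the pre rule first and the post rule last, and one warning for port 1521, where the oracle and mysql modules disagree and mysql only won because it loaded later; port 3306 produces no warning because the local rule outranks both.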
Thread overview:
2006-07-17 20:32 [PATCH 0/6] netfilter integration Christopher J. PeBenito
2006-07-17 22:34 ` Casey Schaufler
2006-07-18 0:18 ` Joshua Brindle
2006-07-18 4:03 ` Casey Schaufler
2006-07-18 15:00 ` Karl MacMillan
2006-07-25 15:36 ` Christopher J. PeBenito
2006-07-25 19:02 ` Casey Schaufler
2006-07-26 14:23 ` Christopher J. PeBenito
2006-07-26 20:43 ` Karl MacMillan
2006-07-27 15:47 ` Casey Schaufler
2006-07-27 16:10 ` Karl MacMillan [this message]