From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Joshua Brindle <jbrindle@tresys.com>,
	Karl MacMillan <kmacmillan@mentalrootkit.com>,
	SE Linux <selinux@tycho.nsa.gov>
Subject: Re: ipsec, netlabels, secmark- How about a little usability?
Date: Fri, 15 Sep 2006 11:36:53 -0400
Message-ID: <450AC895.3060905@redhat.com>
In-Reply-To: <1158245034.25629.65.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Thu, 2006-09-14 at 09:50 -0400, Joshua Brindle wrote:
>   
>>> 1.  By default httpd has to be able to talk to itself in order to do 
>>> graceful shutdown,
>>> service httpd graceful.
>>>
>>> So I end up adding a rule allowing httpd to name_connect to the 
>>> httpd_port_t.    But I really only want to allow this for localhost.  
>>> I.e. I don't want to allow my httpd to name_connect to other machines' 
>>> httpd ports.  I can't do this now.
>>>
>>>       
>> you can with secmark can't you?
>> iptables -t mangle -I INPUT -i lo -p tcp -s localhost -d localhost --dport 80 -j SECMARK 
>> --selctx system_u:object_r:httpd_client_packet_t
>>     
>
> IIUC, the mechanism is there, but the necessary integration is not.  How
> do we intend to manage local secmark rules, via semanage as with
> port/node/netif contexts or via iptables?  How does one express this
> kind of goal in refpolicy itself, going beyond just the support for auto
> generation of dport-based rules?  Where do we stand on iptables
> integration?
>
>   
I still think this is not fully thought out. We have a lot of booleans 
that this stuff will blow out of the water.  setsebool -A 
allow_ypbind=1  for example,  httpd_can_connect_any ...  Are these 
things going to have to replace iptables rules when they get set?  I 
find the whole thing unmanageable and I think we are going to see 
performance problems when we start adding hundreds (thousands) of rules 
to iptables.

I believe we need an integrated solution that can set up full networking 
support, in which I state that
Domain X on Host Y can talk to Domain A on Host B.  This needs to be 
able to set up the proper network requirements to make this happen.  If 
this is a combination of secmark rules and netlabel/ipsec, that is 
fine.  But I don't expect many admins to be able to set this up on 
their own.
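The localhost-only labeling Joshua sketches above, carried through as an added example that is not from the thread or from refpolicy: the mangle-table SECMARK/CONNSECMARK rules for the loopback port-80 connection, the policy rule those labels are checked against, and a check for the chain/interface mismatch that makes iptables reject such rules. The chain layout, the module name httpd_local_secmark and the s0 level suffix are assumptions; the type names are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: label only loopback port-80 traffic so
# httpd_t can be granted packet send/recv on httpd_client_packet_t for the
# "service httpd graceful" self-connection, while port 80 on remote hosts
# stays unlabeled. Chain layout and module name are this example's assumptions.
CTX="system_u:object_r:httpd_client_packet_t:s0"

# Mangle-table rules as an iptables-restore fragment. SECMARK only labels
# the packet that matched it, so CONNSECMARK --save/--restore carries the
# label to the rest of the connection.
secmark_rules() {
    cat <<EOF
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -o lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 80 -m state --state NEW -j SECMARK --selctx $CTX
-A OUTPUT -o lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 80 -m state --state NEW -j CONNSECMARK --save
-A INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 80 -m state --state NEW -j SECMARK --selctx $CTX
-A INPUT -i lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 80 -m state --state NEW -j CONNSECMARK --save
COMMIT
EOF
}

# Policy side: the packet permissions the SECMARK label is checked against.
# name_connect to httpd_port_t is a separate, port-based check that still
# has to be allowed; SECMARK adds a packet check, it does not replace it.
policy_rules() {
    cat <<'EOF'
policy_module(httpd_local_secmark, 1.0)
gen_require(`
    type httpd_t, httpd_client_packet_t;
')
allow httpd_t httpd_client_packet_t:packet { send recv };
EOF
}

# Sanity check for the mistake that makes the whole fragment fail to load:
# -i is not valid in OUTPUT and -o is not valid in INPUT.
check_rules() {
    secmark_rules | grep -q -- '^-A OUTPUT .* -i ' && return 1
    secmark_rules | grep -q -- '^-A INPUT .* -o ' && return 1
    return 0
}

# Remote port 80 stays unlabeled, so whether httpd_t may still reach it is
# decided by its unlabeled_t packet permissions; verify before relying on this:
#   sesearch -A -s httpd_t -t unlabeled_t -c packet
```

Loading is `secmark_rules | iptables-restore` as root, and the module is built from `policy_rules > httpd_local_secmark.te` with the refpolicy module Makefile; neither step is needed to run the checks.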

