* NetLabel base SID
@ 2006-09-20 15:03 Paul Moore
From: Paul Moore @ 2006-09-20 15:03 UTC (permalink / raw)
To: Stephen Smalley, James Morris, SELinux; +Cc: Venkat Yekkirala
As discussed earlier I am going to be submitting a patch which converts
the NetLabel receive permission from "recv_msg" to "recvfrom". I've
also been thinking about a discussion I've had with Venkat about what to
use as the NetLabel "base" SID in this particular case (this is ignoring
the secid reconciliation work right now as I think we need to have a
good solution in place until the secid work is completed).
Currently NetLabel uses the socket's SID which is convenient but may
make it difficult to distinguish NetLabel traffic in policy. Venkat
suggested using the SECINITSID_UNLABELED as a base but I don't like that
approach because of the unlabeled connotation. I believe Stephen
suggested at some point using SECINITSID_NETMSG as the base (Stephen, my
apologies for not doing this sooner, I didn't fully understand at the
time) - any objections?
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: NetLabel base SID
@ 2006-09-20 20:56 ` Stephen Smalley
From: Stephen Smalley @ 2006-09-20 20:56 UTC (permalink / raw)
To: Paul Moore; +Cc: James Morris, SELinux, Venkat Yekkirala
On Wed, 2006-09-20 at 11:03 -0400, Paul Moore wrote:
> As discussed earlier I am going to be submitting a patch which converts
> the NetLabel receive permission from "recv_msg" to "recvfrom". I've
> also been thinking about a discussion I've had with Venkat about what to
> use as the NetLabel "base" SID in this particular case (this is ignoring
> the secid reconciliation work right now as I think we need to have a
> good solution in place until the secid work is completed).
>
> Currently NetLabel uses the socket's SID which is convenient but may
> make it difficult to distinguish NetLabel traffic in policy. Venkat
> suggested using the SECINITSID_UNLABELED as a base but I don't like that
> approach because of the unlabeled connotation. I believe Stephen
> suggested at some point using SECINITSID_NETMSG as the base (Stephen, my
> apologies for not doing this sooner, I didn't fully understand at the
> time) - any objections?
Fine with me.
Note that the kernel will ignore changes to initial SID contexts upon a
policy reload, so that change in policy won't take effect anyway until
the kernel is rebooted.
--
Stephen Smalley
National Security Agency