Re: [PATCH RFC 0/2] stricter MLS policy constraints

[Paul Moore <paul.moore@hp.com>]

Klaus Weidner wrote:
> On Wed, Dec 13, 2006 at 03:50:59PM -0500, Paul Moore wrote:
> 
>>The bad news is that I realized we never added NetLabel receive permissions to
>>any of the application domains (try to telnet into a machine with NetLabel);
>>only the user domains have the NetLabel receive permissions.  As a result I
>>wasn't able to try any more elaborate tests without fixing the policy.  It will
>>probably take a little while to get a patch out to address this as there are a
>>lot of domains which need to be changed; that said I'm probably about a third of
>>the way through at this point.
>>
>>In case anyone is interested, the policy changes boil down to the following:
>>
>> ifdef(`enable_mls',`
>>        corenet_tcp_recv_netlabel(app_domain_t)
>>        corenet_udp_recv_netlabel(app_domain_t)
>> ')
> 
> 
> Have you considered adding those lines to the existing interfaces in
> policy/modules/kernel/corenetwork.if.in instead? For example, telnetd
> currently uses corenet_tcp_sendrecv_all_if(telnetd_t), and you could make
> that interface provide the needed netlabel rights also.

I did consider doing something similar but I figured sticking with the existing
refpolicy convention was the going to be the path of least resistance and in the
"userdom_basic_networking_template" code the corenet_* NetLabel permissions are
kept separate from the rest of the corenet_* permissions.  It makes more sense
conceptually too I think.

I added Chris to the CC line as he might be able to provide some thoughts on
what he would like to see.

> Do we need something equivalent for labeled IPSEC?

I would think so, but I believe Joy said she is working on that; however, the
policy for NetLabel and labeled IPsec is radically different so labeled IPsec
may have a different approach.

With NetLabel you only need a single allow rule for each domain wishing to
receive labeled network traffic:

 allow my_domain_t unlabeled_t:{ tcp_socket udp_socket } recvfrom;

With labeled IPsec it's a bit more involved.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.