From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, paul.moore@hp.com
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>, Joe Nall <joe@nall.com>,
SELinux Mail List <selinux@tycho.nsa.gov>,
ewalsh@tycho.nsa.gov
Subject: Re: generic fallbacks of getpeercon (Re: [redhat-lspp] Labeling an interface)
Date: Wed, 06 Jun 2007 12:12:13 +0900 [thread overview]
Message-ID: <4666260D.9060409@ak.jp.nec.com> (raw)
In-Reply-To: <1180966620.14220.57.camel@moss-spartans.epoch.ncsc.mil>
>> How do you think necessity for generic fall back behavior in the case when
>> getpeercon() failed?
>
> I think it would be useful. There was some discussion of it during the
> labeled networking discussions, but directly returning the secmark label
> or the netif/netmsg labels was viewed as problematic because they aren't
> peer/process contexts.
I agree the conclusion. Those labels don't represent domain's one.
But I think that using them an entrypoint of domain transition is
a considerable idea, like this:
type_transition postgresql_t untrusted_network_t : packet sepgsql_client_t;
type_transition ftpd_t untrusted_network_t : packet ftpd_client_t;
Is it different from Paul's idea, isn't it?
In my understanding, he intends to associate a domain's context directly with
network interfaces and/or network addresses.
If corrent, I have a question.
Is it possible to distinguish the fallback context for each server domain?
For example, when we want to label clients connected from unlabeled network
as 'sepgsql_unlabeled_client_t', how does the other server handle them?
>> The current version of SE-PostgreSQL adopts the simplest way to handle
>> a connection from a client without any network labeling. Its connection
>> will be closed soon.
>
> X has a more graceful fallback, per Eamon - it defines a
> nonlocal_context in its own config and uses that as the default if
> getpeercon fails.
It is possible to implement similar fallbacks in SE-PostgreSQL, of course.
But we should obtain fallback context sourced from security policy, if possible.
>> How is it implemented and described in the policy?
>> - Is it possible to use the security context of netif/address/port of inbound
>> connection as an entrypoint of domain transition?
>> Those may be configurable with SECMARK.
>
> You can already define a netif (and a netmsg) context in policy and
> manipulate them via semanage_iface(3) in userland. We don't presently
> have a way to convey the netif or netmsg context (or secmark label) to
> userland from the kernel. There was some discussion of a separate
> getdatacon(3) and equivalent for SCM_SECURITY to convey a "data context"
> separate from the "peer context", but that doesn't exist yet and would
> take some work in the kernel.
I believe that secmark label is the easiest to manage.
If we need the facility, I'll post a patch. :)
At first, I like to see the detail of Paul's idea.
Thanks,
> It wouldn't be difficult to modify libselinux getpeercon(3) and/or
> introduce a new higher level interface in libselinux that queries policy
> in some manner and obtains a default if the underlying kernel interface
> cannot provide a context.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-06-06 3:12 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <C32347D4-3E32-4741-B847-6826EED3BB7A@nall.com>
[not found] ` <1180631739.3340.309.camel@moss-spartans.epoch.ncsc.mil>
2007-06-02 17:46 ` generic fallbacks of getpeercon (Re: [redhat-lspp] Labeling an interface) KaiGai Kohei
2007-06-04 10:52 ` KaiGai Kohei
2007-06-04 14:17 ` Stephen Smalley
2007-06-04 19:28 ` Paul Moore
2007-06-06 3:12 ` KaiGai Kohei [this message]
2007-06-06 11:45 ` Paul Moore
2007-06-06 13:38 ` Venkat Yekkirala
2007-06-06 13:47 ` Paul Moore
2007-06-06 14:28 ` Stephen Smalley
2007-06-06 17:25 ` KaiGai Kohei
2007-06-06 17:34 ` Stephen Smalley
2007-06-06 17:52 ` KaiGai Kohei
2007-06-06 18:01 ` Stephen Smalley
2007-06-06 18:37 ` Venkat Yekkirala
2007-06-06 18:47 ` Stephen Smalley
2007-06-06 17:23 ` KaiGai Kohei
2007-06-06 17:42 ` Paul Moore
2007-06-06 18:32 ` Venkat Yekkirala
2007-06-06 19:37 ` Paul Moore
2007-06-06 20:31 ` Joshua Brindle
2007-06-06 20:48 ` Paul Moore
2007-06-06 21:19 ` Joshua Brindle
2007-06-06 21:34 ` Paul Moore
2007-06-06 21:39 ` Eamon Walsh
2007-06-07 6:55 ` KaiGai Kohei
2007-06-07 7:42 ` KaiGai Kohei
2007-06-07 11:51 ` Paul Moore
2007-06-07 14:10 ` KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4666260D.9060409@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=ewalsh@tycho.nsa.gov \
--cc=joe@nall.com \
--cc=kaigai@kaigai.gr.jp \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.