From: Darrel Goeddel <sedgoeddel@gmail.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: Paul Moore <paul.moore@hp.com>,
selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>,
Darrel Goeddel <DGoeddel@TrustedCS.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
kaigai@ak.jp.nec.com, joe@nall.com,
Eric Paris <eparis@parisplace.org>
Subject: Re: [RFC 0/5] Static/fallback external labels for NetLabel
Date: Tue, 28 Aug 2007 09:58:16 -0500 [thread overview]
Message-ID: <46D43808.4050008@gmail.com> (raw)
In-Reply-To: <D709A20F2164C84E8B7014B0301F5EF8521359@HAVOC.tcs-sec.com>
Venkat Yekkirala wrote:
<snip>
>> From: Paul Moore [mailto:paul.moore@hp.com]
>> Yes, but you're not really distinguishing between a ssh_t
>> peer and a http_t
>> peer, e.g. ssh -p 80, which is what troubles me about port
>> level granularity.
>> I sent another mail earlier which I believe described these
>> concerns a bit
>> better.
>
> I missed it earlier. We have been brainstorming on this among
> myself, Chad and Darrel and our current thinking (assuming I am
> putting it forward correctly) is that if one limits trust to the
> interface, it actually seems to make sense to allow defaults at
> just the interface level and further it seems to make sense to
> have the same level of granularity for both the fallback and the
> filtering case. At least for MLS, it seems enough to have the ability
> to define fallbacks as also perform filtering at just the interface level.
> The question to be debated is if for TE, we need granularity
> beyond the interface for fallbacks and flow-control.
We batted around a bunch of ideas and it almost always seemed that the
granularity of fallback labels should match the granularity of the flow
control checks. As Venkat stated, anything past the netif is really
extending turst on our part, whether it is for applying a fallback label
or performing an access check. If we apply fallbacks at the host level,
we should also allow flow control at the host level. It doesn't seem to
make sense that we would say "info from 1.2.3.4 is SECRET", but not be
able to "info going to 1.2.3.4 should be SECRET). I personally don't
see a current need to go past host for either, and even host *could* be
argued away in my eyes. That being said, I would never be opposed to
flexibility.
NOTE that I said almost in my first sentence... The only "opposing"
scenario that seemed intuitive to me was apply fallbacks using
network/netmask only and apply flow checks at interface only. An
example of operation would be:
netif access rules:
eth1 SECRET 10.0.1.0/24
eth2 TS 10.0.2.0/24
host fallback labels:
10.0.1.100/32 SYSHI
10.0.1.0/24 SECRET
10.0.2.0/24 TS
That CON host would obviously get denied coming in if it was not using
some on-the-wire labeling because it would be assigned a label of SYSHI,
which would be blocked at the netif flow check. I'm sure something is
wrong with the host label/netif access check idea, but I can't put my
finger on it... Too much trust in the IP address and routing?
Paul, why the netif/host combo in the original netlabel fallback patch?
Why not just hosts (or really network/netmask)? Can we make the
--
Darrel
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-08-28 14:58 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-27 22:09 [RFC 0/5] Static/fallback external labels for NetLabel Venkat Yekkirala
2007-08-28 14:51 ` Paul Moore
2007-08-28 14:58 ` Darrel Goeddel [this message]
2007-08-28 15:12 ` Darrel Goeddel
2007-08-28 15:51 ` Paul Moore
2007-08-28 16:18 ` Joe Nall
2007-08-28 18:51 ` Paul Moore
2007-08-28 19:10 ` Joe Nall
2007-08-28 19:08 ` Stephen Smalley
2007-08-28 19:48 ` Joshua Brindle
2007-08-28 22:26 ` Joe Nall
2007-08-29 0:16 ` Joshua Brindle
2007-08-29 3:45 ` Joshua Brindle
2007-08-29 4:11 ` Joshua Brindle
2007-08-29 4:49 ` Joe Nall
2007-08-29 14:04 ` Joshua Brindle
2007-08-29 15:50 ` Joe Nall
2007-08-29 16:31 ` Joshua Brindle
2007-08-29 12:21 ` Paul Moore
2007-08-29 14:26 ` Joshua Brindle
2007-08-29 14:56 ` Paul Moore
2007-08-29 15:08 ` Joshua Brindle
2007-08-29 16:55 ` Paul Moore
2007-08-28 17:23 ` Darrel Goeddel
2007-08-28 19:07 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2007-08-29 16:15 Venkat Yekkirala
2007-08-29 16:41 ` Paul Moore
2007-08-29 15:29 Venkat Yekkirala
2007-08-29 15:45 ` Stephen Smalley
2007-08-29 15:07 Venkat Yekkirala
2007-08-28 18:02 Venkat Yekkirala
2007-08-28 19:47 ` Paul Moore
2007-08-28 16:30 Venkat Yekkirala
2007-08-28 17:39 ` Darrel Goeddel
2007-08-28 19:36 ` Paul Moore
2007-08-28 19:26 ` Paul Moore
2007-08-28 16:13 Venkat Yekkirala
2007-08-28 16:32 ` Joe Nall
2007-08-28 19:08 ` Paul Moore
2007-08-27 13:02 Venkat Yekkirala
2007-08-27 13:48 ` Paul Moore
2007-08-27 12:59 Venkat Yekkirala
2007-08-27 12:57 Venkat Yekkirala
2007-08-27 12:44 Venkat Yekkirala
2007-08-27 14:37 ` Paul Moore
2007-08-24 18:11 Venkat Yekkirala
2007-08-24 17:37 Venkat Yekkirala
2007-08-25 21:01 ` Paul Moore
2007-08-07 14:14 Paul Moore
2007-08-09 10:57 ` KaiGai Kohei
2007-08-09 11:48 ` Paul Moore
2007-08-09 12:42 ` Stephen Smalley
2007-08-09 13:29 ` Paul Moore
2007-08-09 13:54 ` Stephen Smalley
2007-08-09 14:48 ` Paul Moore
2007-08-09 15:49 ` James Morris
2007-08-09 16:01 ` Stephen Smalley
2007-08-09 22:35 ` Paul Moore
2007-08-09 13:59 ` James Morris
2007-08-09 14:50 ` Paul Moore
2007-08-09 15:13 ` Stephen Smalley
2007-08-09 14:41 ` Darrel Goeddel
2007-08-09 14:57 ` Paul Moore
2007-08-09 15:07 ` Darrel Goeddel
2007-08-09 15:32 ` Casey Schaufler
2007-08-09 15:39 ` Stephen Smalley
2007-08-09 16:16 ` Casey Schaufler
2007-08-09 14:09 ` Darrel Goeddel
2007-08-09 14:24 ` James Morris
2007-08-09 16:42 ` Darrel Goeddel
2007-08-09 19:20 ` Joe Nall
2007-08-09 19:47 ` Darrel Goeddel
2007-08-09 20:12 ` Joe Nall
2007-08-09 21:15 ` Stephen Smalley
2007-08-09 21:18 ` Darrel Goeddel
2007-08-09 22:48 ` Paul Moore
2007-08-09 20:17 ` Paul Moore
2007-08-09 14:53 ` Paul Moore
2007-08-09 16:08 ` Darrel Goeddel
2007-08-09 22:55 ` Darrel Goeddel
2007-08-10 16:49 ` James Morris
2007-08-14 14:47 ` Darrel Goeddel
2007-08-15 4:24 ` James Morris
2007-08-15 22:35 ` Darrel Goeddel
2007-08-16 15:04 ` James Morris
2007-08-24 16:31 ` Paul Moore
2007-08-24 18:34 ` James Morris
2007-08-24 19:02 ` Casey Schaufler
2007-08-24 19:49 ` Paul Moore
2007-08-24 20:17 ` James Morris
2007-08-24 20:24 ` Paul Moore
2007-08-24 20:47 ` Joshua Brindle
2007-08-24 20:42 ` Casey Schaufler
2007-08-24 21:10 ` Paul Moore
2007-08-24 21:37 ` Casey Schaufler
2007-08-24 20:29 ` Joshua Brindle
2007-08-28 14:03 ` Darrel Goeddel
2007-08-28 15:16 ` Paul Moore
2007-08-09 15:48 ` Casey Schaufler
2007-08-09 19:38 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46D43808.4050008@gmail.com \
--to=sedgoeddel@gmail.com \
--cc=DGoeddel@TrustedCS.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=joe@nall.com \
--cc=kaigai@ak.jp.nec.com \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.