From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: cpebenito@tresys.com
Cc: selinux@tycho.nsa.gov
Subject: Re: security context for SPD entries of labeled IPsec
Date: Tue, 06 Nov 2007 19:00:18 +0900 [thread overview]
Message-ID: <47303B32.1070001@ak.jp.nec.com> (raw)
In-Reply-To: <472FE68D.4030404@ak.jp.nec.com>
KaiGai Kohei wrote:
> We have to set up several SPD entries with a security context
> to apply labeled IPsec, like as:
>
> spdadd 192.168.1.10 192.168.1.20 any
> -ctx 1 1 "system_u:object_r:unconfined_t:s0"
> -P in ipsec esp/transport//require;
>
> What is the most appropriate context to be specified?
> Or, is the security policy to be modified?
>
> In the current reference policy, several domain have permissions
> of association class for 'self' or 'unlabeled_t'.
> However, it can cause a matter when 'unconfined_t' processes tries
> to connect 'postgresql_t' process running on another host via labeled
> IPsec, for instance.
>
> We can add additional permissions to avoid the matter, as follows:
> allow postgresql_t unconfined_t : association { ... };
>
> But IMO it makes a bit confusable to apply process's domain as
> a type of SPD entries, like unconfined_t and so on.
>
> I prefer the following description to separate subject and object.
> allow postgresql_t postgresql_spd_t : association { ... };
> allow unconfined_t postgresql_spd_t : association { ... };
In policy/modules/system/ipsec.te, ipsec_spd_t is defined as a default
type for IPSEC SPD entries, as follows:
# Default type for IPSEC SPD entries
type ipsec_spd_t;
:
allow racoon_t ipsec_spd_t:association setcontext;
:
allow setkey_t ipsec_spd_t:association setcontext;
:
However, setkey_t and racoon_t are the all which have any permission
on ipsec_spd_t.
Is it more preferable than applying a domain as a type of SPD entries?
Thanks,
> Is there any reason why SPD entries have same type with domains?
>
> Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-11-06 9:58 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-06 3:59 security context for SPD entries of labeled IPsec KaiGai Kohei
2007-11-06 10:00 ` KaiGai Kohei [this message]
2007-11-06 18:14 ` Joy Latten
2007-11-07 4:42 ` KaiGai Kohei
-- strict thread matches above, loose matches on Subject: below --
2007-11-06 17:37 Venkat Yekkirala
2007-11-07 2:47 ` KaiGai Kohei
2007-11-06 17:56 Venkat Yekkirala
2007-11-07 16:07 Venkat Yekkirala
2007-11-08 14:22 ` KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47303B32.1070001@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=cpebenito@tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.