Re: [PATCH] IPsec SPD default security context (Re: security context for SPD entries of labeled IPsec)

[KaiGai Kohei <kaigai@ak.jp.nec.com>]

Christopher J. PeBenito wrote:
> On Thu, 2007-11-15 at 01:36 +0900, KaiGai Kohei wrote:
>> Christopher J. PeBenito wrote:
>>> On Tue, 2007-11-13 at 00:36 +0900, KaiGai Kohei wrote:
>>>> Did you notice that a patch was attached in my previous posting?
>>>> Because I put a description about this patch on the bottom of the message,
>>>> it might be easy to overlook it.
>>>>
>>>> Could you review it? It is desirable for me to enable to communicate
>>>> between different domains via labeled ipsec.
>>> I committed an alternate version,
>>>
>>> http://oss.tresys.com/projects/refpolicy/changeset/2499
>>> http://oss.tresys.com/projects/refpolicy/changeset/2500
>>>
>> Thanks to apply them,
>>
>> However, it does not contain any permissions which allows
>> users and daemons domain to communicate via labeled ipsec.
>>
>> In my patch, these permissions were allowed at system/init.if
>> and system/userdomain.if. Do you consider these permissions
>> should not be allowed implicitly inside these interfaces?
>>
>> Currently, it is not enough for SE-PostgreSQL to communicate
>> peers using a SPD with default security context.
>> They are requiring a bit more permissions.
> 
> I reject the blanket permissions that you had in your previous patch.

OK, I can agree.

I also suggest two minor improvement toward these updates.

1. Is it considerable to add "allow $1 self : association { sendto };"
   at ipsec_match_default_spd interface of ipsec.if?

   I think it should be packed with polmatch permission to the default
   SPD context, because any domain which want to communicate others using
   SPD with default context always have to have 'sendto' permission to
   itself.

2. Is it considerable to add "ipsec_match_default_spd($1_t)"
   in the userdom_basic_networking_template of userdomain.if?

   This interface allows a given userdomain widespread basic networking
   permissions. But it is not enough yet, if the networking tunnel
   is configured with labeled ipsec.
   I think it can be contained in the basic networking permissions
   to use ipsec SPD with default context.

> I'll consider a patch that adds it to a postresql interface.  Perhaps
> postgresql_tcp_connect should be un-deprecated.

I think similar interfaces are necessary for any other daemon-domain which
provides networking-services, even if they don't use getpeercon().

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.