From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: selinux@tycho.nsa.gov, paul.moore@hp.com, DGoeddel@TrustedCS.com,
	vyekkirala@TrustedCS.com
Subject: Re: [PATCH] IPsec SPD default security context
Date: Wed, 21 Nov 2007 13:26:53 +0900	[thread overview]
Message-ID: <4743B38D.3070803@ak.jp.nec.com> (raw)
In-Reply-To: <1195583693.16660.49.camel@gorn>

[-- Attachment #1: Type: text/plain, Size: 1744 bytes --]

Hi,

The attached patch provides the following features:
 - Two new policy patterns "labeled_(tcp|udp)_pattern" are added
 - The postgresql_tcp_connect interface is revised to allow a domain
   to communicate with postgresql_t.
 - postgresql_t can communicate others via default SPD.
 - An obvious permission of "$1 self association:{sendto}" is allowed
   to any domain using ipsec_spd_t.
 - Any user-domain using core-networks can communicate others via
   default SPD.
 - Any user-domain can communicate postgresql_t via labeled networks.

>>> 	# compat labeled ipsec rule
>>> 	allow $1 self:association sendto;
>>>
>>> and then even the labeled networking part could be put into a policy
>>> pattern.
>> What does it means policy pattern?
> 
> Its a support macro.  See support/file_patterns.spt for file access
> patterns.

I see.
The attached patch provides "labeled_(tcp|udp)_pattern".

>> It's a bit unclear for me whether you intend to make a new template
>> interface like the one defined at kernel/corenetwork.if.m4, or make
>> a new interface for each daemon domains.
> 
> Each of the daemons would need it.

The attached patch revises the postgresql_tcp_connect interface
as the first one of them.

>> Is it same for the unconfined_domain_type? They can receive messages from
>> any domain, but the peer domain without unconfined_domain_type cannot receive
>> messages from unconfined_domain_type.
> 
> Good question.  I'm not sure.

There is an idea that a new boolean enables to turn on/off whether any domain
can accept labeled packets come from unconfined domain, or not.
Therefore, the attached patch does not touch the unconfined domain.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: refpolicy-labeled-network.2.patch --]
[-- Type: text/x-patch, Size: 4390 bytes --]

Index: refpolicy/policy/modules/services/postgresql.if
===================================================================
--- refpolicy/policy/modules/services/postgresql.if	(revision 2530)
+++ refpolicy/policy/modules/services/postgresql.if	(working copy)
@@ -79,7 +79,7 @@
 
 ########################################
 ## <summary>
-##	Allow the specified domain to connect to postgresql with a tcp socket.  (Deprecated)
+##	Allow the specified domain to connect to postgresql with a tcp socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,7 +88,13 @@
 ## </param>
 #
 interface(`postgresql_tcp_connect',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	gen_require(`
+		type postgresql_t;
+	')
+	corenet_tcp_sendrecv_postgresql_port($1)
+	corenet_tcp_connect_postgresql_port($1)
+	corenet_sendrecv_postgresql_client_packets($1)
+	labeled_tcp_pattern($1,postgresql_t)
 ')
 
 ########################################
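Review bot: The interface summary (updated in the previous hunk) still describes only a plain TCP connection, while the new body also calls `labeled_tcp_pattern($1,postgresql_t)`, which grants association/tcp_socket recvfrom in both directions between $1 and postgresql_t. Callers of `postgresql_tcp_connect` should be told this; suggest extending the summary to `Allow the specified domain to connect to postgresql with a tcp socket, including over labeled networking (association/tcp_socket recvfrom in both directions with postgresql_t).` Since the interface previously only emitted a deprecation warning, any existing caller now silently gains these permissions, which is worth a sentence in the commit message.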
Index: refpolicy/policy/modules/services/apache.te
===================================================================
--- refpolicy/policy/modules/services/apache.te	(revision 2530)
+++ refpolicy/policy/modules/services/apache.te	(working copy)
@@ -369,14 +369,6 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
-tunable_policy(`httpd_can_network_connect_db',`
-	# allow httpd to connect to mysql/posgresql
-	corenet_tcp_connect_postgresql_port(httpd_t)
-	corenet_tcp_connect_mysqld_port(httpd_t)
-	corenet_sendrecv_postgresql_client_packets(httpd_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_t)
-')
-
 tunable_policy(`httpd_can_network_relay',`
 	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
@@ -457,8 +449,13 @@
 ')
 
 optional_policy(`
+	# Allow httpd to work with mysql
 	mysql_stream_connect(httpd_t)
 	mysql_rw_db_sockets(httpd_t)
+	tunable_policy(`httpd_can_network_connect_db',`
+		corenet_tcp_connect_mysqld_port(httpd_t)
+		corenet_sendrecv_mysqld_client_packets(httpd_t)
+	')
 ')
 
 optional_policy(`
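Review bot: Moving the `httpd_can_network_connect_db` rules inside `optional_policy(` for mysql changes when they apply: the mysqld port rules deleted in the previous hunk were granted whenever the boolean was on, whereas now they also require the mysql module to be loaded, so httpd_t on a host without that module (for example, connecting to a remote mysqld) loses the permission even with the boolean set. The same applies to the postgresql hunk that follows (lines 132-134), where the nesting is forced by postgresql_tcp_connect's gen_require of postgresql_t. If that module dependency is intended, say so in the block comment, e.g. `# Allow httpd to work with mysql (network connect requires the mysql module)`; otherwise keep the corenet_* mysqld calls at top level as before.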
@@ -476,6 +473,9 @@
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_t)
+	')
 ')
 
 optional_policy(`
Index: refpolicy/policy/modules/services/postgresql.te
===================================================================
--- refpolicy/policy/modules/services/postgresql.te	(revision 2530)
+++ refpolicy/policy/modules/services/postgresql.te	(working copy)
@@ -154,6 +154,10 @@
 ')
 
 optional_policy(`
+	ipsec_match_default_spd(postgresql_t)
+')
+
+optional_policy(`
 	kerberos_use(postgresql_t)
 ')
 
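Review bot: The new optional_policy block carries no comment saying why postgresql_t needs the default SPD, unlike the commented optional_policy blocks this same patch touches in apache.te; a one-liner such as `# communicate over labeled IPsec via the default SPD` would help the next reader. Note that this grants polmatch on ipsec_spd_t (and, after the ipsec.if hunk, self:association sendto) to postgresql_t unconditionally rather than behind a boolean; if labeled networking for postgresql is meant to be always on, the commit message should state that.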
Index: refpolicy/policy/modules/system/ipsec.if
===================================================================
--- refpolicy/policy/modules/system/ipsec.if	(revision 2530)
+++ refpolicy/policy/modules/system/ipsec.if	(working copy)
@@ -109,6 +109,7 @@
 	')
 
 	allow $1 ipsec_spd_t:association polmatch;
+	allow $1 self:association sendto;
 ')
 
 ########################################
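Review bot: `allow $1 self:association sendto;` is added to ipsec_match_default_spd, yet the same rule is also emitted by the new labeled_tcp_pattern/labeled_udp_pattern macros in the ipc_patterns.spt hunk, so a domain that uses both gets it twice — harmless to the policy compiler, but it blurs which interface is responsible for the sendto grant. Either drop it from the patterns and rely on this interface, or document the overlap here with `# sendto on the domain's own association; also granted by labeled_*_pattern`. The interface's summary (outside the hunk) presumably still speaks only of matching the default SPD and should mention the added sendto permission. The enclosing interface definition begins before this hunk.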
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy/policy/modules/system/userdomain.if	(revision 2530)
+++ refpolicy/policy/modules/system/userdomain.if	(working copy)
@@ -548,6 +548,8 @@
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
+
+	ipsec_match_default_spd($1_t)
 ')
 
 #######################################
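Review bot: `ipsec_match_default_spd($1_t)` at line 174 is called unconditionally, whereas the same call in postgresql.te (this patch) is wrapped in `optional_policy(`...')`; if the ipsec module is not guaranteed to be present in every build, this template will fail to link when it is absent, and the two call sites should at least be consistent. Suggest `optional_policy(` ipsec_match_default_spd($1_t) ')` here as well. The enclosing template begins before this hunk.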
@@ -840,6 +842,7 @@
 	optional_policy(`
 		tunable_policy(`allow_user_postgresql_connect',`
 			postgresql_stream_connect($1_t)
+			postgresql_tcp_connect($1_t)
 		')
 	')
 
Index: refpolicy/policy/support/ipc_patterns.spt
===================================================================
--- refpolicy/policy/support/ipc_patterns.spt	(revision 2530)
+++ refpolicy/policy/support/ipc_patterns.spt	(working copy)
@@ -12,3 +12,18 @@
 	allow $1 $3:sock_file { getattr write };
 	allow $1 $4:unix_dgram_socket sendto;
 ')
+
+#
+# labeled networking patterns
+#
+define(`labeled_tcp_pattern',`
+	allow $1 $2:{association tcp_socket} recvfrom;
+	allow $2 $1:{association tcp_socket} recvfrom;
+	allow $1 self:association sendto;
+')
+
+define(`labeled_udp_pattern',`
+	allow $1 $2:{association udp_socket} recvfrom;
+	allow $2 $1:{association udp_socket} recvfrom;
+	allow $1 self:association sendto;
+')
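Review bot: The patterns grant association/tcp_socket (or udp_socket) recvfrom symmetrically between $1 and $2 but `self:association sendto` only to $1; if $2 also transmits over a labeled SA, as postgresql_t does here, it needs the same sendto on its own label, which this patch supplies separately via ipsec_match_default_spd in postgresql.te. Either add `allow $2 self:association sendto;` to both macros so the pattern is self-contained, or state that expectation in the header comment. The macros also carry no description of their parameters; a line such as `# labeled_tcp_pattern(client_domain, server_domain): allow both domains to exchange labeled IPsec TCP traffic` above each define would make the client/server roles explicit. Placing network patterns in ipc_patterns.spt is at odds with the file's name; a dedicated patterns file (e.g. a new network_patterns.spt) may be a better home.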

