From: Kohei KaiGai <kaigai@ak.jp.nec.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: selinux@tycho.nsa.gov, paul.moore@hp.com, DGoeddel@TrustedCS.com,
vyekkirala@TrustedCS.com
Subject: Re: [PATCH] IPsec SPD default security context
Date: Wed, 23 Jan 2008 12:00:57 +0900 [thread overview]
Message-ID: <4796ADE9.8000608@ak.jp.nec.com> (raw)
In-Reply-To: <474EA68E.9010108@ak.jp.nec.com>
[-- Attachment #1: Type: text/plain, Size: 2434 bytes --]
Sorry for a long silence.
I want to resume the discussion again.
>> Merged [1], but I made some changes. I created corenetwork interfaces
>> to use instead of the patterns, so the current MLS-only netlabel case
>> can be handled too. I also updated the domain module to use the
>> interfaces.
>>
>> The thing that makes me a little nervous, which I didn't realize at
>> first, is if you use non-labeled networking, the peer policy will still
>> be needed, since the corenet connect/sendrecv calls are abstracted into
>> the interface. Consider the non-labeled case for apache. The
>> httpd_can_network_connect_db tunable won't work for postgresql, if the
>> postgresql module isn't in the apache server's policy. Whats worse is,
>> to make it work, you need to bring in the entire postgresql policy, even
>> though you only need one type, and only need the recvfrom rules.
>>
>> [1] http://oss.tresys.com/projects/refpolicy/changeset/2531
>
> I've considered to resolve the matter for a while, but I could not get
> any good idea. I think the most appropriate way is to separate corenet
> part from labeled networking part again, and to put corenet sendrecv
> pattern and an interface optionally to communicate via labeled networking.
>
> I also considered a method to utilize the second argument of the
> "optional_policy" macro, but it seemed to me a bit ugly more.
>
> How do you think the idea to revert apache.te and create a new interface
> to communicate via labeled networking only?
The attached patch revert the previous changes in postgresql.if, apache.te.
postgresql_tcp_connect() got deprecated again, and we separate the permissions
for unlabeled network and one for labeled networking.
The permissions for unlabeled network are allowed with previous way.
Ones for labeled network are allowed using corenet_tcp_recvfrom_labeled()
macro within optional_policy, because it requires the definition of peer's
domain.
In addition, ipsec_match_default_spd() is put on all domains which have
possibility to attend labeled network communication.
We can apply same process from any othe domain's policy, as follows:
1. add ipsec_match_default_spd() within definitions of domain which can
attend lebeled network.
2. add corenet_(all|tcp|udp|raw)_recvfrom_labeled() within definitions
of client domain.
What is your opinion?
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: refpolicy-use-corenet-for-ipsec.patch --]
[-- Type: text/x-patch, Size: 3613 bytes --]
Index: refpolicy/policy/modules/services/postgresql.if
===================================================================
--- refpolicy/policy/modules/services/postgresql.if (revision 2582)
+++ refpolicy/policy/modules/services/postgresql.if (working copy)
@@ -79,7 +79,7 @@
########################################
## <summary>
-## Allow the specified domain to connect to postgresql with a tcp socket.
+## Allow the specified domain to connect to postgresql with a tcp socket. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -88,14 +88,7 @@
## </param>
#
interface(`postgresql_tcp_connect',`
- gen_require(`
- type postgresql_t;
- ')
-
- corenet_tcp_recvfrom_labeled($1,postgresql_t)
- corenet_tcp_sendrecv_postgresql_port($1)
- corenet_tcp_connect_postgresql_port($1)
- corenet_sendrecv_postgresql_client_packets($1)
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
Index: refpolicy/policy/modules/services/apache.te
===================================================================
--- refpolicy/policy/modules/services/apache.te (revision 2582)
+++ refpolicy/policy/modules/services/apache.te (working copy)
@@ -370,6 +370,14 @@
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ # allow httpd to connect to mysql/posgresql
+ corenet_tcp_connect_postgresql_port(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_postgresql_client_packets(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
@@ -437,6 +445,10 @@
')
optional_policy(`
+ ipsec_match_default_spd(httpd_t)
+')
+
+optional_policy(`
kerberos_use(httpd_t)
kerberos_read_kdc_config(httpd_t)
')
@@ -455,8 +467,7 @@
mysql_rw_db_sockets(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
- corenet_tcp_connect_mysqld_port(httpd_t)
- corenet_sendrecv_mysqld_client_packets(httpd_t)
+ corenet_tcp_recvfrom_labeled(httpd_t,mysqld_t)
')
')
@@ -477,7 +488,7 @@
postgresql_stream_connect(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
+ corenet_tcp_recvfrom_labeled(httpd_t,postgresql_t)
')
')
Index: refpolicy/policy/modules/services/apache.if
===================================================================
--- refpolicy/policy/modules/services/apache.if (revision 2582)
+++ refpolicy/policy/modules/services/apache.if (working copy)
@@ -196,6 +196,11 @@
sysnet_read_config(httpd_$1_script_t)
')
+ optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ corenet_tcp_recvfrom_labeled(httpd_$1_script_t,postgresql_t)
+ ')
+ ')
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
@@ -214,6 +219,9 @@
sysnet_read_config(httpd_$1_script_t)
')
+ optional_policy(`
+ ipsec_match_default_spd(httpd_$1_script_t)
+ ')
optional_policy(`
mta_send_mail(httpd_$1_script_t)
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy/policy/modules/system/userdomain.if (revision 2582)
+++ refpolicy/policy/modules/system/userdomain.if (working copy)
@@ -844,7 +844,7 @@
optional_policy(`
tunable_policy(`allow_user_postgresql_connect',`
postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
+ corenet_tcp_recvfrom_labeled($1_t,postgresql_t)
')
')
next prev parent reply other threads:[~2008-01-23 3:01 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-07 16:07 security context for SPD entries of labeled IPsec Venkat Yekkirala
2007-11-08 14:22 ` KaiGai Kohei
[not found] ` <473872F8.7000208@ak.jp.nec.com>
[not found] ` <1195055160.13737.33.camel@gorn.columbia.tresys.com>
[not found] ` <473B23F9.4080506@ak.jp.nec.com>
[not found] ` <1195064402.13737.42.camel@gorn.columbia.tresys.com>
2007-11-15 2:51 ` [PATCH] IPsec SPD default security context (Re: security context for SPD entries of labeled IPsec) KaiGai Kohei
2007-11-15 14:26 ` Christopher J. PeBenito
2007-11-15 16:05 ` Paul Moore
2007-11-19 2:21 ` KaiGai Kohei
2007-11-19 18:48 ` Christopher J. PeBenito
2007-11-20 9:14 ` [PATCH] IPsec SPD default security context KaiGai Kohei
2007-11-20 18:34 ` Christopher J. PeBenito
2007-11-21 4:26 ` KaiGai Kohei
2007-11-26 16:38 ` Christopher J. PeBenito
2007-11-29 11:46 ` KaiGai Kohei
2008-01-23 3:00 ` Kohei KaiGai [this message]
2008-02-19 7:09 ` [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context) Kohei KaiGai
2008-02-19 13:35 ` Christopher J. PeBenito
2008-02-20 0:59 ` Kohei KaiGai
2008-02-20 3:37 ` Paul Moore
2008-02-20 5:11 ` Kohei KaiGai
2008-02-20 14:18 ` Paul Moore
2008-02-25 16:13 ` Christopher J. PeBenito
2008-02-25 16:12 ` Christopher J. PeBenito
2008-02-26 2:03 ` Kohei KaiGai
2008-06-24 9:10 ` KaiGai Kohei
2008-06-25 5:59 ` [PATCH] Communication between domains under labeled networks KaiGai Kohei
2008-07-18 13:41 ` Christopher J. PeBenito
2008-07-22 10:49 ` KaiGai Kohei
2008-07-25 4:10 ` Chris PeBenito
2008-08-15 8:48 ` KaiGai Kohei
2008-09-11 13:31 ` [refpolicy] " Christopher J. PeBenito
2008-07-18 13:34 ` [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context) Christopher J. PeBenito
2007-12-13 14:00 ` [PATCH] IPsec SPD default security context (Re: security context for SPD entries of labeled IPsec) Ted X Toth
2007-12-13 14:14 ` Christopher J. PeBenito
2007-12-13 14:58 ` Xavier Toth
2007-12-14 19:20 ` Christopher J. PeBenito
2007-12-15 21:10 ` Xavier Toth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4796ADE9.8000608@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=DGoeddel@TrustedCS.com \
--cc=cpebenito@tresys.com \
--cc=paul.moore@hp.com \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.