Re: [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context)

[Kohei KaiGai <kaigai@ak.jp.nec.com>]

Christopher J. PeBenito wrote:
> On Tue, 2008-02-19 at 16:09 +0900, Kohei KaiGai wrote:
>>>>> Merged [1], but I made some changes.  I created corenetwork interfaces
>>>>> to use instead of the patterns, so the current MLS-only netlabel case
>>>>> can be handled too.  I also updated the domain module to use the
>>>>> interfaces.
>>>>>
>>>>> The thing that makes me a little nervous, which I didn't realize at
>>>>> first, is if you use non-labeled networking, the peer policy will still
>>>>> be needed, since the corenet connect/sendrecv calls are abstracted into
>>>>> the interface.  Consider the non-labeled case for apache.  The
>>>>> httpd_can_network_connect_db tunable won't work for postgresql, if the
>>>>> postgresql module isn't in the apache server's policy.  Whats worse is,
>>>>> to make it work, you need to bring in the entire postgresql policy, even
>>>>> though you only need one type, and only need the recvfrom rules.
>>>>>
>>>>> [1] http://oss.tresys.com/projects/refpolicy/changeset/2531
>> Chris, what is the current status of my patch submitted previously?
>>
>> You pointed out that undeprecating postgresql_tcp_connect() to allow
>> permissions for labeled and traditional networks can make unneeded
>> dependency.
>>
>> The attached patch reverts postgresql_tcp_connect() and related part,
>> and puts corenet_tcp_recvfrom_labeled() and ipsec_match_default_spd()
>> within optional_policy block, if necessary.
>> It enables any userdomain to communicate PostgreSQL/MySQL/SSHd via
>> labeled networking, at first.
>> However, I believe we can apply this method for other domains also.
> 
> The use of types outside their modules is not acceptable, for example:
> 
> +               corenet_tcp_recvfrom_labeled(httpd_t,postgresql_t)

Is it acceptable one, if we provide an interface to allow a domain
to communicate postgresql_t via labeled networking, separated from
existing permissions for local ports and nodes?

For example:
-- at postgresql.if
interface(`postgresql_labeled_connect',`
	gen_require(`
		type postgresql_t;
	')
	corenet_tcp_recvfrom_labeled($1,postgresql_t)
')

and
-- at apache.te
postgresql_labeled_connect(httpd_t)

I think this approach enables to keep independency between modules
in unlabeled networking cases too.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.