From: Kohei KaiGai <kaigai@ak.jp.nec.com>
To: Paul Moore <paul.moore@hp.com>,
"Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: selinux@tycho.nsa.gov, DGoeddel@TrustedCS.com, vyekkirala@TrustedCS.com
Subject: Re: [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context)
Date: Wed, 20 Feb 2008 14:11:56 +0900 [thread overview]
Message-ID: <47BBB69C.2050007@ak.jp.nec.com> (raw)
In-Reply-To: <200802192237.22546.paul.moore@hp.com>
[-- Attachment #1: Type: text/plain, Size: 1068 bytes --]
Paul Moore wrote:
> On Tuesday 19 February 2008 7:59:22 pm Kohei KaiGai wrote:
>> Is it acceptable one, if we provide an interface to allow a domain
>> to communicate postgresql_t via labeled networking, separated from
>> existing permissions for local ports and nodes?
>>
>> For example:
>> -- at postgresql.if
>> interface(`postgresql_labeled_connect',`
>> gen_require(`
>> type postgresql_t;
>> ')
>> corenet_tcp_recvfrom_labeled($1,postgresql_t)
>> ')
>>
>> and
>> -- at apache.te
>> postgresql_labeled_connect(httpd_t)
>>
>> I think this approach enables to keep independency between modules
>> in unlabeled networking cases too.
>
> For what it is worth, it looks like a good idea to me.
At first, I implemented this idea for three services (PostgreSQL/MySQL/SSHd).
This patch adds the following interfaces:
- postgresql_labeled_communicate(domain)
- mysql_labeled_communicate(domain)
- ssh_labeled_communicate(domain)
Chris, is it suitable for refpolicy framework?
Thanks
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: refpolicy-labeled_communicate.patch --]
[-- Type: text/x-patch, Size: 6043 bytes --]
Index: refpolicy/policy/modules/services/postgresql.if
===================================================================
--- refpolicy/policy/modules/services/postgresql.if (revision 2614)
+++ refpolicy/policy/modules/services/postgresql.if (working copy)
@@ -79,7 +79,7 @@
########################################
## <summary>
-## Allow the specified domain to connect to postgresql with a tcp socket.
+## Allow the specified domain to connect to postgresql with a tcp socket. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -88,14 +88,7 @@
## </param>
#
interface(`postgresql_tcp_connect',`
- gen_require(`
- type postgresql_t;
- ')
-
- corenet_tcp_recvfrom_labeled($1,postgresql_t)
- corenet_tcp_sendrecv_postgresql_port($1)
- corenet_tcp_connect_postgresql_port($1)
- corenet_sendrecv_postgresql_client_packets($1)
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
@@ -120,3 +113,20 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+########################################
+## <summary>
+## Allow the specified domain to communicate with postgresql via labeled network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postgresql_labeled_communicate',`
+ gen_require(`
+ type postgresql_t;
+ ')
+ corenet_tcp_recvfrom_labeled($1,postgresql_t)
+')
Index: refpolicy/policy/modules/services/ssh.te
===================================================================
--- refpolicy/policy/modules/services/ssh.te (revision 2614)
+++ refpolicy/policy/modules/services/ssh.te (working copy)
@@ -109,6 +109,10 @@
')
optional_policy(`
+ ipsec_match_default_spd(sshd_t)
+')
+
+optional_policy(`
rpm_use_script_fds(sshd_t)
')
Index: refpolicy/policy/modules/services/mysql.if
===================================================================
--- refpolicy/policy/modules/services/mysql.if (revision 2614)
+++ refpolicy/policy/modules/services/mysql.if (working copy)
@@ -39,6 +39,23 @@
########################################
## <summary>
+## Allow the specified domain to communicate with MySQL via labeled network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_labeled_communicate',`
+ gen_require(`
+ type mysqld_t;
+ ')
+ corenet_tcp_recvfrom_labeled($1,mysqld_t)
+')
+
+########################################
+## <summary>
## Read MySQL configuration files.
## </summary>
## <param name="domain">
Index: refpolicy/policy/modules/services/apache.te
===================================================================
--- refpolicy/policy/modules/services/apache.te (revision 2614)
+++ refpolicy/policy/modules/services/apache.te (working copy)
@@ -370,6 +370,14 @@
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
+ # allow httpd to connect to mysql/posgresql
+ corenet_tcp_connect_postgresql_port(httpd_t)
+ corenet_tcp_connect_mysqld_port(httpd_t)
+ corenet_sendrecv_postgresql_client_packets(httpd_t)
+ corenet_sendrecv_mysqld_client_packets(httpd_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
@@ -455,8 +463,7 @@
mysql_rw_db_sockets(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
- corenet_tcp_connect_mysqld_port(httpd_t)
- corenet_sendrecv_mysqld_client_packets(httpd_t)
+ mysql_labeled_communicate(httpd_t)
')
')
@@ -477,7 +484,7 @@
postgresql_stream_connect(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
+ postgresql_labeled_communicate(httpd_t)
')
')
Index: refpolicy/policy/modules/services/ssh.if
===================================================================
--- refpolicy/policy/modules/services/ssh.if (revision 2614)
+++ refpolicy/policy/modules/services/ssh.if (working copy)
@@ -640,6 +640,23 @@
########################################
## <summary>
+## Allow the specified domain to communicate with SSH daemons via labeled network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_labeled_communicate',`
+ gen_require(`
+ type sshd_t;
+ ')
+ corenet_tcp_recvfrom_labeled($1,sshd_t)
+')
+
+########################################
+## <summary>
## Execute the ssh daemon sshd domain.
## </summary>
## <param name="domain">
Index: refpolicy/policy/modules/services/apache.if
===================================================================
--- refpolicy/policy/modules/services/apache.if (revision 2614)
+++ refpolicy/policy/modules/services/apache.if (working copy)
@@ -226,6 +226,18 @@
')
optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ mysql_labeled_communicate(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ postgresql_labeled_communicate(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
nscd_socket_use(httpd_$1_script_t)
')
')
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy/policy/modules/system/userdomain.if (revision 2614)
+++ refpolicy/policy/modules/system/userdomain.if (working copy)
@@ -834,6 +834,7 @@
optional_policy(`
tunable_policy(`allow_user_mysql_connect',`
mysql_stream_connect($1_t)
+ mysql_labeled_communicate($1_t)
')
')
@@ -850,7 +851,7 @@
optional_policy(`
tunable_policy(`allow_user_postgresql_connect',`
postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t)
+ postgresql_labeled_communicate($1_t)
')
')
@@ -872,6 +873,10 @@
')
optional_policy(`
+ ssh_labeled_communicate($1_t)
+ ')
+
+ optional_policy(`
usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
')
next prev parent reply other threads:[~2008-02-20 5:12 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-07 16:07 security context for SPD entries of labeled IPsec Venkat Yekkirala
2007-11-08 14:22 ` KaiGai Kohei
[not found] ` <473872F8.7000208@ak.jp.nec.com>
[not found] ` <1195055160.13737.33.camel@gorn.columbia.tresys.com>
[not found] ` <473B23F9.4080506@ak.jp.nec.com>
[not found] ` <1195064402.13737.42.camel@gorn.columbia.tresys.com>
2007-11-15 2:51 ` [PATCH] IPsec SPD default security context (Re: security context for SPD entries of labeled IPsec) KaiGai Kohei
2007-11-15 14:26 ` Christopher J. PeBenito
2007-11-15 16:05 ` Paul Moore
2007-11-19 2:21 ` KaiGai Kohei
2007-11-19 18:48 ` Christopher J. PeBenito
2007-11-20 9:14 ` [PATCH] IPsec SPD default security context KaiGai Kohei
2007-11-20 18:34 ` Christopher J. PeBenito
2007-11-21 4:26 ` KaiGai Kohei
2007-11-26 16:38 ` Christopher J. PeBenito
2007-11-29 11:46 ` KaiGai Kohei
2008-01-23 3:00 ` Kohei KaiGai
2008-02-19 7:09 ` [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context) Kohei KaiGai
2008-02-19 13:35 ` Christopher J. PeBenito
2008-02-20 0:59 ` Kohei KaiGai
2008-02-20 3:37 ` Paul Moore
2008-02-20 5:11 ` Kohei KaiGai [this message]
2008-02-20 14:18 ` Paul Moore
2008-02-25 16:13 ` Christopher J. PeBenito
2008-02-25 16:12 ` Christopher J. PeBenito
2008-02-26 2:03 ` Kohei KaiGai
2008-06-24 9:10 ` KaiGai Kohei
2008-06-25 5:59 ` [PATCH] Communication between domains under labeled networks KaiGai Kohei
2008-07-18 13:41 ` Christopher J. PeBenito
2008-07-22 10:49 ` KaiGai Kohei
2008-07-25 4:10 ` Chris PeBenito
2008-08-15 8:48 ` KaiGai Kohei
2008-09-11 13:31 ` [refpolicy] " Christopher J. PeBenito
2008-07-18 13:34 ` [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context) Christopher J. PeBenito
2007-12-13 14:00 ` [PATCH] IPsec SPD default security context (Re: security context for SPD entries of labeled IPsec) Ted X Toth
2007-12-13 14:14 ` Christopher J. PeBenito
2007-12-13 14:58 ` Xavier Toth
2007-12-14 19:20 ` Christopher J. PeBenito
2007-12-15 21:10 ` Xavier Toth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47BBB69C.2050007@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=DGoeddel@TrustedCS.com \
--cc=cpebenito@tresys.com \
--cc=paul.moore@hp.com \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.