From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: Paul Moore <paul.moore@hp.com>,
	selinux@tycho.nsa.gov, DGoeddel@TrustedCS.com,
	vyekkirala@TrustedCS.com
Subject: Re: [PATCH] Communication between domains under labeled networks
Date: Tue, 22 Jul 2008 19:49:38 +0900	[thread overview]
Message-ID: <4885BB42.4060603@ak.jp.nec.com> (raw)
In-Reply-To: <1216388484.21191.139.camel@gorn>

Christopher J. PeBenito wrote:
> On Wed, 2008-06-25 at 14:59 +0900, KaiGai Kohei wrote:
>> Hi,
>>
>> The attached patch allows user domains to communicate with daemon
>> domains, and some other domains (Apache and CGI scripts) to communicate
>> with RDBMSs (PostgreSQL and MySQL) using the xxxx_tcp_connect() interface.
>>
>> This approach enables us to cover most of the relationships needed.
>> All we have to do is describe the rest of the relationships, like the
>> ones between CGI scripts and RDBMS, daemons and name servers,
>> anything and the Samba server, ....
>>
>> At least, we cannot make labeled networks available unless we add
>> policies to communicate between the proper domains.
>> I think it is necessary to make a decision to describe the policies.
> 
>> (attachment: refpolicy-labeled_communication.2.patch)

The attached patch is a revised version.
Please review it again.

And I also noticed that ipsec_match_default_spd() should be invoked with
the server's domain, as postgresql_t does.
(e.g. communication between staff_t and sshd_t)
I think it should also be allowed for the whole daemon attribute.
What is your opinion? The version 3 patch also contains this fix.


>> Index: refpolicy/policy/modules/services/apache.if
>> ===================================================================
>> --- refpolicy/policy/modules/services/apache.if (revision 2733)
>> +++ refpolicy/policy/modules/services/apache.if (working copy)
>> @@ -189,10 +189,8 @@
>>                 corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
>>                 corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
>>                 corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
>> -               corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
>> -               corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
>> -               corenet_sendrecv_postgresql_client_packets(httpd_
>> $1_script_t)
>> -               corenet_sendrecv_mysqld_client_packets(httpd_
>> $1_script_t)
>> +               postgresql_tcp_connect(httpd_$1_script_t)
>> +               mysql_tcp_connect(httpd_$1_script_t)
>>  
>>                 sysnet_read_config(httpd_$1_script_t)
>>         ')
> 
> In this case, we want to break out the two databases into individual
> optionals, e.g.
> 
> optional_policy(`
>    tunable_policy(`.... && ....',`
>       mysql_tcp_connect()
>    ')
> ')

OK, these are separated from the tunable block.


> In fact we may want to just duplicate the whole tunable since the other
> perms don't make much sense if you can't connect to mysql or postgresql.
> 
>> Index: refpolicy/policy/modules/system/init.if
>> ===================================================================
>> --- refpolicy/policy/modules/system/init.if     (revision 2733)
>> +++ refpolicy/policy/modules/system/init.if     (working copy)
>> @@ -1273,3 +1273,37 @@
>>         files_search_pids($1)
>>         allow $1 initrc_var_run_t:file manage_file_perms;
>>  ')
> [...]
>> +interface(`daemon_labeled_tcp_recvfrom',`
>> +       gen_require(`
>> +               attribute daemon;
>> +       ')
>> +       corenet_tcp_recvfrom_labeled($1,daemon)
>> +')
>> +
> [...]
>> +interface(`daemon_labeled_udp_recvfrom',`
>> +       gen_require(`
>> +               attribute daemon;
>> +       ')
>> +       corenet_udp_recvfrom_labeled($1,daemon)
>> +')
>>
> 
> Both interfaces need naming fixes.  init_tcp_recvfrom_all_daemons() and
> init_udp_recvfrom_all_daemons().

OK, these are renamed.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: refpolicy-labeled_communication.3.patch --]
[-- Type: text/x-patch, Size: 5055 bytes --]

Index: refpolicy/policy/modules/services/mysql.if
===================================================================
--- refpolicy/policy/modules/services/mysql.if	(revision 2762)
+++ refpolicy/policy/modules/services/mysql.if	(working copy)
@@ -20,6 +20,27 @@
 
 ########################################
 ## <summary>
+##	Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_tcp_connect',`
+	gen_require(`
+		type mysqld_t;
+	')
+
+	corenet_tcp_recvfrom_labeled($1,mysqld_t)
+	corenet_tcp_sendrecv_mysqld_port($1)
+	corenet_tcp_connect_mysqld_port($1)
+	corenet_sendrecv_mysqld_client_packets($1)
+')
+
+########################################
+## <summary>
 ##	Connect to MySQL using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
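Review bot: the summary on the new mysql_tcp_connect() interface says "connect to postgresql with a tcp socket"; it should read "connect to MySQL with a tcp socket" to match the module and the existing summaries below it. The interface body itself is consistent (mysqld_t, the mysqld port and mysqld client packets).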
Index: refpolicy/policy/modules/services/apache.te
===================================================================
--- refpolicy/policy/modules/services/apache.te	(revision 2762)
+++ refpolicy/policy/modules/services/apache.te	(working copy)
@@ -459,8 +459,7 @@
 	mysql_rw_db_sockets(httpd_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-		corenet_tcp_connect_mysqld_port(httpd_t)
-		corenet_sendrecv_mysqld_client_packets(httpd_t)
+		mysql_tcp_connect(httpd_t)
 	')
 ')
 
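Review bot: this hunk is not a pure refactor. mysql_tcp_connect(httpd_t) also grants corenet_tcp_recvfrom_labeled(httpd_t, mysqld_t) and corenet_tcp_sendrecv_mysqld_port(httpd_t), which the two removed corenet_* lines did not, so httpd_t gains the labeled-peer permission under httpd_can_network_connect_db. That is the intent of the series, but it should be stated in the commit message so the permission widening is reviewable on its own.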
Index: refpolicy/policy/modules/services/apache.if
===================================================================
--- refpolicy/policy/modules/services/apache.if	(revision 2762)
+++ refpolicy/policy/modules/services/apache.if	(working copy)
@@ -189,14 +189,22 @@
 		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
-		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
-		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
-		corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
-		corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
 
 		sysnet_read_config(httpd_$1_script_t)
 	')
 
+	optional_policy(`
+		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+			mysql_tcp_connect(httpd_$1_script_t)
+		')
+	')
+
+	optional_policy(`
+		tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+			postgresql_tcp_connect(httpd_$1_script_t)
+		')
+	')
+
 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
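Review bot: the two new optional_policy blocks carry only the connect interfaces, while corenet_tcp_sendrecv_all_ports(), corenet_udp_sendrecv_all_ports() and the all_nodes rules stay in the tunable above, which is not made optional on either database module. Chris's suggestion in the thread was to duplicate the whole tunable per database, so that the broader sendrecv permissions are not granted when neither the mysql nor the postgresql module is present; as written, a policy without either module still grants httpd_$1_script_t the all-ports permissions under the same tunable.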
Index: refpolicy/policy/modules/services/postgresql.te
===================================================================
--- refpolicy/policy/modules/services/postgresql.te	(revision 2762)
+++ refpolicy/policy/modules/services/postgresql.te	(working copy)
@@ -245,10 +245,6 @@
 ')
 
 optional_policy(`
-	ipsec_match_default_spd(postgresql_t)
-')
-
-optional_policy(`
 	kerberos_use(postgresql_t)
 ')
 
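Review bot: dropping ipsec_match_default_spd(postgresql_t) here only preserves postgresql_t's current access if postgresql_t carries the daemon attribute that the init.te hunk now grants ipsec_match_default_spd() to. Nothing in this hunk shows that, so please state it in the commit message, and note that this hunk and the init.te hunk must land together to avoid a regression for postgresql_t.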
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy/policy/modules/system/userdomain.if	(revision 2762)
+++ refpolicy/policy/modules/system/userdomain.if	(working copy)
@@ -549,7 +549,14 @@
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
 
+	corenet_all_recvfrom_labeled($1_t, $1_t)
+
 	optional_policy(`
+		init_tcp_recvfrom_all_daemons($1_t)
+		init_udp_recvfrom_all_daemons($1_t)
+	')
+
+	optional_policy(`
 		ipsec_match_default_spd($1_t)
 	')
 ')
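Review bot: init_tcp_recvfrom_all_daemons($1_t) and init_udp_recvfrom_all_daemons($1_t) are wrapped in a new optional_policy block, but init is a base module in refpolicy and is always present, so the wrapper is unnecessary; the two calls can sit unconditionally next to corenet_all_recvfrom_labeled($1_t, $1_t). Minor style point: that call uses a space after the comma while the other new calls in this patch (e.g. corenet_tcp_recvfrom_labeled($1,daemon)) do not; pick one form.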
Index: refpolicy/policy/modules/system/init.te
===================================================================
--- refpolicy/policy/modules/system/init.te	(revision 2762)
+++ refpolicy/policy/modules/system/init.te	(working copy)
@@ -609,6 +609,8 @@
 optional_policy(`
 	ipsec_read_config(initrc_t)
 	ipsec_manage_pid(initrc_t)
+
+	ipsec_match_default_spd(daemon)
 ')
 
 optional_policy(`
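Review bot: ipsec_match_default_spd(daemon) grants the SPD-match permission to every domain carrying the daemon attribute in one line, which is the question the mail body raises. Placing it in the ipsec optional block alongside the initrc_t rules is right, since it is then dropped cleanly when the ipsec module is absent; a one-line comment above it saying that it replaces the per-daemon calls (such as the postgresql_t one removed in this patch) would help the next reader.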
Index: refpolicy/policy/modules/system/init.if
===================================================================
--- refpolicy/policy/modules/system/init.if	(revision 2762)
+++ refpolicy/policy/modules/system/init.if	(working copy)
@@ -1283,3 +1283,37 @@
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file manage_file_perms;
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to daemon with a tcp socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+	gen_require(`
+		attribute daemon;
+	')
+	corenet_tcp_recvfrom_labeled($1,daemon)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to daemon with a udp socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_udp_recvfrom_all_daemons',`
+	gen_require(`
+		attribute daemon;
+	')
+	corenet_udp_recvfrom_labeled($1,daemon)
+')
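Review bot: the summaries for init_tcp_recvfrom_all_daemons() and init_udp_recvfrom_all_daemons() say "connect to daemon with a tcp socket" and "... udp socket", but the bodies grant corenet_tcp_recvfrom_labeled($1,daemon) and corenet_udp_recvfrom_labeled($1,daemon), i.e. receiving labeled packets from all daemon domains, not connecting. Reword them to match the names and the effect, e.g. "Receive TCP packets from all daemon domains under labeled networking." For consistency with mysql_tcp_connect() above, also leave a blank line after the gen_require block.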
