Re: Socket and inode label consistency

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Casey Schaufler <casey@schaufler-ca.com>
To: Trent Jaeger <tjaeger@cse.psu.edu>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	Paul Moore <paul.moore@hp.com>,
	selinux@tycho.nsa.gov, James Morris <jmorris@namei.org>,
	Eric Paris <eparis@parisplace.org>
Subject: Re: Socket and inode label consistency
Date: Wed, 27 Aug 2008 15:53:19 -0700	[thread overview]
Message-ID: <48B5DADF.9060005@schaufler-ca.com> (raw)
In-Reply-To: <4A385C00-E89F-43D3-8ACA-E7B27AC97B5E@cse.psu.edu>

Trent Jaeger wrote:
>
> On Aug 27, 2008, at 4:06 PM, Casey Schaufler wrote:
>
>> Stephen Smalley wrote:
>>> ...
>>>
>>> You may be right about setxattr not being viable due to it being an
>>> inode op.  setsockopt may be the right approach there if we need to
>>> support relabeling of sockets at all.
>>>
>>>
>>
>> Hum. fsetxattr() works for Smack. The only thing that I can't do
>> is switch from labeled domains to unlabeled ones. So long as I'm
>> living "within CIPSO" it works great. Paul did a very good job on
>> that. If the intent is to change the MLS value, which is very useful
>> for label-aware service providers like CMW style X11 server or a
>> mail server, there oughtn't be a problem.
>>
>> Yes, it would be weird to change the label on a TCP connection
>> midstream, but not unheard of. If you need an example think of
>> what you might want to do with a diskless boot, or some of the
>> less sophisticated clustering schemes. For UDP examples should
>> be obvious to the casual observer, and a couple are cited above.
>>
>> Or am I missing something (again)?
>
> It sets the socket's inode's security context, but not the sock's context.

Would I be going too far out on a limb to suggest you change the code
so that it changes both? I know that SELinux would require work
to figure out what context to put on the sock based on the context
of the task, socket inode, sock, port and address family, still
that shouldn't be an insurmountable obstacle. Especially if you
limit changes to the MLS portion of the label.

Paul points out some edge case conditions for TCP that might make
really supporting that protocol iffy. True enough. I wouldn't see
changing labels on a TCP connection showing up in any but very low
level system sort of uses where you need to be extraordinarily
careful in any case. I don't see those dangers as a real stopper.

> The former is used to authorize access to the socket api.  The latter 
> is what is used to authorize packet access (e.g., labeled ipsec and 
> seclabel).  So, you end up with the two being different which is a 
> potential problem.
>
> Regards,
> Trent.
> ----------------------------------------------
> Trent Jaeger, Associate Professor
> Pennsylvania State University, CSE Dept
> 346A IST Bldg, University Park, PA 16802
> Email: tjaeger@cse.psu.edu
> Ph: (814) 865-1042, Fax: (814) 865-3176
>
>
>
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2008-08-27 22:53 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-08-27  0:50 Socket and inode label consistency Trent Jaeger
2008-08-27 11:57 ` Stephen Smalley
2008-08-27 15:49   ` Paul Moore
2008-08-27 18:08     ` Trent Jaeger
2008-08-27 18:05       ` Eric Paris
2008-08-27 18:20         ` Trent Jaeger
2008-08-27 18:34           ` Paul Moore
2008-08-27 20:15             ` Trent Jaeger
2008-08-27 18:16       ` Stephen Smalley
2008-08-27 18:32         ` Trent Jaeger
2008-08-27 20:06         ` Casey Schaufler
2008-08-27 20:32           ` Paul Moore
2008-08-27 21:38           ` Trent Jaeger
2008-08-27 22:53             ` Casey Schaufler [this message]
2008-08-28 12:13               ` Stephen Smalley
2008-08-28 15:20                 ` Trent Jaeger
2008-08-29  4:22                   ` Casey Schaufler
2008-08-29 12:13                     ` Stephen Smalley
2008-08-29 17:34                       ` Trent Jaeger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48B5DADF.9060005@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=eparis@parisplace.org \
    --cc=jmorris@namei.org \
    --cc=paul.moore@hp.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=tjaeger@cse.psu.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.