* [refpolicy] kernel_corenetwork.te.in.patch
@ 2009-03-02 22:27 Daniel J Walsh
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-03-02 22:27 UTC (permalink / raw)
  To: refpolicy


http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corenetwork.te.in.patch

Add definitions for

afs_client, agentx, certmaster, dccm, festival, flash, ftps, kismet, kprop, munin, pingd, pki*, prelude, speech, streaming, virt

Add additional ports for dhcpc, snmp, tor, whois

A range of ports for cyphesis, http_cache, vnc



* [refpolicy] kernel_corenetwork.te.in.patch
@ 2009-03-24 13:23 Daniel J Walsh
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-03-24 13:23 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corenetwork.te.in.patch

Lots of additional port interfaces.

Need aliases for node_t


* [refpolicy] kernel_corenetwork.te.in.patch
@ 2009-05-21 15:15 Daniel J Walsh
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:15 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_corenetwork.te.in.patch

Lots of new port types, and ports modified to include additional port numbers.


* [refpolicy] kernel_corenetwork.te.in.patch
@ 2009-11-12 20:57 Daniel J Walsh
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2009-11-12 20:57 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_corenetwork.te.in.patch

Lots of new ports.  For several domains, also split out the asterisk port 5060 to a sip port.


* [refpolicy] kernel_corenetwork.te.in.patch
@ 2010-02-23 21:34 Daniel J Walsh
  2010-03-05 18:47 ` Christopher J. PeBenito
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-02-23 21:34 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_corenetwork.te.in.patch

Still a few extra network ports, although less than there used to be.


* [refpolicy] kernel_corenetwork.te.in.patch
  2010-02-23 21:34 Daniel J Walsh
@ 2010-03-05 18:47 ` Christopher J. PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-03-05 18:47 UTC (permalink / raw)
  To: refpolicy

On Tue, 2010-02-23 at 16:34 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_corenetwork.te.in.patch
> 
> Still a few extra network ports, although less than there used to be.

Merged the changes to existing ports now.  The new ports will be added
when the related change in the calling policy is merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] kernel_corenetwork.te.in.patch
@ 2010-06-02 20:18 Daniel J Walsh
  2010-06-04 13:52 ` Christopher J. PeBenito
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:18 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch

tun_tap_device is an mls trusted object

Lots of new port definitions.


* [refpolicy] kernel_corenetwork.te.in.patch
  2010-06-02 20:18 Daniel J Walsh
@ 2010-06-04 13:52 ` Christopher J. PeBenito
  2010-06-04 14:53   ` Daniel J Walsh
  0 siblings, 1 reply; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-06-04 13:52 UTC (permalink / raw)
  To: refpolicy

On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
> 
> tun_tap_device is an mls trusted object

Why?  This seems wrong to me.

> Lots of new port definitions.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] kernel_corenetwork.te.in.patch
  2010-06-04 13:52 ` Christopher J. PeBenito
@ 2010-06-04 14:53   ` Daniel J Walsh
  2010-06-04 15:43     ` Christopher J. PeBenito
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-04 14:53 UTC (permalink / raw)
  To: refpolicy

On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
>>
>> tun_tap_device is an mls trusted object
>
> Why?  This seems wrong to me.
>
>> Lots of new port definitions.
>
I think virtual machines at different levels need to talk to this device.


* [refpolicy] kernel_corenetwork.te.in.patch
  2010-06-04 14:53   ` Daniel J Walsh
@ 2010-06-04 15:43     ` Christopher J. PeBenito
  2010-06-04 20:32       ` Daniel J Walsh
  0 siblings, 1 reply; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-06-04 15:43 UTC (permalink / raw)
  To: refpolicy

On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
> On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
> >>
> >> tun_tap_device is an mls trusted object
> >
> > Why?  This seems wrong to me.

> I think virtual machines at different levels need to talk to this device.

But there are several of these devices.  Making it trusted means that
there's no separation between the networks, which seems contrary to what
an MLS system would want.  More likely, the MLS label needs to be changed
as needed.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] kernel_corenetwork.te.in.patch
  2010-06-04 15:43     ` Christopher J. PeBenito
@ 2010-06-04 20:32       ` Daniel J Walsh
       [not found]         ` <20100607093019.GB19864@redhat.com>
  0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-06-04 20:32 UTC (permalink / raw)
  To: refpolicy

On 06/04/2010 11:43 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
>> On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
>>> On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
>>>>
>>>> tun_tap_device is an mls trusted object
>>>
>>> Why?  This seems wrong to me.
>
>> I think virtual machines at different levels need to talk to this device.
>
> But there are several of these devices.  Making it trusted means that
> there's no separation between the networks, which seems contrary to what
> an MLS system would want.  More likely, the MLS label needs to be changed
> as needed.
>
I think the kernel will take care of the isolation.

Eric, Dan, is the tuntap device per qemu instance?


* [refpolicy] kernel_corenetwork.te.in.patch
       [not found]         ` <20100607093019.GB19864@redhat.com>
@ 2010-06-07 12:45           ` Christopher J. PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Christopher J. PeBenito @ 2010-06-07 12:45 UTC (permalink / raw)
  To: refpolicy

On Mon, 2010-06-07 at 10:30 +0100, Daniel P. Berrange wrote:
> On Fri, Jun 04, 2010 at 04:32:25PM -0400, Daniel J Walsh wrote:
> > On 06/04/2010 11:43 AM, Christopher J. PeBenito wrote:
> > >On Fri, 2010-06-04 at 10:53 -0400, Daniel J Walsh wrote:
> > >>On 06/04/2010 09:52 AM, Christopher J. PeBenito wrote:
> > >>>On Wed, 2010-06-02 at 16:18 -0400, Daniel J Walsh wrote:
> > >>>>http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_corenetwork.te.in.patch
> > >>>>
> > >>>>tun_tap_device is an mls trusted object
> > >>>
> > >>>Why?  This seems wrong to me.
> > >
> > >>I think virtual machines at different levels need to talk to this device.
> > >
> > >But there are several of these devices.  Making it trusted means that
> > >there's no separation between the networks, which seems contrary to what
> > >an MLS system would want.  More likely, the MLS label needs to be changed
> > >as needed.
> > >
> > I think the kernel will take care of the isolation.
> > 
> > Eric, Dan, is the tuntap device per qemu instance?
> 
> Yes, every guest NIC gets associated with its own TAP device. libvirtd
> opens /dev/net/tun. This creates new tap devices 'vnet0', 'vnet1',
> 'vnet2', etc. The file descriptor for each NIC's tap device is passed to
> the QEMU process when it starts, or using SCM_RIGHTS for NIC hotplug
> to an existing QEMU.

This is my exact point.  You're trusting libvirtd to handle all that
correctly.  Nothing stops qemu from using the wrong device.  This just
reinforces my thinking that it is _not_ a trusted device.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

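The separation argument in the exchange above, modelled as an added example (constructed here, not code from the thread or from refpolicy): a toy MLS check in which a subject may read a device it dominates and write a device that dominates it, with an mls_trusted_object exempt from both. The guest names, tap names, levels and the simplified "s0:c1" level syntax are all assumed; real refpolicy MLS constraints use level ranges and are more involved.

```python
# Toy model of MLS dominance for tap devices (constructed example, not refpolicy code).
# A Level is a sensitivity plus a category set. Reads require the subject to dominate
# the object; writes require the object to dominate the subject. An mls_trusted_object
# is exempt from both checks, which is exactly what removes the separation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dominates(self, other: "Level") -> bool:
        return self.sens >= other.sens and other.cats <= self.cats


def level(s: str) -> Level:
    """Parse a simplified 's0:c1,c2' string into a Level (assumed syntax)."""
    sens, _, cats = s.partition(":")
    return Level(int(sens[1:]), frozenset(cats.split(",")) if cats else frozenset())


def allowed(subject: Level, obj: Level, perm: str, trusted: bool) -> bool:
    """Toy MLS constraint: trusted objects bypass the dominance checks entirely."""
    if trusted:
        return True
    if perm == "read":
        return subject.dominates(obj)
    if perm == "write":
        return obj.dominates(subject)
    raise ValueError(perm)


# Constructed scenario: two guests at different levels, one tap device labelled per guest.
GUESTS = {"qemu-A": level("s0:c1"), "qemu-B": level("s0:c2")}
TAPS = {"vnet0": level("s0:c1"), "vnet1": level("s0:c2")}


def access_matrix(trusted: bool) -> dict:
    """Map (guest, tap, perm) to whether the toy MLS check permits it."""
    return {(g, t, p): allowed(gl, tl, p, trusted)
            for g, gl in GUESTS.items()
            for t, tl in TAPS.items()
            for p in ("read", "write")}


def cross_level_leaks(trusted: bool) -> list:
    """Guest/tap pairs at different levels that are nevertheless reachable."""
    return sorted((g, t, p) for (g, t, p), ok in access_matrix(trusted).items()
                  if ok and GUESTS[g] != TAPS[t])


if __name__ == "__main__":
    print("trusted object:   ", cross_level_leaks(True))   # every cross-level pair
    print("per-device labels:", cross_level_leaks(False))  # []
```

With per-device labels, a QEMU handed the wrong tap is denied by the kernel check rather than relying on libvirtd having passed the right descriptor.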
