From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] MLS unix socket sendto/connectto
Date: Wed, 10 Nov 2010 09:54:56 -0500 [thread overview]
Message-ID: <4CDAB240.4010901@tresys.com> (raw)
In-Reply-To: <170D6ABBBA770349AA49582A86FCED150322F421@HAVOC.tcs-sec.com>
I think I would go with mlstrustedsocket, in case we end up needing it
for other socket types.
On 11/10/10 09:49, chanson at TrustedCS.com wrote:
> I'm actually thinking we want to have a new attribute, like
> mlstrustedsocket or mlstrustedunixsocket, to replace the
> mlstrustedobject on these constraints. I agree with the earlier comments
> that mlstrustedobject doesn't seem right for this constraint. I would
> say this because the most of the time the "object" of these unix domain
> sockets constraints is a process (domain) which is not desired to be a
> trusted object.
>
> This would simplify your policy changes as well.
>
> -Chad
>
>> -----Original Message-----
>> From: Chad Hanson
>> Sent: Friday, November 05, 2010 9:54 AM
>> To: 'Christopher J. PeBenito'; Paul Moore
>> Cc: Stephen Smalley; Daniel J Walsh; refpolicy at oss.tresys.com
>> Subject: RE: MLS unix socket sendto/connectto
>>
>> Thanks, Chris for the clarification. I tend to agree that we
>> should have something different as we don't want this on a
>> process per your proc pid example. Let me think about this a
>> little bit.
>>
>> -Chad
>>
>>> -----Original Message-----
>>> From: Christopher J. PeBenito [mailto:cpebenito at tresys.com]
>>> Sent: Friday, November 05, 2010 8:44 AM
>>> To: Paul Moore
>>> Cc: Stephen Smalley; Daniel J Walsh; Chad Hanson;
>>> refpolicy at oss.tresys.com
>>> Subject: Re: MLS unix socket sendto/connectto
>>>
>>> On 11/05/10 08:39, Paul Moore wrote:
>>>> On Fri, 2010-11-05 at 08:04 -0400, Christopher J. PeBenito wrote:
>>>>> On 11/04/10 10:46, Paul Moore wrote:
>>>>>> On Thu, 2010-11-04 at 09:19 -0400, Christopher J.
>> PeBenito wrote:
>>>>>>> The current MLS constraints for unix socket
>> sendto/connectto are:
>>>>>>>
>>>>>>> # UNIX domain socket ops
>>>>>>> mlsconstrain unix_stream_socket connectto
>>>>>>> (( l1 eq l2 ) or
>>>>>>> (( t1 == mlsnetwriteranged ) and ( l1 dom l2
>> ) and ( l1
>>>>>>> domby
>>>>>>> h2 )) or
>>>>>>> (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 )
>> and ( l1
>>>>>>> domby l2
>>>>>>> )) or
>>>>>>> ( t1 == mlsnetwrite ) or
>>>>>>> ( t2 == mlstrustedobject ));
>>>>>>>
>>>>>>> mlsconstrain unix_dgram_socket sendto
>>>>>>> (( l1 eq l2 ) or
>>>>>>> (( t1 == mlsnetwriteranged ) and ( l1 dom l2
>> ) and ( l1
>>>>>>> domby
>>>>>>> h2 )) or
>>>>>>> (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 )
>> and ( l1
>>>>>>> domby l2
>>>>>>> )) or
>>>>>>> ( t1 == mlsnetwrite ) or
>>>>>>> ( t2 == mlstrustedobject ));
>>>>>>>
>>>>>>> These were added earlier this year (except the last t2
>> exception
>>>>>>> which was added more recently). My concern is with the
>>> mlstrustedobject part.
>>>>>>> We need an exception like this to handle domains such
>>> as syslog,
>>>>>>> so they can receive messages from any level. But I
>>> think we need a
>>>>>>> different attribute since domain types are used for
>> the process
>>>>>>> itself and also it's /proc/pid files, so by making the
>> domain a
>>>>>>> trusted object, the /proc/pid become trusted objects
>>> too. Opinions?
>>>>>>
>>>>>> Is there a reason why we don't have transition rules for
>>> things like
>>>>>> sockets? Granted, they are probably only useful for unix
>>> sockets,
>>>>>> but I think they could come in handy for things like this
>>> where we
>>>>>> don't want to start messing around with adding
>> setsockcreatecon()
>>>>>> calls to the code.
>>>>>
>>>>> I don't understand; how would a transition help here?
>>>>
>>>> I was thinking that a type transition could be used when
>>> /dev/log was
>>>> created so that it could be created with a new type which
>> we could
>>>> assign to the mlstrustedobject attribute.
>>>
>>> Wrong check. The check on /dev/log is a sock_file check
>> (eg foo_t to
>>> devlog_t). The above constraints are for foo_t to syslogd_t, as an
>>> example.
>>>
>>>
>>>
>>> --
>>> Chris PeBenito
>>> Tresys Technology, LLC
>>> www.tresys.com | oss.tresys.com
>>>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
prev parent reply other threads:[~2010-11-10 14:54 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-04 13:19 [refpolicy] MLS unix socket sendto/connectto Christopher J. PeBenito
2010-11-04 14:46 ` Paul Moore
2010-11-05 12:04 ` Christopher J. PeBenito
2010-11-05 12:39 ` Paul Moore
2010-11-05 12:44 ` Christopher J. PeBenito
2010-11-05 12:49 ` Paul Moore
2010-11-05 13:53 ` chanson at TrustedCS.com
2010-11-10 4:45 ` HarryCiao
2010-11-10 15:06 ` Christopher J. PeBenito
2010-11-10 14:49 ` chanson at TrustedCS.com
2010-11-10 14:54 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CDAB240.4010901@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.