From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 5/7] Add socket and dccp_socket to socket_class_set
Date: Wed, 27 Aug 2014 13:41:00 -0400 [thread overview]
Message-ID: <53FE182C.5090800@tresys.com> (raw)
In-Reply-To: <53FCC247.1020500@m4x.org>
On 8/26/2014 1:22 PM, Nicolas Iooss wrote:
> 2014-08-25 17:07 GMT+02:00 Christopher J. PeBenito:
>> On 8/23/2014 7:35 AM, Nicolas Iooss wrote:
>>> @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
>>> #
>>> # All socket classes.
>>> #
>>> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
>>> -
>>> +define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
>>
>> I don't think we want to add socket to this set. We need to be able to
>> detect when there is generic socket class usage, as that means we need a
>> kernel change and a corresponding new object class.
>
> I agree with this point of view, if "socket" class means "generic socket
> which is never used in practice" (and which defines access vectors
> common to all socket classes, as stated on the SELinux wiki [1]).
To be more specific, it refers to sockets that have no defined SELinux
object class. It is a fallback object class.
> Now that you said that "socket" should be used to detect new socket
> class (if I understood correctly), there is something I no longer
> understand in the current policy. Why does contrib/mozilla.te contains
> this? [5]
>
> allow mozilla_t self:socket create_socket_perms;
I did some digging and found that rule was pulled in from the NSA
example policy. I don't know why it's there or if it is still needed.
> A quick "grep :socket -r policy" shows other domains allowed to use this
> kind of socket. Do you know where I could find a good documentation
> about the socket class to understand why these allow rules are needed?
It would depend on the application; you would have to identify what type
of sockets that are being used, and then we'd have to add new object
classes. I'd be happy to remove them if it can be demonstrated that
they are no longer needed.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2014-08-27 17:41 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-23 11:35 [refpolicy] [PATCH 0/7] Set of small patches Nicolas Iooss
2014-08-23 11:35 ` [refpolicy] [PATCH 1/7] Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/ Nicolas Iooss
2014-08-26 13:15 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 2/7] Label /var/spool/postfix/dev/ files Nicolas Iooss
2014-08-25 15:04 ` Christopher J. PeBenito
2014-08-26 16:14 ` Nicolas Iooss
2014-09-17 8:00 ` Russell Coker
2014-08-23 11:35 ` [refpolicy] [PATCH 3/7] Fix typo in fs_getattr_all_fs description Nicolas Iooss
2014-08-26 13:15 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 4/7] Add attribute file_type to pseudo filesystem types Nicolas Iooss
2014-08-26 12:20 ` Christopher J. PeBenito
2014-08-26 14:53 ` Dominick Grift
2014-08-27 21:51 ` Nicolas Iooss
2014-08-28 7:06 ` Dominick Grift
2014-08-28 9:39 ` Dominick Grift
2014-08-29 22:26 ` Nicolas Iooss
2014-09-12 18:14 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 5/7] Add socket and dccp_socket to socket_class_set Nicolas Iooss
2014-08-25 15:07 ` Christopher J. PeBenito
2014-08-26 17:22 ` Nicolas Iooss
2014-08-27 17:41 ` Christopher J. PeBenito [this message]
2014-08-23 11:35 ` [refpolicy] [PATCH 6/7] Add ioctl and lock to manage_lnk_file_perms Nicolas Iooss
2014-08-26 13:15 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 7/7] Label (/var)?/tmp/systemd-private-.../tmp like /tmp Nicolas Iooss
2014-08-26 13:15 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53FE182C.5090800@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.