From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
To: James Morris <jmorris@namei.org>
Cc: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
tgraf@suug.ch, Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: Refactor Netlink connector?
Date: Tue, 30 May 2006 23:09:06 +0400 [thread overview]
Message-ID: <20060530190906.GA3128@2ka.mipt.ru> (raw)
In-Reply-To: <Pine.LNX.4.64.0605301453360.28036@d.namei>
On Tue, May 30, 2006 at 02:58:11PM -0400, James Morris (jmorris@namei.org) wrote:
> > Apache still can setup routes using ioctl or execve("ip route add/route
> > add");
>
> Depends on the policy. You can specify which types of files/sockets
> apache can perform ioctl on, and whether it can execve 'ip', and if so,
> which security context that runs in, and then whether that security
> context can add routes.
With applications like phpmmyadmin apache must be allowed to perform such
operations no matter hacked it is or not...
> Security in SELinux is not based on the name of the application, it's
> based on the security label bound to the binary being executed.
I know how selinux works.
I see your point, selinux is supposed to control each datflow even if it
sometimes is not that good idea.
> > Anyway you can easily add lsm hook into both sending/receiving pathes in
> > connector code, it fully controls the traffic before it reached socket
> > queue or user's callback.
>
> There are already LSM hooks which allow this, it's a matter of not wanting
> to have to parse arbitrarily implemented Netlink protocols to determine
> what the messages are.
I mean you can control messages based on cn_mcg->id structure, since
cn_msg is a header for all connector messages.
> - James
> --
> James Morris
> <jmorris@namei.org>
--
Evgeniy Polyakov
next prev parent reply other threads:[~2006-05-30 19:09 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-26 20:04 Refactor Netlink connector? James Morris
2006-05-26 23:06 ` Patrick McHardy
2006-05-27 13:46 ` Evgeniy Polyakov
2006-05-27 16:45 ` James Morris
2006-05-27 17:21 ` James Morris
2006-05-28 15:33 ` Evgeniy Polyakov
2006-05-29 6:36 ` David Miller
2006-05-29 12:11 ` jamal
2006-05-30 14:22 ` James Morris
2006-05-31 12:00 ` jamal
2006-05-31 13:09 ` Thomas Graf
2006-05-30 14:18 ` James Morris
2006-05-30 18:03 ` Evgeniy Polyakov
2006-05-30 18:58 ` James Morris
2006-05-30 19:09 ` Evgeniy Polyakov [this message]
2006-05-31 3:00 ` Thomas Graf
2006-05-31 12:20 ` jamal
2006-05-31 13:06 ` Thomas Graf
2006-05-31 13:22 ` jamal
2006-05-31 15:42 ` James Morris
2006-06-01 10:45 ` Thomas Graf
2006-06-01 14:24 ` James Morris
2006-06-14 12:36 ` jamal
2006-06-14 15:19 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060530190906.GA3128@2ka.mipt.ru \
--to=johnpol@2ka.mipt.ru \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).