netdev.vger.kernel.org archive mirror
From: Paul Moore <pmoore@redhat.com>
To: Eric Paris <eparis@parisplace.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	Linux Netdev List <netdev@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	SE-Linux <selinux@tycho.nsa.gov>,
	jasowang@redhat.com
Subject: Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices
Date: Mon, 10 Dec 2012 17:21:44 -0500
Message-ID: <2030873.8I84M3f4cr@sifl>
In-Reply-To: <CACLa4pu6UCpzKfscVoEPzLySHitta1yTqPa7cA0d=xUj5ws6HA@mail.gmail.com>

On Monday, December 10, 2012 01:42:12 PM Eric Paris wrote:
> Let me abstract a little here Paul.  Let's say user A starts an
> unclassified process and a top secret process.  SELinux policy darn
> well better be able to enforce that they cannot attach to the same
> tun.
> 
> Am I missing something here?

Relax, all the SELinux-enforced separation still exists, and works.  We're 
just fixing the LSM/SELinux stuff that was broken with the multiqueue addition 
and adding a new SELinux permission to control access to the new queue 
command.

What we are currently discussing is DAC only.  While Michael and I have 
different opinions on how to solve the DAC issues, we agree that SELinux 
works correctly.

-- 
paul moore
security and virtualization @ redhat



Thread overview: 30+ messages
2012-12-05 20:25 [RFC PATCH v2 0/3] Fix some multiqueue TUN problems Paul Moore
2012-12-05 20:26 ` [RFC PATCH v2 1/3] tun: correctly report an error in tun_flow_init() Paul Moore
2012-12-06 10:31   ` Jason Wang
2012-12-06 15:46     ` Paul Moore
2012-12-05 20:26 ` [RFC PATCH v2 2/3] selinux: add the "create_queue" permission to the "tun_socket" class Paul Moore
2012-12-05 20:26 ` [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices Paul Moore
2012-12-06 10:29   ` Jason Wang
2012-12-06 15:36     ` Paul Moore
2012-12-07  5:29       ` Jason Wang
2012-12-06 10:33   ` Michael S. Tsirkin
2012-12-06 13:51     ` Jason Wang
2012-12-06 14:12       ` Michael S. Tsirkin
2012-12-06 15:46     ` Paul Moore
2012-12-06 16:12       ` Michael S. Tsirkin
2012-12-06 16:56         ` Paul Moore
2012-12-06 20:57           ` Michael S. Tsirkin
2012-12-06 21:09             ` Paul Moore
2012-12-07 12:25               ` Michael S. Tsirkin
2012-12-10 17:04                 ` Paul Moore
2012-12-10 17:26                   ` Michael S. Tsirkin
2012-12-10 17:33                     ` Paul Moore
2012-12-10 17:50                       ` Michael S. Tsirkin
2012-12-10 18:42                         ` Eric Paris
2012-12-10 22:21                           ` Paul Moore [this message]
2012-12-10 22:43                         ` Paul Moore
2012-12-11  6:41                           ` Jason Wang
2012-12-12  9:10                           ` Michael S. Tsirkin
2012-12-07  5:41             ` Jason Wang
2012-12-12  9:22   ` Michael S. Tsirkin
2012-12-12 18:49     ` Paul Moore
