* [PATCH 0/3] labeled-ipsec: Repost patchset with updates [Originally: mlsxfrm: Various Fixes]
From: Venkat Yekkirala @ 2006-11-08 23:03 UTC (permalink / raw)
To: netdev; +Cc: selinux, jmorris, sds
This patchset is against davem's net-2.6.git. Please apply to 2.6.19.
The following are the changes since the previous post of this patchset:
1. Separate BUG_ON usage per Eric's suggestion.
2. Replace security_sid_compare with a simple sid compare check per
a suggestion from Paul/Stephen.
* Re: [PATCH 0/3] labeled-ipsec: Repost patchset with updates [Originally: mlsxfrm: Various Fixes]
From: James Morris @ 2006-11-09 6:30 UTC (permalink / raw)
To: Venkat Yekkirala; +Cc: netdev, selinux, Stephen Smalley
On Wed, 8 Nov 2006, Venkat Yekkirala wrote:
> This patchset is against davem's net-2.6.git. Please apply to 2.6.19.
>
> The following are the changes since the previous post of this patchset:
>
> 1. Separate BUG_ON usage per Eric's suggestion.
>
> 2. Replace security_sid_compare with a simple sid compare check per
> a suggestion from Paul/Stephen.
Applied to:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-net-2.6.20.git
I think this should be aimed at 2.6.20, because we are at the last or
second-last -rc currently, and I don't think these fixes are urgent enough
to justify the risk at this stage. Also, I think this code needs more
testing, and more general progress towards code completion.
- James
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 0/3] labeled-ipsec: Repost patchset with updates [Originally: mlsxfrm: Various Fixes]
From: David Miller @ 2006-11-09 6:42 UTC (permalink / raw)
To: jmorris; +Cc: vyekkirala, netdev, selinux, sds
From: James Morris <jmorris@namei.org>
Date: Thu, 9 Nov 2006 01:30:05 -0500 (EST)
> I think this should be aimed at 2.6.20, because we are at the last or
> second-last -rc currently, and I don't think these fixes are urgent enough
> to justify the risk at this stage. Also, I think this code needs more
> testing, and more general progress towards code completion.
This is the way I feel too.
* RE: [PATCH 0/3] labeled-ipsec: Repost patchset with updates [Originally: mlsxfrm: Various Fixes]
From: Venkat Yekkirala @ 2006-11-09 14:14 UTC (permalink / raw)
To: 'James Morris', Venkat Yekkirala; +Cc: netdev, selinux, Stephen Smalley
> I think this should be aimed at 2.6.20, because we are at the last or
> second-last -rc currently, and I don't think these fixes are urgent enough
> to justify the risk at this stage.
That makes sense. Thanks.
* Re: [PATCH 0/3] labeled-ipsec: Repost patchset with updates [Originally: mlsxfrm: Various Fixes]
From: Joshua Brindle @ 2006-11-11 16:22 UTC (permalink / raw)
To: Venkat Yekkirala; +Cc: netdev, selinux, jmorris, sds
Venkat Yekkirala wrote:
> This patchset is against davem's net-2.6.git. Please apply to 2.6.19.
>
> The following are the changes since the previous post of this patchset:
>
> 1. Separate BUG_ON usage per Eric's suggestion.
>
> 2. Replace security_sid_compare with a simple sid compare check per
> a suggestion from Paul/Stephen.
>
I pulled in the lspp respin kernels and am checking the labeling
behavior now so I should have a full response later, however I ran into
one unexpected thing immediately on bootup with the new kernel:
audit(1163061323.188:197): avc: denied { send } for pid=1676
comm="modprobe" daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1163061343.335:204): avc: denied { send } for pid=1804
comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353
netif=eth0 scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1163061343.338:205): avc: denied { recv } for pid=1804
comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353
netif=eth0 scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1163061346.139:210): avc: denied { send } for pid=1856
comm="smartd-conf.py" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
These denials come after iptables-restore sets up labeling in the mangle
table, so I'm not sure why they are unlabeled. They also don't say which
port they were using; perhaps it is a different protocol that our packet
labeling isn't covering yet? Is there any way we could get protocol
information in the denial?
* RE: [PATCH 0/3] labeled-ipsec: Repost patchset with updates [Originally: mlsxfrm: Various Fixes]
From: Venkat Yekkirala @ 2006-11-13 15:42 UTC (permalink / raw)
To: 'Joshua Brindle'; +Cc: netdev, selinux, jmorris, sds
> I pulled in the lspp respin kernels and am checking the labeling
> behavior now so I should have a full response later, however I ran into
> one unexpected thing immediately on bootup with the new kernel:
Just FYI- The labeled-ipsec patch doesn't affect or influence the
packet class handling in any manner.
>
> audit(1163061323.188:197): avc: denied { send } for pid=1676
> comm="modprobe" daddr=ff02:0000:0000:0000:0000:0000:0000:0016
> netif=eth0
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> audit(1163061343.335:204): avc: denied { send } for pid=1804
> comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
> src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353
> netif=eth0 scontext=system_u:system_r:avahi_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> audit(1163061343.338:205): avc: denied { recv } for pid=1804
> comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
> src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353
> netif=eth0 scontext=system_u:system_r:avahi_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> audit(1163061346.139:210): avc: denied { send } for pid=1856
> comm="smartd-conf.py" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
> daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
>
> These denials come after iptables-restore sets up labeling in the mangle
> table so I'm not sure why they are unlabeled.
Could you list the mangle table rules and see that the above IPv6
addresses are covered (i.e. labeled appropriately) or otherwise that
your policy allows kernel_t to receive all packets (may or may not be
desired/good, just thinking out loud).
> They also don't say which port they were using,
The port info is currently available only for tcp/udp packets.
> perhaps it is a different protocol that our packet labeling isn't
> covering yet?
James can perhaps comment on this better, but it *should* be covered
to the extent that you are able to define mangle table/secmark rules
for them.
> Is there any way we could get protocol information in the denial?
This is possible with kernel changes, specifically by adding protocol
to avc_audit_data. If Stephen agrees I can look into doing it.
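The check Venkat asks for above (do the mangle-table SECMARK rules actually cover the destinations in the denials?) and Joshua's question about why the packets came through as unlabeled_t can be automated. The following is an added example, not code from the thread, the kernel, or refpolicy: it parses packet-class AVC records like the ones quoted above and an ip6tables-save style mangle table, and reports every denial whose destination no SECMARK rule would have labeled. The AVC lines are the four from the thread, joined to one record each. The rule set, its chain assignments, and the packet contexts mdns_packet_t and icmp6_packet_t are constructed assumptions for illustration, not refpolicy names. The matcher also uses the point Venkat makes, that src/dest ports are reported only for TCP/UDP, to rule out port-based rules for the port-less records.

```python
"""Match SELinux packet-class AVC denials against ip6tables SECMARK rules.

Added example for the thread above; not kernel, refpolicy or list code.
"""
import ipaddress
import re

# Constructed input: the four AVC records posted in the thread, one per line.
AVC_LINES = [
    'audit(1163061323.188:197): avc: denied { send } for pid=1676 comm="modprobe" '
    'daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0 '
    'scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'audit(1163061343.335:204): avc: denied { send } for pid=1804 comm="avahi-daemon" '
    'saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1 src=5353 '
    'daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353 netif=eth0 '
    'scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'audit(1163061343.338:205): avc: denied { recv } for pid=1804 comm="avahi-daemon" '
    'saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1 src=5353 '
    'daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353 netif=eth0 '
    'scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'audit(1163061346.139:210): avc: denied { send } for pid=1856 comm="smartd-conf.py" '
    'saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1 '
    'daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0 '
    'scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
]

# Constructed ip6tables-save fragment. The packet contexts are hypothetical
# names chosen for this example, not refpolicy types.
IP6_MANGLE_WITH_V6 = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p udp -d ff02::fb --dport 5353 -j SECMARK --selctx system_u:object_r:mdns_packet_t:s0
-A INPUT -p udp -d ff02::fb --dport 5353 -j SECMARK --selctx system_u:object_r:mdns_packet_t:s0
-A OUTPUT -p icmpv6 -d ff02::/16 -j SECMARK --selctx system_u:object_r:icmp6_packet_t:s0
COMMIT
"""

# The state Joshua describes: no IPv6 SECMARK rules at all.
IP6_MANGLE_EMPTY = "*mangle\nCOMMIT\n"

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perm>\w+) \}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r'^-A (?P<chain>\S+)(?P<opts>.*?) -j SECMARK --selctx (?P<ctx>\S+)$')

# Assumption: mangle chains a packet has traversed by the time the kernel
# performs the corresponding packet-class check.
CHAINS_FOR_PERM = {'send': {'OUTPUT', 'POSTROUTING'}, 'recv': {'PREROUTING', 'INPUT'}}


def parse_avc(line):
    """Turn one AVC record into a dict of its key=value fields plus 'perm'."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perm': m.group('perm')}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def parse_secmark_rules(text):
    """Extract -A ... -j SECMARK rules from ip6tables-save output."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        opts = m.group('opts')
        dst = re.search(r'\s-d\s+(\S+)', opts)
        proto = re.search(r'\s-p\s+(\S+)', opts)
        dport = re.search(r'\s--dport\s+(\d+)', opts)
        rules.append({
            'chain': m.group('chain'),
            'ctx': m.group('ctx'),
            'dst': ipaddress.ip_network(dst.group(1), strict=False) if dst else None,
            'proto': proto.group(1) if proto else None,
            'dport': int(dport.group(1)) if dport else None,
        })
    return rules


def rule_covers(rule, rec):
    """Would this SECMARK rule have labeled the packet the record describes?"""
    if rule['chain'] not in CHAINS_FOR_PERM.get(rec['perm'], set()):
        return False
    if rule['dst'] is not None:
        if 'daddr' not in rec or ipaddress.ip_address(rec['daddr']) not in rule['dst']:
            return False
    has_port = 'dest' in rec  # the kernel reports ports only for TCP/UDP packets
    if rule['proto'] in ('tcp', 'udp') and not has_port:
        return False
    if rule['proto'] not in (None, 'tcp', 'udp') and has_port:
        return False
    if rule['dport'] is not None and (not has_port or int(rec['dest']) != rule['dport']):
        return False
    return True


def _type_of(ctx):
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''


def uncovered_denials(avc_lines, rules_text):
    """Return (comm, perm, daddr) for unlabeled_t packet denials no rule covers."""
    rules = parse_secmark_rules(rules_text)
    out = []
    for line in avc_lines:
        rec = parse_avc(line)
        if rec is None or rec.get('tclass') != 'packet':
            continue
        if _type_of(rec.get('tcontext', '')) != 'unlabeled_t':
            continue
        if not any(rule_covers(r, rec) for r in rules):
            out.append((rec['comm'], rec['perm'], str(ipaddress.ip_address(rec['daddr']))))
    return out


if __name__ == '__main__':
    for label, rules in (('no IPv6 rules', IP6_MANGLE_EMPTY), ('with IPv6 rules', IP6_MANGLE_WITH_V6)):
        print(label)
        for comm, perm, daddr in uncovered_denials(AVC_LINES, rules):
            print(f'  uncovered: {comm} {perm} -> {daddr}')
```

With the empty table every record is reported, which is the situation Joshua confirms in his follow-up; with the constructed IPv6 rules none is. The two port-less records (modprobe and smartd-conf.py to ff02::16) can only ever be covered by a rule that is not TCP/UDP-specific, which is the practical reading of Venkat's remark that port information exists only for those two protocols.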
* RE: [PATCH 0/3] labeled-ipsec: Repost patchset with updates [Originally: mlsxfrm: Various Fixes]
From: Joshua Brindle @ 2006-11-13 17:45 UTC (permalink / raw)
To: vyekkirala; +Cc: netdev, selinux, jmorris, sds
> From: Venkat Yekkirala [mailto:vyekkirala@trustedcs.com]
>
> > I pulled in the lspp respin kernels and am checking the labeling
> > behavior now so I should have a full response later, however I ran
> > into one unexpected thing immediately on bootup with the new kernel:
>
> Just FYI- The labeled-ipsec patch doesn't affect or influence
> the packet class handling in any manner.
>
> >
> > audit(1163061323.188:197): avc: denied { send } for pid=1676
> > comm="modprobe" daddr=ff02:0000:0000:0000:0000:0000:0000:0016
> > netif=eth0
> > scontext=system_u:system_r:kernel_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> > audit(1163061343.335:204): avc: denied { send } for pid=1804
> > comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
> > src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353
> > netif=eth0 scontext=system_u:system_r:avahi_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> > audit(1163061343.338:205): avc: denied { recv } for pid=1804
> > comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
> > src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353
> > netif=eth0 scontext=system_u:system_r:avahi_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> > audit(1163061346.139:210): avc: denied { send } for pid=1856
> > comm="smartd-conf.py" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
> > daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0
> > scontext=system_u:system_r:kernel_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> >
> > These denials come after iptables-restore sets up labeling in the
> > mangle table so I'm not sure why they are unlabeled..
>
> Could you list the mangle table rules and see that the above
> IPv6 addresses are covered (i.e. labeled appropriately) or
> otherwise that your policy allows kernel_t to receive all
> packets (may or may not be desired/good, just thinking out loud).
>
Oops, I don't have ipv6 rules (refpolicy doesn't generate them). I'm not
even sure why it was on since I don't use ipv6 at all.