Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: SELinux Networking Enhancements
From: Joshua Brindle <jbrindle_at_tresys.com>
Date: Mon, 16 Oct 2006 08:40:21 -0400
Its not that we don't understand it, its just that we don't agree. The secpoint "paradigm" is convoluted IMO and we need something simple. I basically bailed on this conversation because it wasn't going anywhere. While you still disagree, I think most of us believe that secmarks should be _local only_ enforcement, not peer labeling, an ipsec rule is in no way a "peer", a remote socket is a peer and a peer should represent that. I believe the secpoint paradigm is very complicated to understand and use, for example, you'll have to have a number of flow_in and flow_out rules not necessarily related to the domain and socket being used. You'll get a flow_out for the domain->socket->secmark->(any other secmark that we happen to hit which is non-ideal)->association. There is not an intuitive way of binding a domain to an association. Rather than doing a string of checks like this it should be laid out and obvious: allow domain socket : tcp_sock { write read }; allow socket secmark : packet { send recv }; allow secmark association : association { flow_out flow_in }; allow domain association : association { sendto recvfrom }; this effectively (and obviously) binds the domain type to the socket and the association, binds the socket to the packet and binds the packet to the association. Without having to follow a trail of flow_in rules this effectively does the access control that that we want. Network labeling should be very simple: you use the network label if its present. If some reconciliation needs to happen between ipsec and Netlabel thats fine but the bottom line is peer contexts are external and have nothing to do with the local labeling (except for access control). What is the problem with what I have above (which is what I thought we were going to do after the conf call..)
> Specifically the following objects are defined/used: -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Mon 16 Oct 2006 - 08:40:01 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |