
SELinux Mailing List

RE: SELinux Networking Enhancements

From: James Morris <jmorris_at_namei.org>
Date: Thu, 19 Oct 2006 17:27:21 -0400 (EDT)


On Thu, 19 Oct 2006, Venkat Yekkirala wrote:

> You would have just as many "secpoints" as you currently
> would "secmarks". No difference there. Same level of flexibility
> and scalability. Nothing more, nothing less.
>
> Example:
>
> 1. An outbound connection to port 80 on machine 10.0.0.1
>
> SECMARK:
> -A OUTPUT -m state --state NEW -p tcp -d 10.0.0.1 --dport 80 -j SECMARK --selctx system_u:object_r:http_client_packet_t:s2
>
> SECPOINT:
> -A OUTPUT -m state --state NEW -p tcp -d 10.0.0.1 --dport 80 -j SECMARK --selctx system_u:object_r:httpd_t:s0
>
> Reason for the change in Type from http_client_packet_t to httpd_t:
>
> All incoming packets on this connection would be from a web-server so should
> be carrying httpd_t as opposed to http_client_packet_t. Also, all outbound
> traffic on this connection carries the originating socket context (firefox_t)
> which would be flow-controlled against httpd_t.
>
> So, just a change in semantics. Whereas you formerly had
> allow firefox_t http_client_packet_t:packet { send recv }
>
> you would now have:
>
> allow firefox_t httpd_t:packet { recv }
> allow firefox_t httpd_t:packet { flow_out }
>
> For the forwarding case:
>
> -A PREROUTING -p tcp -s 10.0.0.5 -j SECMARK --selctx system_u:object_r:webonly_t:s0
>
> -A FORWARD -m state --state NEW -p tcp -d 10.0.0.1 --dport 80 -j SECMARK --selctx system_u:object_r:httpd_t:s0
> -A PREROUTING -p tcp -s 10.0.0.1 --sport 80 -j SECMARK --selctx system_u:object_r:httpd_t:s0
> (can also use CONNSECMARK to save from FORWARD and restore it at PREROUTING
> to label all traffic back from the webserver)
>
> allow webonly_t httpd_t:packet { flow_out }
> allow httpd_t webonly_t:packet { flow_out }
>
> I have only given the main rules and there are of course other supporting
> rules required to get things going.

This is too complicated, most people will not understand it. I think it's also a security risk, because of the complexity of composing these labeling mechanisms and the chance that mistakes will be made in deployment, as well as scaring people away from using the technology altogether.

-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Thu 19 Oct 2006 - 17:27:26 EDT
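The quoted SECMARK rules are deliberately abbreviated ("the main rules"), and the thread never shows the supporting pieces that a deployment of scenario 1 actually needs: the rules have to live in the mangle table (the SECMARK and CONNSECMARK targets are rejected elsewhere; newer kernels also accept them in a dedicated security table), the label has to be carried across the rest of the connection with CONNSECMARK so that reply packets get the same type, and the packet type and its allow rule have to exist in the loaded policy. The script below is an added example written for this page, not code from the thread or from any SELinux project; it only generates the two artefacts and never touches the running firewall or policy. The names firefox_t and http_client_packet_t are taken from the quoted mail; 10.0.0.1 is the mail's hypothetical server; the refpolicy interfaces policy_module, corenet_packet and kernel_sendrecv_unlabeled_packets are assumed to be available on the target.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the SECMARK ruleset and
# the policy module for "an outbound connection to port 80 on 10.0.0.1".
# Nothing here is applied; the output is meant for iptables-restore and for
# the refpolicy module build (make -f /usr/share/selinux/devel/Makefile).

WEB_SERVER=10.0.0.1            # hypothetical server from the mail
PKT_TYPE=http_client_packet_t  # packet type named in the mail
CLIENT_DOMAIN=firefox_t        # client domain named in the mail

# iptables-restore fragment for the mangle table. Only the first packet of a
# new flow is labelled with SECMARK; CONNSECMARK --save copies that label to
# the conntrack entry and CONNSECMARK --restore puts it back on every later
# packet, in both directions, so replies carry the same type without a
# separate --sport 80 rule.
secmark_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# label the first packet of the connection
-A OUTPUT -m conntrack --ctstate NEW -p tcp -d ${WEB_SERVER} --dport 80 -j SECMARK --selctx system_u:object_r:${PKT_TYPE}:s0
# remember the label on the connection
-A OUTPUT -m conntrack --ctstate NEW -p tcp -d ${WEB_SERVER} --dport 80 -j CONNSECMARK --save
# re-apply it to every later packet of any tracked connection
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
COMMIT
EOF
}

# Policy module (refpolicy style, assumed). Once any SECMARK rule is loaded
# the kernel checks every packet as <socket domain, packet type>:packet
# { send recv }, and packets with no mark are treated as unlabeled_t, so the
# client domain also needs the unlabeled permission or its other traffic
# is dropped.
secmark_policy() {
    cat <<EOF
policy_module(${PKT_TYPE%_packet_t}_secmark, 1.0)

require {
    type ${CLIENT_DOMAIN};
}

type ${PKT_TYPE};
corenet_packet(${PKT_TYPE})

allow ${CLIENT_DOMAIN} ${PKT_TYPE}:packet { send recv };
kernel_sendrecv_unlabeled_packets(${CLIENT_DOMAIN})
EOF
}

# Usage: ./secmark-example.sh rules > secmark.rules
#        ./secmark-example.sh policy > http_client_secmark.te
case "${1:-}" in
    rules)  secmark_rules ;;
    policy) secmark_policy ;;
esac
```

Load order matters: build and `semodule -i` the module first, then `iptables-restore < secmark.rules`; doing it the other way round means the SECMARK rule fails to load because the kernel cannot resolve the context, and if the module is later removed every packet on that flow is denied as unlabeled_t. Check the result with `iptables -t mangle -L -v` and by looking for `packet` class AVC denials in the audit log.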
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

National Security Agency / Central Security Service