SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: Network flow controls and subj/obj ordering This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Paul Moore <paul.moore_at_hp.com> Date: Thu, 13 Dec 2007 10:45:57 -0500 On Thursday 13 December 2007 9:12:08 am Christopher J. PeBenito wrote: > On Wed, 2007-12-12 at 15:18 -0500, Paul Moore wrote: > > Assuming labeled networking is enabled, a forwarded packet would > > hit four checks: > > > > # inbound checks > > allow netif_t peer_t:peer ingress; > > allow netnode_t peer_t:peer ingress; > > # outbound checks > > allow netif_t peer_t:peer egress; > > allow netnode_t peer_t:peer egress; > > This helps. But this seems to be for the old networking, how does it > work with the secmark stuff? It doesn't work with the SECMARK stuff, or rather it works in parallel with the SECMARK stuff. We've debated integrating the peer labeling protocols (labeled IPsec, NetLabel) with the SECMARK mechanism many times but in the end we always end up deciding it doesn't make sense. The reason for the network interface, "netif_t", and node, "netnode_t", labels is that we want to be able to apply access controls to peer labeled network traffic based on the remote host and/or interface. Currently we have no way of doing this. Hopefully this is starting to get a bit more clear now ... -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Thu 13 Dec 2007 - 10:56:23 EST This message: [ Message body ] Next message: David Howells: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Previous message: David Howells: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" In reply to: Christopher J. PeBenito: "Re: Network flow controls and subj/obj ordering" Next in thread: Christopher J. PeBenito: "Re: Network flow controls and subj/obj ordering" Reply: Christopher J. PeBenito: "Re: Network flow controls and subj/obj ordering" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom