SELinux Mailing List

Re: Question on networking accesses
From: Paul Moore <paul.moore_at_hp.com>
Date: Mon, 21 May 2007 23:46:58 -0400
Just to be clear, the internal label is not quite the same as the external label. Both can be used to control access between a packet and its sending or receiving socket, but that is where the similarities end; for example, you can't do a getpeercon() call on a connection that does not have an external label. I mention this because it is my understanding the other trusted OSs had a facility to assign "external" labels to packets that were not labeled, i.e. the "label-of-convenience". For example, all traffic on interface X is labeled "SuperSecret" while traffic on interface Y is labeled "SuperDoubleSecret". At some point I would like to implement something like this, as I see this as a nice feature, but we currently do not support this use case.
> > > It appears that you're treating the packet as a labeled object,

Perhaps not a name in a conventional sense, but I think you could consider them as having a name based on the src/port-dst/port tuple. After all, if there was no way to identify packets how would networking work, and what is a name if not a way to identify an object?

> Further, processes don't go out of their way

I see your point, but the process does have to explicitly perform an action to receive data. In the case of stream connections an accept() is required, whereas datagram connections require a recvfrom/msg/etc call. As far as the "magic", how does data get into a file to be consumed by a process :)

> The systems that I worked on treated it as the sender writing to

I guess with SELinux you could think of it as the following:

packet traverses the ether (real magic)
While it's different from what you may be used to, I don't think it's _that_ different, especially if you tilt your head ever so slightly and squint.

--
paul moore
linux security @ hp

Received on Mon 21 May 2007 - 23:47:09 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009