[redhat-lspp] Re: Networking policy patch

Christopher J. PeBenito cpebenito at tresys.com
Fri Oct 6 15:22:03 UTC 2006


On Fri, 2006-10-06 at 10:10 -0400, Paul Moore wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2006-10-03 at 21:54 -0500, Venkat Yekkirala wrote:
> > 
> >>FYI- I have posted the following patches separate from this one.
> >>
> >>1. A patch to address the "leask" issue. Once verified, it needs
> >>to be rolled in with James' patch and sent on after verification.
> >>
> >>2. A fix for flow_in and flow_out where we were using the unlabeled
> >>   init sid. We would now use a new network_t with a range of (s0-s15...)
> >>   to allow for mls traffic to flow out/in, in the absence of explicit secmark
> >>   rules.
> >>
> >>
> >>The following is a sample patch for networking using the new controls
> >>in conjunction with secmark.
> >>
> >>NOTE FOR JOSHUA: This patch also defines the constraints to force context
> >>equality for association:sendto.
> > 
> > I'm starting a labeled networking branch of refpolicy to work with this.
> 
> Is this available yet?  If so, how do I go about getting a copy to take a look?

Yes, however it doesn't have anything interesting yet, just the flow_in
and flow_out perms.

svn co http://oss.tresys.com/repos/refpolicy/branches/labeled-networking-2029 refpolicy

> > I'm waiting until the dust settles before adding TE rules, but I have
> > some questions:
> 
> Now that things are starting to calm down a bit I'm trying to get a chance to
> look at the current policy and how it affects NetLabel.  In the secid case I
> believe NetLabel can just ride on the back of the policy work you and Venkat are
> discussing, however, if the reference policy is also going to support the
> network compatibility mode I suspect there will need to be some changes to allow
> NetLabel'd traffic to work.
> 
> In the network compatibility mode there is really only one new access check for
> NetLabel:

Changing the behavior of compat_net seems very bad, since the point of
it is compatibility.  If we need to update the policy, then that is not
compatibility.

> There is also an issue of writing policy for netlabelctl, the NetLabel
> configuration tool.  Klaus and I have passed around some simple policy modules
> on the lspp list which have provided policy for netlabelctl.  I'm going to try
> and revisit the last version posted and see if it needs to be updated, once it
> is working I would like to try and have it included in the reference policy.
> Would you prefer I post the policy as a standalone policy module or as a patch
> against the reference policy currently in SVN?

If it makes no changes to other modules, then either way is ok,
otherwise a patch would be better.  Use the labeled networking branch
above.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150