[redhat-lspp] RE: Labeled Networking For LSPP: Where we are and where we need to go (quickly)
Venkat Yekkirala
vyekkirala at TrustedCS.com
Fri Oct 6 17:24:15 UTC 2006
Paul Moore wrote:
> Eric Paris wrote:
> > Last night I built a new test kernel for labeled networking in RHEL5
> > kernels. That kernel can be found at
> >
> > http://people.redhat.com/sgrubb/files/lspp
> >
> > and you want the lspp kernel 51.
> >
<snip>
> > Patch3: find and fix current issues with unlabeled_t packets that can't
> > be explained (Paul Moore and Venkat)
>
> I'm working on this but it's taking time getting all the right policy bits
> sorted so I can differentiate between SECINITSID_UNLABELED and SECINITSID_NETMSG
> as they will both show up as "unlabeled_t" in all the released policies (at
> least I think so).
>
> Venkat, if you have a policy rpm/clean-patch/tarball something it would be a
> help if you could post that or send it to me (I saw your earlier postings, but
> only the constraints were really in patch form). Or if you could verify the
> lspp.51 kernel w/o the NetLabel/secid patch (turn off patch 25008, if you want I
> can send you a diff to the spec file - it's only two lines). So far I have not
> seen any differences between the stock lspp.51 kernel and the lspp.51 kernel
> without the NetLabel/secid patch.
As for the policy, I don't have anything more than what I posted
earlier. To distinguish between the SECINITSID_NULL and NETMSG,
see the policy patch I posted, specifically, policy/domains/kernel/kernel.te
where you will see that NETMSG is being set to network_t. You should
be able to apply at least that one bit of patch.
Also, are you seeing the following denials without NetLabel/secid?
[Pasted from Joshua's email]
avc: denied { flow_in } for pid=1815 comm="avahi-daemon" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=packet
don't understand this one at all, source should be network_t (i thought)
and target should be a packet object (and there aren't any). Why is it
getting the domain context?
avc: denied { recv } for pid=1815 comm="avahi-daemon" src=5353 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=packet
So the source here seems correct but the target is avahi_t again..
>
> > There also is some question from Joshua Brindle if the object classes
> > are correct for a number of things. These changes also will need to be
> > done quickly. I'm going to call this Patch4.
> >
> > Patch4: verify/fix the object class for all netlabel hooks. (Hopefully
> > Venkat will be able to take the lead on this)
>
> Just to clarify, these aren't netlabel specific hooks/changes, these are secid
> hooks/changes. Otherwise, I agree, Venkat has the best understanding of this
> work so I believe he should "drive" - I'll do whatever I can to support this work.
>
> --
> paul moore
> linux security @ hp
>
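The two denials quoted in this message are the concrete artifact of the "object class" question: both are tclass=packet, yet the target context is the avahi_t process domain (role system_r) rather than a packet object. The following Python is an added example, not code from this thread or from the kernel/policy work it discusses. It parses AVC lines of the shape shown above and flags packet-class records whose target label carries a process role instead of object_r (the generic role SELinux puts on object labels). The first two sample lines are the ones pasted above, rejoined onto one line each; the third line, with named_t and pid 4242, is constructed here as an assumed example of the expected domain-to-packet-object shape and is not from the page.

```python
import re
from typing import Any, Dict, List, Optional

# Sample input: the two AVC denials pasted in the mail above, rejoined onto one
# line each, plus a third line constructed here (not from the page) showing the
# shape one would expect for a packet-class denial: a process domain as source
# and an object_r-labelled packet as target.
SAMPLE_AVC_LINES = [
    'avc: denied { flow_in } for pid=1815 comm="avahi-daemon" '
    'scontext=system_u:object_r:unlabeled_t:s0 '
    'tcontext=system_u:system_r:avahi_t:s0 tclass=packet',
    'avc: denied { recv } for pid=1815 comm="avahi-daemon" src=5353 dest=5353 '
    'netif=eth0 scontext=system_u:system_r:avahi_t:s0 '
    'tcontext=system_u:system_r:avahi_t:s0 tclass=packet',
    # constructed, hypothetical: domain named_t receiving an unlabeled packet
    'avc: denied { recv } for pid=4242 comm="example" src=53 dest=53 '
    'netif=eth0 scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# SELinux labels objects (files, sockets, packets) with the generic object role;
# a process-style role such as system_r on an object label is the anomaly
# pointed at in the mail ("why is it getting the domain context?").
OBJECT_ROLE = 'object_r'


def parse_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type[:range] into its parts (the MLS range may itself contain colons)."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed security context: %s' % ctx)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'range': parts[3] if len(parts) == 4 else ''}


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one avc: line into a dict; None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {'result': m.group('result'),
                           'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    for side in ('scontext', 'tcontext'):
        if side in rec:
            rec[side] = parse_context(rec[side])
    return rec


def check_packet_denial(rec: Dict[str, Any]) -> List[str]:
    """Return findings for a tclass=packet record whose target does not look like a packet."""
    findings: List[str] = []
    if rec.get('tclass') != 'packet':
        return findings
    s = rec.get('scontext')
    t = rec.get('tcontext')
    if not isinstance(s, dict) or not isinstance(t, dict):
        findings.append('missing scontext/tcontext')
        return findings
    if t['role'] != OBJECT_ROLE:
        findings.append('target role %s on a packet object (expected %s)'
                        % (t['role'], OBJECT_ROLE))
    # The second denial above: source and target are the same process domain.
    if t == s and s['role'] != OBJECT_ROLE:
        findings.append('target is the process domain itself (%s)' % s['type'])
    return findings


def triage(lines: List[str]) -> List[List[str]]:
    """Run the check over raw log lines; one findings list per input line."""
    out: List[List[str]] = []
    for line in lines:
        rec = parse_avc(line)
        out.append(['not an avc record'] if rec is None else check_packet_denial(rec))
    return out


if __name__ == '__main__':
    for line, findings in zip(SAMPLE_AVC_LINES, triage(SAMPLE_AVC_LINES)):
        print(line.split(' for ')[0], '->', findings or ['ok'])
```

Run against the two pasted denials, both are flagged for the system_r role on the packet target and the recv denial is additionally flagged because its target equals its source domain; the constructed third line passes. The check only says the label shape is wrong for the object class; which hook assigned the domain's secid to the packet is what the thread's Patch4 work has to establish.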