Networking and the firewall (Was Re: Isn't it time for the encrypted file system???)

David Zeuthen davidz at redhat.com
Tue Mar 28 17:56:12 UTC 2006 

On Tue, 2006-03-28 at 11:02 -0500, Daniel J Walsh wrote:
> Should also be wrapped in SELinux to make sure some random app does not 
> ask for this.  If I am a user and NetworkManager pops a window saying 
> somethine like
> "In order to run correctly I need your computer to turn purple, and run 
> the Hypervizor at Warp 3"  I am going to answer the question, "Yes"
> 
> So only apps with  a security policy should even be able to do this.

And, I might add, this would be a another perfect showcase of why
SELinux is important on the desktop.

Btw, with the PolicyKit bits I'm writing it will be easy to do this even
without user interaction other than turning g-u-s on; basically it goes
like this

 1. label /usr/libexec/gnome-user-share with a label so it runs in a
    well-known and specific security domain

 2. write a small system-level daemon for punching holes in the firewall
    and start it on boot up (when we get activation on the D-BUS system
    message bus we don't even need to start it on boot up)

 3. g-u-s starts; pokes system-level daemon for punching a hole via
    D-BUS

 4. system-level daemon checks security domain; rejects anything but
    the domain we labeled /usr/libexec/gnome-user-share with; if OK
    punches a hole in the firewall and reconfigures SELinux on the
    fly so /usr/sbin/httpd is allowed to listen to the given port.

 5. if rejected, g-u-s brings up a dialog asking for privileges; 
    either the users own password or the super user password (this is
    a feature of PolicyKit); probably only wants this when starting
    from the "Personal File Sharing" capplet, e.g. not on login

So this should be trivial once PolicyKit is finished. Specifically the
system-level helper for punching holes in the firewall would be
distributed with g-u-s. In fact, when PolicyKit is ready for this, I'm
going to try to write this patch for g-u-s... it shouldn't take more
than a day or two.. 

Btw, this should be upstream friendly too; the fact that we're using
SELinux just means we don't need the user to auth when starting g-u-s.

    David

More information about the Fedora-maintainers mailing list