[redhat-lspp] Updated NetLabel patch
Paul Moore
paul.moore at hp.com
Thu Jun 15 18:13:35 UTC 2006
Stephen Smalley wrote:
> On Thu, 2006-06-15 at 12:22 -0400, Paul Moore wrote:
>>Hmm. I haven't looked at the selinuxfs bits in much detail yet to even
>>see how something like that would work but I'll look into it as that
>>seems like a much better solution than the sysctl approach.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195238
>
Thanks for the link, I'll let the dust settle a bit before I write anything.
>>I don't believe it is currently being addressed in the xfrm case either
>>as it came up during the LSPP call two weeks ago. If I remember
>>correctly they were planning on relabeling the socket too ...
>
> <snip>
>
>>I thought that protecting the relabel with a relabelto check would
>>suffice to ensure that unwanted socket relabeling was protected.
>>However, based on your comments I'm guessing that I'm not understanding
>>something very fundamental here ...
>
> relabelfrom/relabelto are supposed to be process-to-object checks
> applied upon setxattr (if setxattr were implemented for sockets), as
> with files. The relationship between the old and new label would
> typically be handled via a security_validate_transition() call in the
> code and validatetrans constraints in the policy, not via relabelto.
>
> But relabeling is undesirable in general; it violates the tranquility
> property and breaks your ability to reason about information flow in the
> system. And automatic relabeling based on potentially untrustworthy
> input is worse yet.
>
> http://beyondabstraction.net/2005/10/13/subject-object-tranquility/
> http://beyondabstraction.net/2005/11/07/subject-object-tranquility-part-2/
>
Between the two links you just posted and a quick look at the xinetd
sources I think I see the problem - when a socket is accept()'ed it
takes the SID of the listening/parent socket, shouldn't it take the SID
of the current task similar to when the parent socket is first created?
If I am understanding everything correctly, this would allow the
listen-fork-accept method of xinetd to work correctly and still maintain
tranquility.
--
paul moore
linux security @ hp
More information about the redhat-lspp
mailing list