[redhat-lspp] secid reconciliation and localhost sockets

Venkat Yekkirala vyekkirala at trustedcs.com
Wed Oct 11 19:56:09 UTC 2006


> >>Joe Nall wrote:
> >>
> >>>If the secid reconciliation patches don't make RH5, will localhost
> >>>IP connections have MLS policy applied?
> >>
> >>Just a second while I get my dead-horse-beating-mallets out of my  
> >>desk drawer
> >>... there we go.
> >>
> >>NetLabel, which *should* be present in RHEL5 with full support,
> >>works without problem over localhost.  This means that, if NetLabel
> >>is configured for the sending domain, packets sent to/over/through
> >>the localhost interface will carry MLS attributes and will have MLS
> >>policy applied as one would expect.
> > 
> > For 240 of the 1024 categories in the current policy :)
> 
> Sheesh, Joe, you always have to be so picky ;)
> 
> > Netlabel/CIPSO is great for talking to other operating systems, but
> > if it is the _only_ mechanism to label local IP sockets, we have a
> > problem.
> 
> As it stands, I believe it is the only mechanism able to label local
> IP sockets that is currently in the RHEL5 kernel.  One possible
> workaround would be to use UNIX domain sockets if you know you will
> be talking to a process on the local machine.

It should be possible in theory to set up labeled networking over
loopback (would have to first set the disable_xfrm ip_sysctl to 0
for the loopback interface). Even so, getpeercon() is currently
broken since it retrieves the context of the SA used by the local
socket, as opposed to tracking and returning it from the SA of
the peer.

And if you do use NetLabel, if I remember correctly,
the TE portion comes from the local socket as opposed
to saying unlabeled_t (or potentially node, netif Types).
Is this still true Paul? (not trying to rake up the issue,
just pointing out).
