On Thu, 22 May 2008, Jan Engelhardt wrote:

> On Thursday 2008-05-22 00:43, James Morris wrote:
>
> >On Thu, 22 May 2008, Jan Engelhardt wrote:
> >
> >> On Wednesday 2008-05-21 16:17, James Morris wrote:
> >>
> >> >In a nutshell, the need for this arises from the fact that MAC labeling
> >> >rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
> >> >discretionary security policy (i.e. not even "root" or a user with
> >> >CAP_NET_ADMIN may be able to modify these rules).
> >>
> >> Yet I do not see any code to possibly prohibit changing the table.
> >
> >There are calls from SECMARK and CONNSECMARK into the SELinux API, which
> >are the labeling targets.
>
> But you cannot deny the deletion of a rule from within SECMARK --
> there is not even a ->destroy function in that module.

There is a destroy function, although it is only used internally by SELinux
for reference counting.

The xtables destroy method does not return a value and probably needs to
unconditionally succeed in any case.

Possible solutions are:

- Add a new method which is designed specifically for applying access
  control to rule deletion.

- Add a flag to the table struct which indicates that an LSM hook should be
  called, which can then be used for all table manipulation on a coarse
  level (e.g. invoke "cap_mac_admin" or "load_policy" permission, or
  similar).

Note that coarse-grained control over deletion may be preferable, as we
don't really know what effect the deletion will have (e.g. the packets may
fall through to another rule which the user should not have been able to
specify).

- James
--
James Morris
<jmorris@xxxxxxxxx>
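A user-space model of the coarse-grained option discussed in the message above (a flag-style check on whole-table manipulation rather than per-rule deletion), added here as an illustration and not code from the kernel or from either participant; all names (rule_model, table_model, table_replace_allowed) and the sample tables are invented for the example, and has_mac_admin stands in for whatever answer an LSM hook would give.

```c
/* Hypothetical model of "gate every table replacement that touches MAC
 * labeling rules on a mac_admin-style permission". Not kernel code. */
#include <stdbool.h>
#include <stddef.h>

enum target_kind { TGT_ACCEPT, TGT_DROP, TGT_SECMARK, TGT_CONNSECMARK };

struct rule_model { enum target_kind target; };

struct table_model {
    const struct rule_model *rules;
    size_t nrules;
};

/* A table "carries MAC state" if any rule uses a labeling target. */
bool table_has_labeling_rule(const struct table_model *t) {
    for (size_t i = 0; i < t->nrules; i++)
        if (t->rules[i].target == TGT_SECMARK ||
            t->rules[i].target == TGT_CONNSECMARK)
            return true;
    return false;
}

/* Coarse decision: if either the old or the proposed table holds labeling
 * rules, the whole replacement needs the MAC-admin permission. Deleting a
 * single rule is just a replacement with one rule fewer, so it is covered
 * without needing a per-rule destroy hook that can fail. */
bool table_replace_allowed(const struct table_model *old_t,
                           const struct table_model *new_t,
                           bool has_mac_admin) {
    if (table_has_labeling_rule(old_t) || table_has_labeling_rule(new_t))
        return has_mac_admin;
    return true;   /* plain tables stay under ordinary CAP_NET_ADMIN rules */
}

/* Constructed samples: a table with a SECMARK rule followed by DROP, the
 * same table after the SECMARK rule is deleted, and a table without labeling. */
static const struct rule_model labeled[]  = {{TGT_SECMARK}, {TGT_DROP}};
static const struct rule_model stripped[] = {{TGT_DROP}};
static const struct rule_model plain_old[] = {{TGT_ACCEPT}, {TGT_DROP}};
static const struct rule_model plain_new[] = {{TGT_DROP}};

/* root with CAP_NET_ADMIN but no MAC-admin permission deletes the SECMARK rule */
bool demo_root_strips_labeling(void) {
    struct table_model o = {labeled, 2}, n = {stripped, 1};
    return table_replace_allowed(&o, &n, false);   /* denied */
}
/* a MAC-admin caller performs the same deletion */
bool demo_mac_admin_strips_labeling(void) {
    struct table_model o = {labeled, 2}, n = {stripped, 1};
    return table_replace_allowed(&o, &n, true);    /* allowed */
}
/* root edits a table that never contained labeling rules */
bool demo_root_edits_plain_table(void) {
    struct table_model o = {plain_old, 2}, n = {plain_new, 1};
    return table_replace_allowed(&o, &n, false);   /* allowed */
}
```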