Christopher J. PeBenito wrote: > On Thu, 2007-11-15 at 01:36 +0900, KaiGai Kohei wrote: >> Christopher J. PeBenito wrote: >>> On Tue, 2007-11-13 at 00:36 +0900, KaiGai Kohei wrote: >>>> Did you notice that a patch was attached in my previous posting? >>>> Because I put a description about this patch on the bottom of the message, >>>> it might be easy to overlook it. >>>> >>>> Could you review it? It is desirable for me to enable to communicate >>>> between different domains via labeled ipsec. >>> I committed an alternate version, >>> >>> http://oss.tresys.com/projects/refpolicy/changeset/2499 >>> http://oss.tresys.com/projects/refpolicy/changeset/2500 >>> >> Thanks to apply them, >> >> However, it does not contain any permissions which allows >> users and daemons domain to communicate via labeled ipsec. >> >> In my patch, these permissions were allowed at system/init.if >> and system/userdomain.if. Do you consider these permissions >> should not be allowed implicitly inside these interfaces? >> >> Currently, it is not enough for SE-PostgreSQL to communicate >> peers using a SPD with default security context. >> They are requiring a bit more permissions. > > I reject the blanket permissions that you had in your previous patch. OK, I can agree. I also suggest two minor improvement toward these updates. 1. Is it considerable to add "allow $1 self : association { sendto };" at ipsec_match_default_spd interface of ipsec.if? I think it should be packed with polmatch permission to the default SPD context, because any domain which want to communicate others using SPD with default context always have to have 'sendto' permission to itself. 2. Is it considerable to add "ipsec_match_default_spd($1_t)" in the userdom_basic_networking_template of userdomain.if? This interface allows a given userdomain widespread basic networking permissions. But it is not enough yet, if the networking tunnel is configured with labeled ipsec. I think it can be contained in the basic networking permissions to use ipsec SPD with default context. > I'll consider a patch that adds it to a postresql interface. Perhaps > postgresql_tcp_connect should be un-deprecated. I think similar interfaces are necessary for any other daemon-domain which provides networking-services, even if they don't use getpeercon(). Thanks, -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@xxxxxxxxxxxxx> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
