On Thu, 2007-11-15 at 11:51 +0900, KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2007-11-15 at 01:36 +0900, KaiGai Kohei wrote:
> >> Christopher J. PeBenito wrote:
> >>> On Tue, 2007-11-13 at 00:36 +0900, KaiGai Kohei wrote:
> >>>> Did you notice that a patch was attached in my previous posting?
> >>>> Because I put a description about this patch on the bottom of the message,
> >>>> it might be easy to overlook it.
> >>>>
> >>>> Could you review it? It is desirable for me to enable to communicate
> >>>> between different domains via labeled ipsec.
> >>> I committed an alternate version,
> >>>
> >>> http://oss.tresys.com/projects/refpolicy/changeset/2499
> >>> http://oss.tresys.com/projects/refpolicy/changeset/2500
> >>>
> >> Thanks for applying them.
> >>
> >> However, it does not contain any permissions which allow
> >> user and daemon domains to communicate via labeled ipsec.
> >>
> >> In my patch, these permissions were allowed at system/init.if
> >> and system/userdomain.if. Do you consider these permissions
> >> should not be allowed implicitly inside these interfaces?
> >>
> >> Currently, it is not enough for SE-PostgreSQL to communicate
> >> peers using a SPD with default security context.
> >> They are requiring a bit more permissions.
> >
> > I reject the blanket permissions that you had in your previous patch.
>
> OK, I can agree.
>
> I also suggest two minor improvements toward these updates.
>
> 1. Is it considerable to add "allow $1 self : association { sendto };"
>    at ipsec_match_default_spd interface of ipsec.if?
>
>    I think it should be packed with polmatch permission to the default
>    SPD context, because any domain which wants to communicate others using
>    SPD with default context always has to have 'sendto' permission to
>    itself.

Perhaps. Though I thought that dropping the sendto check was being
considered, since it really doesn't gain anything.

> 2. Is it considerable to add "ipsec_match_default_spd($1_t)"
>    in the userdom_basic_networking_template of userdomain.if?
>
>    This interface allows a given userdomain widespread basic networking
>    permissions. But it is not enough yet, if the networking tunnel
>    is configured with labeled ipsec.
>    I think it can be contained in the basic networking permissions
>    to use ipsec SPD with default context.

Sounds reasonable.

> > I'll consider a patch that adds it to a postgresql interface. Perhaps
> > postgresql_tcp_connect should be un-deprecated.
>
> I think similar interfaces are necessary for any other daemon-domain which
> provides networking-services, even if they don't use getpeercon().

The recvfrom is needed if the networking is labeled, regardless of
whether getpeercon() is used or not.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
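
The three association permissions discussed in this thread, written out for one client/server pair. This is an added example, not part of the original message and not refpolicy's own code; the module name and the types example_client_t and example_server_t are hypothetical, and only ipsec_match_default_spd and the quoted sendto rule come from the thread.

```selinux
policy_module(labeled_ipsec_example, 1.0.0)

# Hypothetical domains, declared here only so the fragment is complete.
type example_client_t;
type example_server_t;
domain_type(example_client_t)
domain_type(example_server_t)

# polmatch: each domain must be allowed to match the SPD entry that
# carries the default security context before its traffic can use
# the labeled tunnel.
ipsec_match_default_spd(example_client_t)
ipsec_match_default_spd(example_server_t)

# sendto: the rule proposed in item 1 of the thread, written out
# explicitly per domain. A domain sending through an SPD with the
# default context sends on an association labeled with its own context.
allow example_client_t self:association sendto;
allow example_server_t self:association sendto;

# recvfrom: needed whenever the traffic is labeled, whether or not the
# receiver calls getpeercon(). It is granted per peer pair rather than
# as a blanket rule, so each direction names the specific peer domain.
allow example_server_t example_client_t:association recvfrom;
allow example_client_t example_server_t:association recvfrom;
```

Granting recvfrom per pair keeps the labeled tunnel as an enforcement point: a third domain that can match the default SPD still cannot deliver packets to example_server_t without its own recvfrom rule.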