On Wed, 2007-11-21 at 13:26 +0900, KaiGai Kohei wrote:
> The attached patch provides the following features:
> - Two new policy patterns "labeled_(tcp|udp)_pattern" are added
> - The postgresql_tcp_connect interface is revised to allow a domain
>   to communicate with postgresql_t.
> - postgresql_t can communicate with others via default SPD.
> - An obvious permission of "$1 self association:{sendto}" is allowed
>   to any domain using ipsec_spd_t.
> - Any user-domain using core-networks can communicate with others via
>   default SPD.
> - Any user-domain can communicate with postgresql_t via labeled networks.

Merged [1], but I made some changes. I created corenetwork interfaces to use instead of the patterns, so the current MLS-only netlabel case can be handled too. I also updated the domain module to use the interfaces.

The thing that makes me a little nervous, which I didn't realize at first, is that if you use non-labeled networking, the peer policy will still be needed, since the corenet connect/sendrecv calls are abstracted into the interface. Consider the non-labeled case for apache. The httpd_can_network_connect_db tunable won't work for postgresql if the postgresql module isn't in the apache server's policy. What's worse is, to make it work, you need to bring in the entire postgresql policy, even though you only need one type, and only need the recvfrom rules.

[1] http://oss.tresys.com/projects/refpolicy/changeset/2531

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
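To make the module dependency Chris describes concrete, here is an added illustration in refpolicy-style m4 of the two ways the apache side can express the database connection. It is not code from the changeset or from either author: the interface bodies are simplified assumptions, the corenet_* interface names are assumed to behave as their names suggest, and only postgresql_tcp_connect, postgresql_t and httpd_can_network_connect_db are taken from the thread itself.

```m4
## Added illustration, not refpolicy's actual text. Interface bodies are
## simplified assumptions; the real interfaces carry more rules.

########################################
## Labeled-networking-aware interface (postgresql.if style).
## Because the body requires the postgresql_t type, every caller pulls
## in the whole postgresql module, even a caller that only needs the
## port rules for the unlabeled case.
interface(`postgresql_tcp_connect',`
	gen_require(`
		type postgresql_t;
	')

	# Unlabeled TCP path: port-based connect/sendrecv rules only.
	corenet_tcp_sendrecv_postgresql_port($1)
	corenet_tcp_connect_postgresql_port($1)

	# Labeled path: peer/association rules between the caller and
	# postgresql_t. The interface name is an assumption standing in
	# for the corenetwork interfaces that replaced the patch's
	# labeled_tcp_pattern.
	corenet_tcp_recvfrom_labeled($1, postgresql_t)
')

########################################
## Caller side (apache.te style).
## Variant A: the tunable is wrapped in optional_policy() so that a
## policy built without the postgresql module still compiles, but then
## httpd_can_network_connect_db is silently inert for postgresql.
optional_policy(`
	tunable_policy(`httpd_can_network_connect_db',`
		postgresql_tcp_connect(httpd_t)
	')
')

## Variant B: the unlabeled case written against corenet interfaces
## only. No dependency on the postgresql module, so the tunable works
## on any build, but the labeled-peer rules are not granted.
tunable_policy(`httpd_can_network_connect_db',`
	corenet_tcp_sendrecv_postgresql_port(httpd_t)
	corenet_tcp_connect_postgresql_port(httpd_t)
')
```

The trade-off is exactly the one raised in the reply: Variant A is correct for both labeled and unlabeled networking but ties the tunable to the presence of an unrelated module, while Variant B has no such dependency but cannot express the peer rules, because those need the postgresql_t type that only the postgresql module declares.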