Re: [PATCH] IPsec SPD default security context


Christopher J. PeBenito wrote:
> On Wed, 2007-11-21 at 13:26 +0900, KaiGai Kohei wrote:
>> The attached patch provides the following features:
>>  - Two new policy patterns "labeled_(tcp|udp)_pattern" are added
>>  - The postgresql_tcp_connect interface is revised to allow a domain
>>    to communicate with postgresql_t.
>>  - postgresql_t can communicate with others via the default SPD.
>>  - An obvious permission of "$1 self association:{sendto}" is allowed
>>    to any domain using ipsec_spd_t.
>>  - Any user-domain using core-networks can communicate with others via
>>    the default SPD.
>>  - Any user-domain can communicate with postgresql_t via labeled networks.
> 
> Merged [1], but I made some changes.  I created corenetwork interfaces
> to use instead of the patterns, so the current MLS-only netlabel case
> can be handled too.  I also updated the domain module to use the
> interfaces.
> 
> The thing that makes me a little nervous, which I didn't realize at
> first, is if you use non-labeled networking, the peer policy will still
> be needed, since the corenet connect/sendrecv calls are abstracted into
> the interface.  Consider the non-labeled case for apache.  The
> httpd_can_network_connect_db tunable won't work for postgresql, if the
> postgresql module isn't in the apache server's policy.  What's worse is,
> to make it work, you need to bring in the entire postgresql policy, even
> though you only need one type, and only need the recvfrom rules.
> 
> [1] http://oss.tresys.com/projects/refpolicy/changeset/2531

I've been considering how to resolve the matter for a while, but I could
not come up with a good idea. I think the most appropriate way is to
separate the corenet part from the labeled networking part again, and to
put the corenet sendrecv pattern and an interface optionally to
communicate via labeled networking.

I also considered a method to utilize the second argument of the
"optional_policy" macro, but it seemed to me a bit uglier.

What do you think of the idea of reverting apache.te and creating a new
interface to communicate via labeled networking only?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
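The split that KaiGai proposes above, sketched in refpolicy interface syntax. This is an added illustration written for this archive page, not code from the patch, from changeset 2531 or from refpolicy itself. The two interface names `example_postgresql_tcp_connect_unlabeled` and `example_postgresql_tcp_connect_labeled` are hypothetical; `corenet_tcp_*_postgresql_port`, `corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node`, the `httpd_can_network_connect_db` tunable and the `postgresql_t`/`httpd_t` types are the real refpolicy names mentioned in the thread or generated from its corenetwork port declarations. The point of the layout is that the unlabeled interface never does a `gen_require` on `postgresql_t`, so the tunable still works when the postgresql module is absent, while the peer rules that only matter on labeled (IPsec) networks sit in an `optional_policy` block that is silently dropped in that case.

```m4
########################################
## In postgresql.if (hypothetical names, added example):
##
## <summary>
##	Connect to PostgreSQL over ordinary, unlabeled TCP.
##	Only corenetwork port rules are used, so a caller does not
##	pull the whole postgresql module into its policy.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`example_postgresql_tcp_connect_unlabeled',`
	corenet_tcp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_postgresql_port($1)
	corenet_tcp_connect_postgresql_port($1)
')

########################################
## <summary>
##	Exchange packets with postgresql_t over a labeled (IPsec) network.
##	This is the only part that needs the postgresql_t type, i.e. the
##	only part that depends on the postgresql module being present.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`example_postgresql_tcp_connect_labeled',`
	gen_require(`
		type postgresql_t;
	')

	# On a labeled network the peer label is the remote socket's
	# type, so both sides need recvfrom on each other's socket.
	allow $1 postgresql_t:tcp_socket recvfrom;
	allow postgresql_t $1:tcp_socket recvfrom;
')

########################################
## In apache.te (added example of the call sites):
#
# Unlabeled case: works even if the postgresql module is not loaded,
# because nothing in the interface requires postgresql_t.
tunable_policy(`httpd_can_network_connect_db',`
	example_postgresql_tcp_connect_unlabeled(httpd_t)
')

# Labeled case: the whole block is dropped at link time when the
# postgresql module (and with it postgresql_t) is absent.
optional_policy(`
	tunable_policy(`httpd_can_network_connect_db',`
		example_postgresql_tcp_connect_labeled(httpd_t)
	')
')
```

With this arrangement the trade-off Chris describes disappears for the unlabeled case: apache's policy depends on the postgresql module only when it is actually present, and then only for the two recvfrom rules, rather than requiring the entire module just to get at one type.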

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
