These controls look good to us...

-Chad

> On Wednesday 09 January 2008 9:04:43 am James Morris wrote:
> > It'd be interesting to see what some fully worked network policy
> > would look like ...
>
> Everything below is based on the patches found here (the very observant
> will notice slight differences in permission ordering from previous
> mailing list patch postings):
>
>  * http://git.infradead.org/?p=users/pcmoore/lblnet-2.6_testing
>
> The following is an example of what permissions are needed for the
> various send/receive/forward network tasks using the "new and improved"
> network controls. In addition, while policy is not ordered, I've
> ordered the allow rules in the order in which the kernel performs the
> access checks. I've also left out the labeled IPsec SA polmatch checks
> since those are unchanged and add some noise to the rules below.
>
> If anyone has any comments/problems/objections please speak up quickly
> so we can get everything straightened out as soon as possible.
>
> - basic subj/obj definitions
>
>   socket_t  = socket's label
>   peer_t    = peer label as determined by NetLabel and/or labeled IPsec
>   secmark_t = secmark/iptables label
>   netif_t   = network interface label
>   node_t    = network address label
>
> - inbound locally consumed traffic permissions
>
>   # is TOP_SECRET traffic allowed on this network?
>   allow peer_t netif_t:netif ingress;
>   allow peer_t node_t:node recvfrom;
>   # is apache allowed to receive traffic from firefox?
>   allow socket_t peer_t:peer recv;
>   # is apache allowed to receive web traffic?
>   allow socket_t secmark_t:packet recv;
>
> - outbound locally generated traffic permissions
>
>   # is apache allowed to send web traffic?
>   allow socket_t secmark_t:packet send;
>   # is TOP_SECRET traffic allowed on this network?
>   allow socket_t netif_t:netif egress;
>   allow socket_t node_t:node sendto;
>
> - inbound forwarded traffic permissions
>
>   # is TOP_SECRET traffic allowed on this network?
>   allow peer_t netif_t:netif ingress;
>   allow peer_t node_t:node recvfrom;
>   # is apache allowed to forward web traffic through this system?
>   allow peer_t secmark_t:packet forward_in;
>
> - outbound forwarded traffic permissions
>
>   # is apache allowed to forward web traffic through this system?
>   allow peer_t secmark_t:packet forward_out;
>   # is TOP_SECRET traffic allowed on this network?
>   allow peer_t netif_t:netif egress;
>   allow peer_t node_t:node sendto;
>
> --
> paul moore
> linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
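The four check sequences quoted above (inbound consumed, outbound generated, forward in, forward out) differ in two ways that are easy to miss when reading the rules as a flat list: the order in which the kernel evaluates them, and which label is the subject (the socket for local traffic, the peer for forwarded traffic). The following is an added example, not code from the post or from the lblnet patch series, that models those sequences as a small policy evaluator and reports the first rule that would deny a packet. All type names (httpd_t, firefox_peer_t, http_packet_t, lan_netif_t, lan_node_t) and the rule sets are constructed here for illustration and are not from the original message.

```python
"""Model of the SELinux network access-check sequences described in the
post above. Added example: not kernel code, not from the lblnet tree.
Every label and rule below is constructed for illustration."""
from typing import List, Optional, Tuple
from dataclasses import dataclass

# One access check / one policy rule: (subject, object, class, permission),
# mirroring `allow subject object:class permission;`
Check = Tuple[str, str, str, str]


@dataclass(frozen=True)
class Packet:
    """Labels the kernel attaches to a packet (constructed sample values)."""
    peer: str     # peer_t: from NetLabel (CIPSO) and/or labeled IPsec
    secmark: str  # secmark_t: set by an iptables SECMARK rule
    netif: str    # netif_t: label of the interface the packet crosses
    node: str     # node_t: label of the remote address


class Policy:
    """A set of allow rules; order is irrelevant, as in real policy."""
    def __init__(self, rules: List[Check]) -> None:
        self.rules = frozenset(rules)

    def allows(self, check: Check) -> bool:
        return check in self.rules

    def without(self, rule: Check) -> "Policy":
        """Copy of this policy with one rule removed (for what-if checks)."""
        return Policy([r for r in self.rules if r != rule])


def inbound_checks(socket: str, pkt: Packet) -> List[Check]:
    """Locally consumed inbound traffic, in the order the post lists."""
    return [
        (pkt.peer, pkt.netif, "netif", "ingress"),
        (pkt.peer, pkt.node, "node", "recvfrom"),
        (socket, pkt.peer, "peer", "recv"),
        (socket, pkt.secmark, "packet", "recv"),
    ]


def outbound_checks(socket: str, pkt: Packet) -> List[Check]:
    """Locally generated outbound traffic: packet check first, then netif/node."""
    return [
        (socket, pkt.secmark, "packet", "send"),
        (socket, pkt.netif, "netif", "egress"),
        (socket, pkt.node, "node", "sendto"),
    ]


def forward_in_checks(pkt: Packet) -> List[Check]:
    """Forwarded traffic entering the box: the peer label is the subject,
    no socket is involved."""
    return [
        (pkt.peer, pkt.netif, "netif", "ingress"),
        (pkt.peer, pkt.node, "node", "recvfrom"),
        (pkt.peer, pkt.secmark, "packet", "forward_in"),
    ]


def forward_out_checks(pkt: Packet) -> List[Check]:
    """Forwarded traffic leaving the box, again with peer_t as subject."""
    return [
        (pkt.peer, pkt.secmark, "packet", "forward_out"),
        (pkt.peer, pkt.netif, "netif", "egress"),
        (pkt.peer, pkt.node, "node", "sendto"),
    ]


def evaluate(policy: Policy, checks: List[Check]) -> Optional[Check]:
    """Run the checks in order; return the first denied one, or None if
    the packet passes every check (what the AVC would log as the denial)."""
    for check in checks:
        if not policy.allows(check):
            return check
    return None


# Constructed sample: a web request from a labeled peer on the LAN.
WEB = Packet(peer="firefox_peer_t", secmark="http_packet_t",
             netif="lan_netif_t", node="lan_node_t")

# Everything httpd_t needs to receive and answer that traffic locally.
HTTPD_POLICY = Policy([
    ("firefox_peer_t", "lan_netif_t", "netif", "ingress"),
    ("firefox_peer_t", "lan_node_t", "node", "recvfrom"),
    ("httpd_t", "firefox_peer_t", "peer", "recv"),
    ("httpd_t", "http_packet_t", "packet", "recv"),
    ("httpd_t", "http_packet_t", "packet", "send"),
    ("httpd_t", "lan_netif_t", "netif", "egress"),
    ("httpd_t", "lan_node_t", "node", "sendto"),
])

# A router that only forwards the same traffic: no socket rules at all.
ROUTER_POLICY = Policy([
    ("firefox_peer_t", "lan_netif_t", "netif", "ingress"),
    ("firefox_peer_t", "lan_node_t", "node", "recvfrom"),
    ("firefox_peer_t", "http_packet_t", "packet", "forward_in"),
    ("firefox_peer_t", "http_packet_t", "packet", "forward_out"),
    ("firefox_peer_t", "lan_netif_t", "netif", "egress"),
    ("firefox_peer_t", "lan_node_t", "node", "sendto"),
])

if __name__ == "__main__":
    print("httpd inbound  :", evaluate(HTTPD_POLICY, inbound_checks("httpd_t", WEB)))
    print("httpd forward  :", evaluate(HTTPD_POLICY, forward_in_checks(WEB)))
    print("router forward :", evaluate(ROUTER_POLICY, forward_in_checks(WEB)))
```

Running it shows that HTTPD_POLICY passes all inbound and outbound checks for the local web server but denies the same packet at `packet forward_in` if the box tries to forward it, because the forwarding checks never consult the socket label; conversely ROUTER_POLICY forwards the packet but would deny it at `peer recv` for any local socket. Removing one rule from either policy moves the reported denial to exactly that check, which is the order you would see in a real AVC denial sequence when building policy incrementally.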