I'm in the early stages of experimenting with CORBA (Orbix) and SELinux. I've started with an example provided with Orbix where a simple client communicates with a simple server using the Orbix naming service to locate the server. I've created 3 domains: orbix_t for the ORB processes (naming & locator services, node daemon, etc.), sample_client_orbix_client_server_t for the client, and sample_server_orbix_client_server_t for the server. For this simple example, I'm running all the processes (client, server, and ORB) on a single host.

To get this to work, I need to provide the following allow rules for the orbix_t domain (only the network-specific rules are shown):

  allow orbix_t self:tcp_socket { setopt read bind create accept write getattr connect getopt listen shutdown };
  allow orbix_t port_t:tcp_socket name_connect;
    (or) corenet_tcp_connect_generic_port(orbix_t)
  allow orbix_t unlabeled_t:packet { send recv };
    (or) corenet_non_ipsec_sendrecv(orbix_t)
  allow orbix_t node_type:tcp_socket node_bind;
    (or) corenet_tcp_bind_all_nodes(orbix_t)

The necessary rules for the client and the server are nearly identical to these. The problem results from the fact that there are no rules associating any of the 3 domains with each other. This means that if I have multiple clients and servers, I can't set up rules to specify which clients can communicate with which servers. I'm stuck with every client being able to communicate with every server.
(Actually, I could limit communication by running the clients and servers on specified labeled ports, but this eliminates any practical method of enforcing MLS constraints.)

If the client and server were running on separate hosts, with an IPSec tunnel set up between them, the functionality that I'm looking for is provided with the IPSec security association object class:

  allow sample_client_orbix_client_server_t sample_server_orbix_client_server_t:association recvfrom;

Is there some way to get similar functionality when the processes are running on the same host? (Can an IPSec tunnel be created through the loopback interface? Or is there a better way to do this?)

Thanks

--
This message was distributed to subscribers of the selinux mailing list.
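As an added illustration that is not part of the original post, the labeled-port alternative the poster mentions can be written as a loadable SELinux module in raw policy syntax: the sample server gets its own port type, so only the sample client domain may connect to it. The port type name sample_server_port_t and the port number placeholder are assumptions; this is type enforcement only and does not address the MLS limitation the post raises.

```selinux
# Added example, not from the original post: restrict which client domain
# may reach the sample server by labeling the server's TCP port.
# Assumes the client and server domains from the post are already loaded.
module orbix_sample_ports 1.0;

require {
    type sample_client_orbix_client_server_t;
    type sample_server_orbix_client_server_t;
    attribute port_type;
    class tcp_socket { name_bind name_connect };
}

# Dedicated port type for the sample server (name is an assumption).
# Membership in port_type makes it a valid target for name_bind/name_connect.
type sample_server_port_t;
typeattribute sample_server_port_t port_type;

# Only the sample server may bind the labeled port ...
allow sample_server_orbix_client_server_t sample_server_port_t:tcp_socket name_bind;

# ... and only the sample client may connect to it. Another client domain that
# holds just the generic port_t name_connect rule (or
# corenet_tcp_connect_generic_port) is denied, because the labeled port is no
# longer port_t. The client still reaches the orbix_t naming service through
# the generic rules shown in the post.
allow sample_client_orbix_client_server_t sample_server_port_t:tcp_socket name_connect;

# Build, load, then label the server's port (number is a placeholder):
#   checkmodule -M -m -o orbix_sample_ports.mod orbix_sample_ports.te
#   semodule_package -o orbix_sample_ports.pp -m orbix_sample_ports.mod
#   semodule -i orbix_sample_ports.pp
#   semanage port -a -t sample_server_port_t -p tcp <SERVER_PORT>
```

After loading, a denied connect attempt from any other domain shows up in the audit log as an AVC denial with tclass=tcp_socket and tcontext carrying sample_server_port_t, which is what to look for when verifying the separation.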