Re: [PATCH] Labeled IPsec for PostgreSQL/MySQL/SSHd (Re: [PATCH] IPsec SPD default security context)

On Tue, 2008-02-19 at 16:09 +0900, Kohei KaiGai wrote:
> >>> Merged [1], but I made some changes.  I created corenetwork interfaces
> >>> to use instead of the patterns, so the current MLS-only netlabel case
> >>> can be handled too.  I also updated the domain module to use the
> >>> interfaces.
> >>>
> >>> The thing that makes me a little nervous, which I didn't realize at
> >>> first, is if you use non-labeled networking, the peer policy will still
> >>> be needed, since the corenet connect/sendrecv calls are abstracted into
> >>> the interface.  Consider the non-labeled case for apache.  The
> >>> httpd_can_network_connect_db tunable won't work for postgresql, if the
> >>> postgresql module isn't in the apache server's policy.  What's worse is,
> >>> to make it work, you need to bring in the entire postgresql policy, even
> >>> though you only need one type, and only need the recvfrom rules.
> >>>
> >>> [1] http://oss.tresys.com/projects/refpolicy/changeset/2531
> 
> Chris, what is the current status of my patch submitted previously?
> 
> You pointed out that undeprecating postgresql_tcp_connect() to allow
> permissions for labeled and traditional networks can make unneeded
> dependency.
> 
> The attached patch reverts postgresql_tcp_connect() and related part,
> and puts corenet_tcp_recvfrom_labeled() and ipsec_match_default_spd()
> within optional_policy block, if necessary.
> It enables any userdomain to communicate with PostgreSQL/MySQL/SSHd via
> labeled networking, at first.
> However, I believe we can apply this method for other domains also.

The use of types outside their modules is not acceptable, for example:

+               corenet_tcp_recvfrom_labeled(httpd_t,postgresql_t)
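Review bot: this line names postgresql_t from inside the apache module, which is exactly the cross-module type use the reply objects to; refpolicy keeps a type private to the module that declares it, so the corenet_tcp_recvfrom_labeled() call belongs in an interface exported by the postgresql module (the same approach as the corenetwork interfaces mentioned earlier in the thread), and apache.te should call that interface from an optional_policy block so it takes no hard dependency on the postgresql policy.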

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
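The pattern Chris is asking for, written out as an added illustration (this is not code from the thread or from the submitted patch): the postgresql module exports an interface that hides its type, and the apache module calls it inside optional_policy so the rule only exists when the postgresql policy is loaded. The interface name postgresql_tcp_recvfrom_labeled is assumed for the example; corenet_tcp_recvfrom_labeled(), ipsec_match_default_spd(), httpd_t and postgresql_t are taken from the thread.

```m4
# --- postgresql.if (added example; interface name is hypothetical) ---
## <summary>
##	Receive labeled TCP packets from PostgreSQL over labeled IPsec.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postgresql_tcp_recvfrom_labeled',`
	# The only place postgresql_t is named is inside its own module,
	# so callers never take a direct dependency on the type.
	gen_require(`
		type postgresql_t;
	')

	# Peer-labeled receive in both directions between the caller
	# and the database server, via the corenetwork interface.
	corenet_tcp_recvfrom_labeled($1, postgresql_t)
')

# --- apache.te (added example) ---
# Let httpd match the default SPD entry for labeled IPsec; the block is
# optional so apache still builds when the ipsec module is absent.
optional_policy(`
	ipsec_match_default_spd(httpd_t)
')

# Labeled-network access to PostgreSQL without pulling in the whole
# postgresql policy: the rule is only generated when that module is loaded,
# and postgresql_t is never named here.
optional_policy(`
	postgresql_tcp_recvfrom_labeled(httpd_t)
')
```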


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
