On Wed, 2008-02-20 at 14:11 +0900, Kohei KaiGai wrote:
> Paul Moore wrote:
> > On Tuesday 19 February 2008 7:59:22 pm Kohei KaiGai wrote:
> >> Is it acceptable if we provide an interface to allow a domain
> >> to communicate with postgresql_t via labeled networking, separated from
> >> the existing permissions for local ports and nodes?
> >>
> >> For example:
> >> -- at postgresql.if
> >> interface(`postgresql_labeled_connect',`
> >>     gen_require(`
> >>         type postgresql_t;
> >>     ')
> >>     corenet_tcp_recvfrom_labeled($1,postgresql_t)
> >> ')
> >>
> >> and
> >> -- at apache.te
> >> postgresql_labeled_connect(httpd_t)
> >>
> >> I think this approach makes it possible to keep independence between modules
> >> in unlabeled networking cases too.
> >
> > For what it is worth, it looks like a good idea to me.
>
> At first, I implemented this idea for three services (PostgreSQL/MySQL/SSHd).
>
> This patch adds the following interfaces:
> - postgresql_labeled_communicate(domain)
> - mysql_labeled_communicate(domain)
> - ssh_labeled_communicate(domain)
>
> Chris, is it suitable for the refpolicy framework?

The only issue I have with it would just be the interface naming; probably
something like mysql_tcp_recvfrom() would be better.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
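As an added illustration (not code from the thread or from the patch under discussion), here is the quoted interface written with the naming convention Chris suggests, together with the cross-module call in apache.te wrapped in refpolicy's optional_policy() so the apache module still builds when the postgresql module is absent. corenet_tcp_recvfrom_labeled(), gen_require() and optional_policy() are existing refpolicy macros; the interface name postgresql_tcp_recvfrom and the documentation text are assumptions made for this example.

```m4
########################################
## <summary>
##	Receive labeled TCP traffic from the PostgreSQL server domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to exchange labeled traffic with postgresql_t.
##	</summary>
## </param>
#
## Added example: name follows the mysql_tcp_recvfrom() pattern suggested
## in the reply above (assumption), body follows the interface quoted in
## the thread.
interface(`postgresql_tcp_recvfrom',`
	gen_require(`
		type postgresql_t;
	')

	# Existing refpolicy interface used by the quoted proposal: grants only
	# the peer-label (labeled networking) permissions between $1 and
	# postgresql_t. It grants no port or node access, so the unlabeled
	# path keeps its own, separate rules, which is the module independence
	# the thread is after.
	corenet_tcp_recvfrom_labeled($1, postgresql_t)
')

########################################
## -- at apache.te (added example): the cross-module call is guarded so
## apache.te does not fail to build when postgresql is not in the policy.
optional_policy(`
	postgresql_tcp_recvfrom(httpd_t)
')
```

After loading such a module, the only new rules should be on the peer class between httpd_t and postgresql_t; if an allow rule on tcp_socket name_connect or a port type shows up, the interface is doing more than labeled-networking access and the separation the thread is aiming for has been lost.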