Re: [PATCH 1/5] REFPOL: Add new labeled networking permissions

On Wednesday 19 March 2008 9:19:53 am Christopher J. PeBenito wrote:
> On Tue, 2008-02-26 at 13:40 -0500, paul.moore@xxxxxx wrote:
> > The 2.6.25 kernel will introduce a new set of labeled networking
> > controls to SELinux and this patch makes the necessary changes to
> > the Reference Policy to support unlabeled network traffic with the
> > new controls.
> >
> > A description of the new/improved labeled networking controls was
> > posted to the SELinux list back in early January 2008.
> >
> >  * http://marc.info/?l=selinux&m=119991234501200&w=2
> >
> > Signed-off-by: Paul Moore <paul.moore@xxxxxx>
> > ---
> >  policy/modules/kernel/corenetwork.if.in |   69 +++++++++++++++++++++++---------
>
> Is there a reason why you skipped adding ingress/egress to the "all"
> interfaces (e.g. corenet_udp_receive_all_if)?

Nope, or at least not one that I can remember right now.  I just went 
through and added ingress/egress to the netif permissions as well as 
sendto/recvfrom to the node permissions.  Thanks.

> > --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> > @@ -2380,6 +2392,27 @@ interface(`corenet_sendrecv_unlabeled_pa
> >
> >  ########################################
> >  ## <summary>
> > +##	Receive packets from an unlabeled peer.
> > +## </summary>
> > +## <desc>
> > +##	<p>
> > +##	Receive packets from an unlabeled peer,
> > +##      these packets do not have any peer labeling
> > +##      information present.
> > +##	</p>
> > +## </desc>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`corenet_recvfrom_unlabeled_peer',`
> > +	kernel_recvfrom_unlabeled_peer($1)
> > +')
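Review bot: indentation in the added <desc> block is inconsistent: the two lines `##      these packets do not have any peer labeling` and `##      information present.` are space-indented while the surrounding `<p>`, `</p>` and `<summary>` lines use a tab; switch them to tabs to match the rest of the interface documentation in this file. The description sentence is also a comma splice; suggest `Receive packets from an unlabeled peer; these packets do not carry any peer labeling information.`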
>
> Seems unnecessary since it seems like it should be called from
> corenet_(tcp|udp|raw)_recvfrom_unlabeled?

Okay, would you prefer to add kernel_recvfrom_unlabeled_peer() to 
corenet_{tcp,udp,raw}_recvfrom_unlabeled() or simply add the new allow 
rule to kernel_{tcp,udp,raw}_recvfrom_unlabeled()?

-- 
paul moore
linux security @ hp
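As an added illustration for this archived thread (not Paul's patch and not refpolicy's own code), here is what the second option in the closing question, folding the peer rule into the protocol-specific kernel interface instead of keeping a separate corenet_recvfrom_unlabeled_peer wrapper, could look like for TCP. The interface bodies are assumed; the `peer` class `recv` permission is the 2.6.25 control the patch targets, and `unlabeled_t` is assumed to be the type refpolicy uses for unlabeled traffic.

```m4
########################################
## <summary>
##	Receive TCP packets from an unlabeled connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kernel_tcp_recvfrom_unlabeled',`
	gen_require(`
		type unlabeled_t;
	')

	# Pre-2.6.25 control: the socket-level permission
	# (assumed to be what this interface already granted).
	allow $1 unlabeled_t:tcp_socket recvfrom;

	# 2.6.25 control: traffic carrying no peer label information
	# is checked against unlabeled_t on the new peer class, so a
	# caller of this interface gets it without a second interface.
	allow $1 unlabeled_t:peer recv;
')

########################################
## <summary>
##	Receive TCP packets from an unlabeled connection
##	(core network wrapper; no separate peer interface is needed).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_recvfrom_unlabeled',`
	kernel_tcp_recvfrom_unlabeled($1)
')
```

The udp and raw variants would follow the same pattern with `udp_socket` and `rawip_socket` in place of `tcp_socket`.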
