On Wed, 2008-06-25 at 14:59 +0900, KaiGai Kohei wrote:
> Hi,
>
> The attached patch allows user domains to communicate with daemon
> domains, and some other domains (Apache and CGI scripts) to communicate
> with RDBMSs (PostgreSQL and MySQL) using the xxxx_tcp_connect() interface.
>
> This approach makes it possible to cover most of the relationships needed.
> All we have to do is to describe the rest of the relationships, like
> those between CGI script and RDBMS, daemons and name server,
> anything and samba server, ....
>
> At least, we cannot make labeled networking available without adding
> policies to communicate between the proper domains.
> I think it is necessary to make a decision on how to describe the policies.
>
> differences between files attachment (refpolicy-labeled_communication.2.patch)
> Index: refpolicy/policy/modules/services/apache.if
> ===================================================================
> --- refpolicy/policy/modules/services/apache.if (revision 2733)
> +++ refpolicy/policy/modules/services/apache.if (working copy)
> @@ -189,10 +189,8 @@
> corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
> corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
> corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
> - corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
> - corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
> - corenet_sendrecv_postgresql_client_packets(httpd_
> $1_script_t)
> - corenet_sendrecv_mysqld_client_packets(httpd_
> $1_script_t)
> + postgresql_tcp_connect(httpd_$1_script_t)
> + mysql_tcp_connect(httpd_$1_script_t)
>
> sysnet_read_config(httpd_$1_script_t)
> ')

In this case, we want to break out the two databases into individual optionals, e.g.

optional_policy(`
	tunable_policy(`.... && ....',`
		mysql_tcp_connect()
	')
')

In fact we may want to just duplicate the whole tunable since the other perms don't make much sense if you can't connect to mysql or postgresql.

> Index: refpolicy/policy/modules/system/init.if
> ===================================================================
> --- refpolicy/policy/modules/system/init.if (revision 2733)
> +++ refpolicy/policy/modules/system/init.if (working copy)
> @@ -1273,3 +1273,37 @@
> files_search_pids($1)
> allow $1 initrc_var_run_t:file manage_file_perms;
> ')
[...]
> +interface(`daemon_labeled_tcp_recvfrom',`
> + gen_require(`
> + attribute daemon;
> + ')
> + corenet_tcp_recvfrom_labeled($1,daemon)
> +')
> +
[...]
> +interface(`daemon_labeled_udp_recvfrom',`
> + gen_require(`
> + attribute daemon;
> + ')
> + corenet_udp_recvfrom_labeled($1,daemon)
> +')
>

Both interfaces need naming fixes: init_tcp_recvfrom_all_daemons() and init_udp_recvfrom_all_daemons().

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
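Review bot: in the apache.if hunk, postgresql_tcp_connect(httpd_$1_script_t) and mysql_tcp_connect(httpd_$1_script_t) are called unconditionally in the same block, which makes the apache module depend on both the postgresql and mysql modules and means the surrounding tunable can no longer grant one database client without the other; wrap each call in its own optional_policy(` ... ') (duplicating the tunable per database if the remaining perms only make sense together with the connect), so the policy still builds when either module is absent and an administrator can grant the narrower access. The hunk also drops corenet_sendrecv_postgresql_client_packets() and corenet_sendrecv_mysqld_client_packets() with no visible replacement; confirm that the two new interfaces grant the equivalent packet permissions, otherwise CGI-to-database access under labeled networking silently regresses.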
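Review bot: in the init.if hunk, both new interfaces grant $1 receipt of labeled packets from the whole daemon attribute via corenet_tcp_recvfrom_labeled($1,daemon) and corenet_udp_recvfrom_labeled($1,daemon), so the names should carry the owning module's prefix and say that the grant covers every daemon domain (init_tcp_recvfrom_all_daemons() and init_udp_recvfrom_all_daemons()) rather than daemon_labeled_*_recvfrom, which reads like a per-service interface. Because the attribute spans all daemon domains at once, a caller that only needs one service (the CGI-to-RDBMS case in the other hunk) should use that service's own recvfrom interface and keep this attribute-wide one for generic user domains; a one-line summary comment on each interface stating that scope would make the intended use clear to policy authors.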