On Wed, Feb 23, 2011 at 04:59:17PM -0500, Paul Moore wrote:
> >
> > If we want to keep that behaviour, we should change the Kconfig help
> > of labeled IPsec at least, there one can find:
> >
> >   Non-IPSec communications are designated as unlabelled, and only sockets
> >   authorized to communicate unlabelled data can send without using IPSec.
> >
> > What is simply not the case, as far as I can see.
>
> Here is the full text of CONFIG_SECURITY_NETWORK_XFRM for those of you
> following along at home:
>
>   This enables the XFRM (IPSec) networking security hooks.
>   If enabled, a security module can use these hooks to
>   implement per-packet access controls based on labels
>   derived from IPSec policy. Non-IPSec communications are
>   designated as unlabelled, and only sockets authorized
>   to communicate unlabelled data can send without using
>   IPSec.
>   If you are unsure how to answer this question, answer N.
>
> What do you suggest? If you're going to complain about help text you have to
> offer some suggestions, that's the rule :)
>

Yeah, I know about the rules. Right now I've tried to change the code to fit
better to the help text. If this does not work out, I still can try to do it
the other way around :)

>
> If you haven't configured any of the SELinux network access controls, meaning
> _all_ data flowing into and out of the system via the network is considered
> to be unlabeled_t:SystemHigh, then yes, confidential and every other type of
> data can be sent out the network.
>
> Ask yourself this question: why would an admin, running SELinux, who cares
> about restricting what data can be sent over the network not configure any of
> SELinux's network access controls? It just doesn't make sense ...
>
> > Even though, we could have a selinux policy rule that enforces the usage of
> > a certain labeled SA. So for example if the key daemon does not start up
> > for some reason, we have no labeled SA and the traffic leaves the system
> > untransformed. That's what I wanted to avoid.
>
> This will not happen, or rather it should not happen if everything works the
> way it should.
>

Yes, if everything works the way it should we are fine and we would not even
need to use selinux, but in real life bugs happen. Usually I have to answer
questions like: Given there is a bug in subsystem xyz, show that we are still
on the safe side. And depending on the confidential level I have to show
several lines of defense.