Hey there Mike,

Incredible! This is very helpful, thank you very much! I think this is the missing building block I need.

Have a great day, and thank you to Josh!
paultag

On Thu, May 14, 2020 at 9:56 AM Mike Palmiotto <mike.palmiotto@xxxxxxxxxxxxxxx> wrote:
>
> On Thu, May 14, 2020 at 8:45 AM Paul Tagliamonte <paultag@xxxxxxxxxx> wrote:
> >
> > Hey SELinux fans,
> >
> > I've been playing with MLS on a test box. The "read down/write up"
> > model makes total sense, but I'm running up against an odd problem set
> > and trying to figure out how to best work this into an SELinux policy
> > / configuration.
> >
> > I'm interested in having a daemon that operates at multiple sensitivity
> > levels depending on the security context of the peer network
> > connection (within the same process, ideally, otherwise maybe
> > threads?).
> >
> > I'm able to use NetLabel and CIPSO to mark packets with the desired
> > sensitivity level, and I'm able to get that level via `getpeercon`
> > during a network connection, but that connection's context hasn't been
> > dominated by my process's. I'd like to either get that "combined"
> > context (for instance, if my daemon is s0-s3:c1.c3 and the peer
> > connection is s2-s15:c3, I'd like to see the value `s2.c3`), or to
> > actually assume that role (to prevent reading/writing where it's not
> > supposed to).
>
> Joshua Brindle recently contributed a change that may get you what you want:
> https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9
>
> Here is the corresponding kernel change:
> https://github.com/torvalds/linux/commit/42345b68c2e3e2b6549fc34b937ff44240dfc3b6
>
> The kernel change is in 5.5+ it seems, so you'll probably want to use
> libsepol in your application.
>
> Hope this helps.
> --
> Mike Palmiotto
> https://crunchydata.com

--
:wq
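As an added example (not code from the thread, from libsepol or from the kernel), here is a small Python model of the range combination Paul asks about. It parses MLS ranges such as the ones in the quoted example and combines two of them by taking the higher of the two low sensitivities, the lower of the two high sensitivities, and the intersection of the category sets at each end; that is how I understand the "glblub" rule the linked kernel change introduces, so the rule is stated here as my reading of it. The `range_of_context` helper assumes the usual `user:role:type:range` layout of the string `getpeercon` returns; the sample contexts are constructed for the example. Note that in the kernel this rule is applied to type transitions by policy, so an application that wants the combined range for a peer connection has to compute it itself, as Mike's reply suggests.

```python
"""Model of combining two SELinux MLS ranges with a glblub-style rule.

Added example, not from the thread, libsepol or the kernel. A level is
(sensitivity, set_of_categories); a range is (low_level, high_level).
"""
import re

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.*))?$")


def parse_categories(spec):
    """'c1.c3,c5' -> {1, 2, 3, 5}; empty or None -> empty set."""
    cats = set()
    if not spec:
        return cats
    for part in spec.split(","):
        if "." in part:                       # 'c1.c3' is an inclusive run
            lo, hi = (int(p[1:]) for p in part.split("."))
            if lo > hi:
                raise ValueError("bad category run: %s" % part)
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_level(text):
    """'s3:c1.c3' -> (3, {1, 2, 3}); 's2' -> (2, set())."""
    m = _LEVEL_RE.match(text)
    if not m:
        raise ValueError("bad MLS level: %r" % text)
    return int(m.group(1)), parse_categories(m.group(2))


def dominates(a, b):
    """Level a dominates level b: sensitivity >= and categories a superset."""
    return a[0] >= b[0] and a[1].issuperset(b[1])


def parse_range(text):
    """'s0-s3:c1.c3' -> ((0, set()), (3, {1, 2, 3})). A lone level is a range of one."""
    low_txt, _, high_txt = text.partition("-")
    low = parse_level(low_txt)
    high = parse_level(high_txt) if high_txt else low
    if not dominates(high, low):
        raise ValueError("high level does not dominate low level: %r" % text)
    return low, high


def range_of_context(context):
    """Assumed 'user:role:type:range' layout, e.g. from getpeercon(3)."""
    fields = context.split(":", 3)
    if len(fields) < 4:
        raise ValueError("context carries no MLS range: %r" % context)
    return fields[3]


def format_categories(cats):
    """{1, 2, 3, 5} -> 'c1.c3,c5'; runs of three or more are collapsed with '.'."""
    cats, out, i = sorted(cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            out.append("c%d.c%d" % (cats[i], cats[j]))
        else:
            out.extend("c%d" % c for c in cats[i:j + 1])
        i = j + 1
    return ",".join(out)


def format_level(level):
    sens, cats = level
    return "s%d" % sens + (":" + format_categories(cats) if cats else "")


def format_range(rng):
    low, high = rng
    if low == high:
        return format_level(low)
    return "%s-%s" % (format_level(low), format_level(high))


def glblub(r1, r2):
    """Higher of the lows, lower of the highs, intersected categories.

    Returns None when the two ranges share no sensitivity at all.
    """
    (lo1, hi1), (lo2, hi2) = r1, r2
    if hi1[0] < lo2[0] or hi2[0] < lo1[0]:
        return None
    low = (max(lo1[0], lo2[0]), lo1[1] & lo2[1])
    high = (min(hi1[0], hi2[0]), hi1[1] & hi2[1])
    return low, high


def combine(range_a, range_b):
    """String-level wrapper: combine two range strings, None if disjoint."""
    result = glblub(parse_range(range_a), parse_range(range_b))
    return None if result is None else format_range(result)


if __name__ == "__main__":
    # The quoted example: daemon s0-s3:c1.c3, peer s2-s15:c3 (constructed contexts).
    daemon = "system_u:system_r:example_daemon_t:s0-s3:c1.c3"
    peer = "system_u:object_r:netlabel_peer_t:s2-s15:c3"
    print(combine(range_of_context(daemon), range_of_context(peer)))
```

Running the module prints `s2-s3:c3` for the quoted example: the daemon's floor rises to the peer's s2, the ceiling drops to the daemon's s3, and only c3 survives the category intersection. Ranges whose sensitivities do not overlap at all (say `s0-s1` against `s2-s15:c3`) yield `None` rather than an invalid range, which is the case a daemon should refuse to serve.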