-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have been fooling around with SECMARK labeling. And one problem that
I have found is that we don't have a way to turn off the use of the
unlabeled_t packets. Every domain is allowed to send and recv
unlabeled_t packets.
The way you label a packet is by setting up iptables rules, if iptables
is shut down, we do not want SELinux to break the system by default.
But, in some cases where you want to set up security based on labeled
packets, you do want the packets to be blocked if the firewall goes down.
I was trying to setup an environment where you could label two types of
data intranet, internet. Then I could assign which domains could talk
to the intranet an which domains can talk to the internet. If the
iptables rules are removed, I do not want packets to flow to either side.
The mechanism I came up with to do this was to have a module
unlablednet.pp, that you can disable, in order to stop unlabeled_t
packets from being used from confined domains.
Here is the patch I used to make this work.
What do you think of the idea?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkztE1sACgkQrlYvE4MpobNT4gCfTyYe7mV/Ub2pxnAjdAU4cc0k
K+sAnjnUFRcUmm6eZTTeRceHnJb82wEn
=2qA4
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: unlabelednet.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20101124/49bbc6a5/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unlabelednet.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101124/49bbc6a5/attachment.bin
On 11/24/10 08:30, Daniel J Walsh wrote:
> I have been fooling around with SECMARK labeling. And one problem that
> I have found is that we don't have a way to turn off the use of the
> unlabeled_t packets. Every domain is allowed to send and recv
> unlabeled_t packets.
>
> The way you label a packet is by setting up iptables rules, if iptables
> is shut down, we do not want SELinux to break the system by default.
>
> But, in some cases where you want to set up security based on labeled
> packets, you do want the packets to be blocked if the firewall goes down.
>
> I was trying to setup an environment where you could label two types of
> data intranet, internet. Then I could assign which domains could talk
> to the intranet an which domains can talk to the internet. If the
> iptables rules are removed, I do not want packets to flow to either side.
>
> The mechanism I came up with to do this was to have a module
> unlablednet.pp, that you can disable, in order to stop unlabeled_t
> packets from being used from confined domains.
>
> Here is the patch I used to make this work.
>
> What do you think of the idea?
My knee-jerk reaction was to use conditionals instead, but some network
access is already conditional, so that would break w/o nested
conditionals support. I think this is an ugly solution; however, it may
be the only way to do it within the constraints of the current
toolchain. I do want to have a way to eliminate the unlabeled packet
access, so I'll think about this for a while.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com