From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 3 May 2013 13:38:27 -0400
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
In-Reply-To: <20130503172150.GA15138@siphos.be>
References: <20130501183657.GA25116@siphos.be> <20130501183845.GC25116@siphos.be> <1367509285.27309.34.camel@d30> <20130502192347.GA25444@siphos.be> <1367524372.27309.45.camel@d30> <5183BFEE.1030309@tresys.com> <20130503172150.GA15138@siphos.be>
Message-ID: <5183F613.9000300@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/03/13 13:21, Sven Vermeulen wrote:
> On Fri, May 03, 2013 at 09:47:26AM -0400, Christopher J. PeBenito wrote:
>> As you mentioned in a later email, compat_net has been removed. The SELinux network access controls are only SECMARK now.
>>
> [...]
>> Yes. I think what you're confused on is that SECMARK labels are local only. They are not transferred over the network like labeled IPSEC or NetLabel/CIPSO. The object class for those labels is peer. The only remaining permissions on port types are name_bind and name_connect.
>
> So for each port type that we declare, the corenet_{tcp,udp}_sendrecv_*_port
> is actually void now? Only corenet_{tcp,udp}_{bind,connect}_*_port is then
> used?

Yes. In fact, I've been looking at removing the port send/recv and any other old, unused networking rules.

> It starts making sense.
>
> Even if SECMARK is used, the bind/connect is still needed, right?

Yes. Those permissions are always checked.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
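An added illustration of the point made above, written for this page and not taken from the minidlna module under review or from refpolicy itself: a daemon module's network rules once only name_bind and name_connect are checked on port types, with the now-void sendrecv port calls left out. The domain name, the choice of the HTTP port type and the connect rule are assumptions made for the example.

```selinux
# Illustrative module (assumed names), not the patch from this thread.
policy_module(minidlna, 1.0.0)

type minidlna_t;
type minidlna_exec_t;
init_daemon_domain(minidlna_t, minidlna_exec_t)

# Socket creation is a self permission, unrelated to port labels.
allow minidlna_t self:tcp_socket create_stream_socket_perms;
allow minidlna_t self:udp_socket create_socket_perms;

# Labeled peers (labeled IPsec / NetLabel) are checked on the peer class,
# not on port types; unlabeled traffic needs this to be received at all.
corenet_all_recvfrom_unlabeled(minidlna_t)
corenet_all_recvfrom_netlabel(minidlna_t)

# Binding: node_bind on the node type plus name_bind on the port type.
corenet_tcp_bind_generic_node(minidlna_t)
corenet_udp_bind_generic_node(minidlna_t)
corenet_tcp_bind_http_port(minidlna_t)          # assumed listening port type
corenet_udp_bind_all_unreserved_ports(minidlna_t)

# Connecting: name_connect on the port type (assumed for the example).
corenet_tcp_connect_http_port(minidlna_t)

# Not needed any more: with compat_net gone there is no send/recv
# permission on port types, so this call grants nothing.
# corenet_tcp_sendrecv_http_port(minidlna_t)
```

The bind and connect rules remain required even when SECMARK is in use, since those checks are independent of packet labelling.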