[redhat-lspp] mls level to without classification
George C. Wilson
ltcgcw at us.ibm.com
Wed Aug 23 14:15:01 UTC 2006
On Wed, Aug 23, 2006 at 09:11:03AM -0400, Stephen Smalley wrote:
> On Tue, 2006-08-22 at 19:20 -0400, James Morris wrote:
> > On Tue, 22 Aug 2006, Joe Nall wrote:
> >
> > >
> > > On Aug 22, 2006, at 11:43 AM, George C. Wilson wrote:
> > >
> > > > Is it acceptable to make use of the old controls for the certified
> > > > configuration? Or must we migrate to secmark? We want to avoid
> > > > having to document and test secmark so that we don't increase the
> > > > scope of the TOE.
> > >
> > > Two questions:
> > > 1) Without secmark, is it possible to label an IP address?
> >
> > Yes. You can label 'nodes' (addr/mask), ports and interfaces.
> >
> > > 2) If secmark is present and enabled in RH5, how do you
> > > remove it from the TOE? By administrative fiat or real
> > > code change?
> >
> > You can disable secmark controls at boot or runtime:
> >
> > /usr/src/linux/Documentation/kernel-parameters.txt
> >
> > selinux_compat_net =
> > [SELINUX] Set initial selinux_compat_net flag value.
> > Format: { "0" | "1" }
> > 0 -- use new secmark-based packet controls
> > 1 -- use legacy packet controls
> > Default value is 0 (preferred).
> > Value can be changed at runtime via
> > /selinux/compat_net.
>
> Unfortunately, that isn't useful at present because libselinux
> automatically sets /selinux/compat_net at policy load time based on
> whether the policy contains a packet class definition. That was an
> attempt to automatically detect the right setting and apply it based on
> the policy being loaded.
>
> So if they want to use compat_net for the certification, we need to do
> one of the following:
> 1) Fork MLS policy from the refpolicy base, stripping the packet class
> from it and all associated rules, so that libselinux will automatically
> disable secmark at policy load time. I don't think we want to do this.
> 2) Revert the change to libselinux that automatically sets compat_net,
> and instead set it manually, whether via a kernel boot parameter setting
> (e.g. from grub.conf) or via /selinux/compat_net (e.g. from rc.sysinit
> or even later, as long as it happens before networking is enabled). I
> can do that, just let me know.
>
It sounds like compat_net will be a pain. And it certainly isn't the
preferred solution. Are there detailed design docs for secmark and iptables
as currently implemented? They would help quite a bit.
--
George Wilson <ltcgcw at us.ibm.com>
IBM Linux Technology Center
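As an added example, not code from this thread or from the SELinux project, here is a sketch of Stephen Smalley's option 2 in POSIX shell: read a `selinux_compat_net=` value off the kernel command line (the grub.conf path) and write the flag through selinuxfs early in boot (the rc.sysinit path), verifying the read-back so that a libselinux rewrite at policy load does not go unnoticed. The function names, the `SELINUXFS` variable and the fallback to legacy controls when the parameter is absent are this example's own choices; only the parameter name and the `/selinux/compat_net` path come from the quoted kernel-parameters.txt text.

```shell
#!/bin/sh
# Added example (not from the thread): apply the legacy (compat_net)
# packet controls by hand, as option 2 in the quoted reply describes.
# Must run before networking is brought up for the setting to matter.
# SELINUXFS defaults to /selinux, the mount point the page refers to.

SELINUXFS=${SELINUXFS:-/selinux}

# Extract the selinux_compat_net= value from a kernel command line string
# (normally the contents of /proc/cmdline). Prints "0" or "1" and returns
# 0; prints nothing and returns 1 if the parameter is absent or carries a
# value outside the documented { "0" | "1" } set.
cmdline_compat_net() {
    cmdline=$1
    for word in $cmdline; do
        case $word in
            selinux_compat_net=0|selinux_compat_net=1)
                printf '%s\n' "${word#selinux_compat_net=}"
                return 0 ;;
            selinux_compat_net=*)
                return 1 ;;
        esac
    done
    return 1
}

# Write the flag via selinuxfs and read it back. The read-back is the
# point: libselinux may reset compat_net at policy load time, so a bare
# write proves nothing about the value that is actually in effect.
# Returns 0 on success, 1 if the file is missing or the value did not
# stick, 2 on a bad requested value.
set_compat_net() {
    fs=$1 want=$2
    case $want in 0|1) ;; *) echo "bad compat_net value: $want" >&2; return 2 ;; esac
    [ -w "$fs/compat_net" ] || { echo "no writable $fs/compat_net" >&2; return 1; }
    printf '%s' "$want" > "$fs/compat_net" || return 1
    got=$(cat "$fs/compat_net")
    [ "$got" = "$want" ] || { echo "compat_net reads $got, wanted $want" >&2; return 1; }
    return 0
}

# Honour the boot parameter if present. When it is absent this example
# falls back to 1 (legacy controls), which is what the certified
# configuration wants; the kernel's own default is 0 (secmark).
apply_from_boot() {
    want=$(cmdline_compat_net "$(cat /proc/cmdline 2>/dev/null)") || want=1
    set_compat_net "$SELINUXFS" "$want"
}

# Only act on a box that actually has selinuxfs mounted and writable.
if [ -w "$SELINUXFS/compat_net" ]; then
    apply_from_boot
fi
```

Run it from rc.sysinit (or any point after selinuxfs is mounted and policy is loaded, but before the network init script), and treat a non-zero exit as a boot failure for the certified configuration rather than logging and continuing, since the packet controls would otherwise silently be the secmark ones.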