[redhat-lspp] Re: [RFC] [MLSXFRM 04/04] FOR REFERENCE ONLY: Add support to serefpolicy
Venkat Yekkirala
vyekkirala at trustedcs.com
Tue Jun 13 22:41:25 UTC 2006
Forgot to include the actual patch. Here it is:
--- serefpolicy-2.2.34/policy/mls 2006-04-20 07:18:44.000000000 -0500
+++ serefpolicy-2.2.34.ipsec/policy/mls 2006-05-11 10:04:29.000000000 -0500
@@ -671,4 +671,18 @@
# these access vectors have no MLS restrictions
# association *
+mlsconstrain association { recvfrom }
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ) or
+ ( t2 == unlabeled_t ));
+
+mlsconstrain association { sendto }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t2 == unlabeled_t ));
+
+mlsconstrain association { polmatch }
+ (( l1 dom l2 ) and ( h1 domby h2 ));
+
+
') dnl end enable_mls
--- serefpolicy-2.2.34/policy/flask/access_vectors 2006-04-20 07:18:44.000000000 -0500
+++ serefpolicy-2.2.34.ipsec/policy/flask/access_vectors 2006-04-27 10:34:44.000000000 -0500
@@ -602,6 +602,7 @@
sendto
recvfrom
setcontext
+ polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
Venkat Yekkirala wrote:
> This patch will be submitted to the serefpolicy list later. It has been
> included here just for reference.
>
> This patch adds a polmatch avperm to arbitrate access between a flow/state
> to a xfrm policy. It also defines MLS policy for association { sendto,
> recvfrom, polmatch }.
>
> NOTE: When an inbound packet is not using an IPSec SA, a check is performed
> between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
> MLS purposes however, the target of the check should be the MLS label taken
> from the node sid (or secmark in the new secmark world). This would present
> a severe performance overhead (to make a new sid based on the unlabeled sid
> with the MLS taken from the node sid or secmark and then using this sid as
> the target). While discussions are ongoing on fine tuning the networking
> design in the context of secmark, IPSec, netlabel, etc., I have chosen to
> currently make an exception for unlabeled_t SAs if TE policy allowed it. A
> similar problem exists for the outbound case and it has been similarly
> handled in the policy below (by making an exception for unlabeled_t).
>
>
>
More information about the redhat-lspp
mailing list