[redhat-lspp] Re: [RFC] [MLSXFRM 02/04] Add enforcement to SE Linux LSM

Trent Jaeger tjaeger at cse.psu.edu
Wed Jun 21 03:15:33 UTC 2006


On Jun 20, 2006, at 7:10 PM, Venkat Yekkirala wrote:

>>> The extra level of indirection provided by the flow makes things a
>>> bit harder to follow, so I think that this should be made clear in
>>> documentation somehow.  I am not sure if people will be able to
>>> maintain this notion easily later.  My understanding is below.
>>
>> It would be a lot easier if people looked at this in terms of "flow".
>
> The "indirection" is necessary and the "flow" has always been there since we
> don't always have a socket (forward case again). We just needed to go with
> the flow :)

We have flows, sa's, and in some cases, senders and receivers.  On  
input, we check the socket's access to receive the sa's type in  
rcv_skb, and on output we check the flow's (indirectly socket's, if  
present) access to send to the sa's type in flow_state_match.

The problem is that the types of the flow and policy are required to
match in lookup, but that is not a requirement for types. A socket
of type x can use a policy of type y which can be captured on input,
but not on output in this patch.

I'll think about possible resolutions, but here are some further  
questions.

(1) must a flow type match that of the sa it uses (seems so)?
(2) can we do lookup differently for input (where we are told what it  
should be) versus output (where it is based on what could be  
authorized)?

Regards,
Trent.
----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Email: tjaeger at cse.psu.edu
Ph: (814) 865-1042, Fax: (814) 865-3176






