[redhat-lspp] RE: [PATCH 0/1] selinux: secid reconciliation fixes V01
Venkat Yekkirala
vyekkirala at TrustedCS.com
Mon Oct 9 16:45:03 UTC 2006
[Thought I had sent this earlier, but found this waiting for me to finish]
> -----Original Message-----
> From: James Morris [mailto:jmorris at namei.org]
> Sent: Monday, October 09, 2006 9:25 AM
> To: Venkat Yekkirala
> Cc: selinux at tycho.nsa.gov; redhat-lspp at redhat.com; paul.moore at hp.com;
> sds at tycho.nsa.gov; eparis at redhat.com; jbrindle at tresys.com
> Subject: RE: [PATCH 0/1] selinux: secid reconciliation fixes V01
>
>
> On Mon, 9 Oct 2006, Venkat Yekkirala wrote:
>
> > > > 3. Label igmp traffic with the igmp_packet initial context.
> > >
> > > Why is IGMP being handled separately? How many other
> > > protocols will need
> > > their own specific hooks?
> >
> > igmp seems like the only odd ball out in that it sends packets
> > outside of a socket (even a kernel sock) context; which also
> > explains why there's a separate init sid defined/deprecated for
> > this in the selinux policy.
>
> I don't think a protocol-specific hook is going to be
> acceptable. Can you
> test inside SELinux to determine that it's IGMP?
I did in fact test inside SELinux, and that's how I found
out these were igmp packets. These were getting labeled implicitly
with unlabeled_t, and now after labeling these distinctly, policy won't
have to grant access to the network to unlabeled packets. An alternative
is to not flow control any traffic that doesn't have a sock associated
with it.
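The labelling decision the two replies argue over (prefer the owning sock's SID; for sockless traffic, recognise IGMP from the IP header inside a generic hook rather than a protocol-specific one, and give it its own initial SID instead of falling through to unlabeled) is modelled below as a user-space C program. This is an added example for the archive, not the patch under discussion and not SELinux's own code; the struct names, the `MODEL_SID_*` values and the `model_*` functions are invented for illustration, and the IPv4 headers it labels are constructed inline. The only real constant is the IANA protocol number 2 for IGMP.

```c
/* Added example: a user-space model of the secid decision discussed in the
 * thread. Not kernel code; names and SID values below are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_SID_NULL        0u  /* assumed: "no label assigned yet" */
#define MODEL_SID_UNLABELED   1u  /* assumed stand-in for unlabeled_t */
#define MODEL_SID_IGMP_PACKET 2u  /* assumed stand-in for the igmp_packet initial SID */
#define PROTO_IGMP            2   /* IANA IP protocol number for IGMP (real value) */
#define PROTO_UDP             17  /* IANA IP protocol number for UDP (real value) */

/* Minimal stand-in for a socket carrying a security label. */
struct model_sock { uint32_t sid; };

/* Minimal stand-in for an outgoing IPv4 packet: optional owning sock + header. */
struct model_skb {
    const struct model_sock *sk;   /* NULL for traffic sent without a socket */
    const uint8_t *data;           /* IPv4 header bytes */
    size_t len;
};

/* Read the protocol field (byte 9) of an IPv4 header; -1 if malformed. */
static int ipv4_protocol(const uint8_t *data, size_t len)
{
    if (data == NULL || len < 20 || (data[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(data[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > len)
        return -1;
    return data[9];
}

/* Generic hook logic (no protocol-specific hook): use the owning sock's SID
 * when there is one; otherwise identify IGMP from the header and label it
 * distinctly; anything else that has no sock stays unlabeled. */
uint32_t model_postroute_secid(const struct model_skb *skb)
{
    if (skb->sk != NULL && skb->sk->sid != MODEL_SID_NULL)
        return skb->sk->sid;
    if (ipv4_protocol(skb->data, skb->len) == PROTO_IGMP)
        return MODEL_SID_IGMP_PACKET;
    return MODEL_SID_UNLABELED;
}

/* Construct a 20-byte IPv4 header with the given protocol number. */
static void model_build_ipv4(uint8_t buf[20], uint8_t proto)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;            /* version 4, IHL 5 (20 bytes) */
    buf[3] = 20;              /* total length, low byte */
    buf[8] = 1;               /* TTL 1, as IGMP typically uses */
    buf[9] = proto;
}

/* Label a constructed sockless packet of the given protocol. */
uint32_t model_label_sockless(uint8_t proto)
{
    uint8_t hdr[20];
    model_build_ipv4(hdr, proto);
    struct model_skb skb = { NULL, hdr, sizeof hdr };
    return model_postroute_secid(&skb);
}

/* Label a constructed packet owned by a sock with the given SID. */
uint32_t model_label_with_sock(uint32_t sock_sid, uint8_t proto)
{
    uint8_t hdr[20];
    model_build_ipv4(hdr, proto);
    struct model_sock sk = { sock_sid };
    struct model_skb skb = { &sk, hdr, sizeof hdr };
    return model_postroute_secid(&skb);
}

/* Label arbitrary (possibly malformed) sockless header bytes. */
uint32_t model_label_raw(const uint8_t *data, size_t len)
{
    struct model_skb skb = { NULL, data, len };
    return model_postroute_secid(&skb);
}

int main(void)
{
    printf("sockless IGMP -> sid %u\n", model_label_sockless(PROTO_IGMP));
    printf("sockless UDP  -> sid %u\n", model_label_sockless(PROTO_UDP));
    printf("sock(7) IGMP  -> sid %u\n", model_label_with_sock(7u, PROTO_IGMP));
    return 0;
}
```

The ordering matters: the sock's SID is consulted first so that ordinary socket traffic is never mislabelled as igmp_packet, and the header check only decides the fate of packets that would otherwise land in unlabeled_t. A truncated or non-IPv4 header is treated as unlabeled rather than guessed at.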