[redhat-lspp] secid reconciliation and localhost sockets

Paul Moore paul.moore at hp.com
Wed Oct 11 20:06:57 UTC 2006


Venkat Yekkirala wrote:
>>Joe Nall wrote:
>>>Netlabel/CIPSO is great for talking to other operating systems, but
>>>if it is the _only_ mechanism to label local IP sockets, we have a problem.
>>
>>As it stands, I believe it is the only mechanism able to label local IP
>>sockets that is currently in the RHEL5 kernel.  One possible workaround
>>would be to use UNIX domain sockets if you know you will be talking to a
>>process on the local machine.
> 
> It should be possible in theory to setup labeled networking over
> loopback (would have to first set the disable_xfrm ip_sysctl to 0
> for the loopback interface). Even so, getpeercon() is currently
> broken since it retrieves the context of the SA used by the local
> socket, as opposed to tracking and returning it from the SA of
> the peer.
> 
> And if you do use NetLabel, if I remember correctly,
> the TE portion comes from the local socket as opposed
> to saying unlabeled_t (or potentially node, netif Types).
> Is this still true Paul? (not trying to rake up the issue,
> just pointing out).

Nope, in both the current net-2.6 git tree as well as the latest RHEL5 kernels
getpeercon() returns "unlabeled_t" for a NetLabel connection.  Patches were
posted to the netdev and SELinux lists a week or two ago and accepted shortly
afterwards.

If anyone is still seeing the older behavior please let me know or post
something to the list.

-- 
paul moore
linux security @ hp
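A quick way to check the getpeercon() behaviour discussed in this thread, added here as an example and not part of the original list posts: it opens a TCP connection over 127.0.0.1, reads SO_PEERSEC (the socket option libselinux's getpeercon() queries) on both ends, and compares the answer with the calling process's own context. It assumes Linux; the literal sockopt value 31 and the "local-socket-context" heuristic (peer label equal to our own context means the old behaviour of reporting the local socket's label) are my assumptions.

```python
import socket
import threading

# Linux value of SO_PEERSEC, the sockopt behind libselinux getpeercon().
# Assumption: older Python builds do not expose socket.SO_PEERSEC, so fall back to 31.
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)
UNLABELED_TYPE = "unlabeled_t"


def peer_label(sock):
    """Peer security context of a connected stream socket, or None when the
    kernel/LSM provides none (ENOPROTOOPT on hosts without SELinux)."""
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError:
        return None
    return raw.rstrip(b"\x00").decode("ascii", "replace") or None


def own_label():
    """Context of this process, the same value getcon() would report."""
    try:
        with open("/proc/self/attr/current", "rb") as f:
            return f.read().rstrip(b"\x00\n").decode("ascii", "replace") or None
    except OSError:
        return None


def classify(peer, own):
    """Interpret a peer label seen on a loopback IP socket (heuristic, assumed)."""
    if peer is None:
        return "no-label"
    parts = peer.split(":")               # user:role:type[:range]
    if len(parts) >= 3 and parts[2] == UNLABELED_TYPE:
        return "unlabeled"                # the fixed behaviour Paul describes
    if own is not None and peer == own:
        return "local-socket-context"     # old behaviour: our own side's context
    return "other"


def loopback_probe():
    """Connect client to server over 127.0.0.1 and read SO_PEERSEC on both ends."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {}

    def accept():
        conn, _ = srv.accept()
        with conn:
            result["server_peer"] = peer_label(conn)

    t = threading.Thread(target=accept)
    t.start()
    with socket.create_connection(srv.getsockname()) as cli:
        result["client_peer"] = peer_label(cli)
        t.join()
    srv.close()
    result["own"] = own_label()
    result["verdict"] = classify(result["client_peer"], result["own"])
    return result
```

On a host with the patched kernel the verdict should read "unlabeled" for a plain loopback connection; "local-socket-context" is the older behaviour the thread asks people to report.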