01-08-2010, 11:13 PM
Mantaray
Constraints on netif and nodes no longer working after upgrading policy compiler

Hello,

I have been using the same policy, which I have customized, for a few
years now. When I upgrade my OS (I believe I originally developed the
policy on Fedora 6) I use the same policy and compile it with the new
compiler. The message from checkpolicy when I started using this policy
was that the binary representation was version 6. I upgraded to version
7 and version 8 without any difficulties. I have recently upgraded to a
version of the compiler that outputs version 10. With this version all
constraints on both netif and node have no effect on my policy. I have
done some troubleshooting by simplifying the personalized policy to the
point that now I am only looking at the following constraint:

constrain netif { dccp_recv dccp_send egress ingress rawip_recv
rawip_send tcp_send tcp_recv udp_send udp_recv }
(
t1 == can_access_internet and r1 == standard_r
);

I had previously been able to successfully constrain Eth0, as well as
several nodes I had defined. One of these constraints was for an rdc
connection to a company server (used on a "work" user account), which
was restricted to one ip address; and another was for my young son, to
keep him limited to his "pbs kids" site. This is the primary reason I
have used SELinux, although I am sure the other protections have been
helpful as well.
I have already upgraded the policy to the most recent reference policy
in an effort to resolve the issue. The only result was additional
difficulties which were the result of labeling changes in the policy.
After resolving those difficulties, I am back to my original problem.
I am wondering what changes have been made in the policy compiler that
could cause this change in behavior, and how I need to modify my policy
in order to get the node and netif based constraints working again. If
anyone has any ideas that would help me to resolve the problem I would
appreciate it.


-Ken-

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
01-11-2010, 07:16 PM
Mantaray
Constraints on netif and nodes no longer working after upgrading policy compiler

Stephen Smalley wrote:
> On Fri, 2010-01-08 at 17:13 -0700, Mantaray wrote:
>> Hello,
>>
>> I have been using the same policy, which I have customized, for a few
>> years now. When I upgrade my OS (I believe I originally developed the
>> policy on Fedora 6) I use the same policy and compile it with the new
>> compiler. The message from checkpolicy when I started using this policy
>> was that the binary representation was version 6. I upgraded to version
>> 7 and version 8 without any difficulties. I have recently upgraded to a
>> version of the compiler that outputs version 10. With this version all
>> constraints on both netif and node have no effect on my policy. I have
>> done some troubleshooting by simplifying the personalized policy to the
>> point that now I am only looking at the following constraint:
>>
>> constrain netif { dccp_recv dccp_send egress ingress rawip_recv
>> rawip_send tcp_send tcp_recv udp_send udp_recv }
>>
>> (
>> t1 == can_access_internet and r1 == standard_r
>> );
>>
>> I had previously been able to successfully constrain Eth0, as well as
>> several nodes I had defined. One of these constraints was for an rdc
>> connection to a company server (used on a "work" user account), which
>> was restricted to one ip address; and another was for my young son, to
>> keep him limited to his "pbs kids" site. This is the primary reason I
>> have used SELinux, although I am sure the other protections have been
>> helpful as well.
>> I have already upgraded the policy to the most recent reference policy
>> in an effort to resolve the issue. The only result was additional
>> difficulties which were the result of labeling changes in the policy.
>> After resolving those difficulties, I am back to my original problem.
>> I am wondering what changes have been made in the policy compiler that
>> could cause this change in behavior, and how I need to modify my policy
>> in order to get the node and netif based constraints working again. If
>> anyone has any ideas that would help me to resolve the problem I would
>> appreciate it.
>
> It isn't the policy compiler but rather the kernel permission checks
> that have changed.
> http://paulmoore.livejournal.com/4281.html
>
> Your options are to use secmark or to use the newer ingress/egress
> checks, but note that using either requires additional configuration
> (iptables for secmark, labeled networking for ingress/egress).
>

Thank you. I have only glanced at the info in the article(s), but it
looks like it will be very helpful. It also looks like it will be
easier to manage any changes I might need to make than it used to be.

-Ken-


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
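The following is an added example, not code from either poster, showing the secmark option Stephen mentions applied to the two restrictions Ken's original constraint was meant to enforce (the "work" account reaching one company host, the child's account reaching one web site). Instead of constraining netif with tcp_send/tcp_recv, which the kernel no longer checks, iptables assigns a packet type to each flow and the policy's packet class decides which domain may send or receive it. The host addresses, ports, the domain names work_user_t and kids_user_t, the packet type names and the use of unlabeled_t as the catch-all label are all constructed assumptions; check the unlabeled_t convention against the kernel module of the reference policy you run.

```shell
#!/bin/sh
# Added example: emits a secmark configuration (iptables rules plus a
# reference-policy module) that replaces the old netif tcp_send/tcp_recv
# constraint with packet-class checks. Every address, port, domain and
# packet type below is an assumption chosen for illustration.

WORK_HOST="203.0.113.10"     # assumed company server (documentation range)
KIDS_HOST="198.51.100.20"    # assumed address of the children's site
WORK_CTX="system_u:object_r:work_rdp_packet_t:s0"
KIDS_CTX="system_u:object_r:kids_web_packet_t:s0"
DEFAULT_CTX="system_u:object_r:unlabeled_t:s0"   # catch-all label (assumed)

# iptables rules, emitted as text so they can be reviewed before being piped
# to sh as root. SECMARK does not terminate the chain, so the catch-all rule
# comes first and the host-specific rules overwrite its mark. CONNSECMARK
# --save copies the mark onto the connection so that reply packets in INPUT
# inherit it through --restore and no per-direction rules are needed.
secmark_rules() {
    cat <<EOF
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state NEW -j SECMARK --selctx $DEFAULT_CTX
iptables -t mangle -A OUTPUT -m state --state NEW -p tcp -d $WORK_HOST --dport 3389 -j SECMARK --selctx $WORK_CTX
iptables -t mangle -A OUTPUT -m state --state NEW -p tcp -d $KIDS_HOST -m multiport --dports 80,443 -j SECMARK --selctx $KIDS_CTX
iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT -m state --state NEW -j SECMARK --selctx $DEFAULT_CTX
iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
EOF
}

# Reference-policy module: each domain is allowed only its own packet type.
# Because neither domain is granted unlabeled_t:packet, traffic to any other
# host is denied and shows up as an AVC message with tclass=packet.
policy_module_source() {
    cat <<'EOF'
policy_module(local_secmark, 1.0)

require {
    type work_user_t;    # assumed domain of the "work" account
    type kids_user_t;    # assumed domain of the child's account
}

# Packet types assigned by the SECMARK rules above; corenet_packet gives
# them the packet_type attribute the reference policy expects.
type work_rdp_packet_t;
corenet_packet(work_rdp_packet_t)
type kids_web_packet_t;
corenet_packet(kids_web_packet_t)

allow work_user_t work_rdp_packet_t:packet { send recv };
allow kids_user_t kids_web_packet_t:packet { send recv };
EOF
}

# Usage: "sh secmark.sh policy > local_secmark.te" or "sh secmark.sh rules | sh"
case "${1:-}" in
    rules)  secmark_rules ;;
    policy) policy_module_source ;;
esac
```

Build the module with the policy development Makefile (make -f /usr/share/selinux/devel/Makefile local_secmark.pp, then semodule -i local_secmark.pp) before loading the iptables rules, otherwise the SECMARK target rejects the unknown contexts. Domains that should keep unrestricted access need the unlabeled packet type, which the reference policy grants through kernel_sendrecv_unlabeled_packets(); the two restricted domains here deliberately do not get it.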