
List:       selinux
Subject:    Re: Question on networking accesses
From:       Steve G <linux_4ever () yahoo ! com>
Date:       2007-05-22 12:39:56
Message-ID: 827038.22839.qm () web51509 ! mail ! re2 ! yahoo ! com


> I guess with SELinux you could think of it as the following:
> 
> - process A (subject) writes to socket A1 (object)
> - socket A1 (subject) sends packet to compat_net/SECMARK (object)
> 
> packet traverses the ether (real magic)
> 
> - socket B1 (subject) receives the packet via int/ext labels (object)
> - process B (subject) receives the data via socket B1 (object)

I think this is missing the access control decisions. First, the sender has to be
in a domain that allows a connect/sendto, the connection between domains must be
allowed by policy, and the receiver has to be in a domain that allows
listen/recvfrom. This is omitting any DAC restrictions, capability requirements,
and iptables rules which have first vote on denying the activity. The access
control is mostly at the entry points to the transaction and not on a packet by
packet basis (except perhaps UDP where every packet is an entry point to the
transaction).

-Steve
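The sequence of decisions Steve lists (sender's domain may create and connect a socket, the per-packet SECMARK/peer checks in the middle, receiver's domain may bind, listen and accept) can be written down as a minimal TE policy module. The module below is an added illustration, not something posted in this thread or taken from the reference policy: the domains client_t and server_t, the port type myapp_port_t, the packet type myapp_packet_t and TCP port 8443 are all invented for the example. It uses the `packet` and `peer` object classes of later kernels, which unify the SECMARK and labeled-networking (NetLabel/IPsec, the "int/ext labels" in the quoted text) checks; kernels of the thread's vintage expressed the peer check on the socket class and the compat_net checks on `node` and `netif` instead. The comments mark which rules are checked once at the entry point of the flow and which are checked per packet.

```selinux
module myapp_net 1.0;

# Illustrative module: client_t, server_t, myapp_port_t and myapp_packet_t are
# made up for this example and do not appear in the thread or in refpolicy.
require {
    attribute domain;
    attribute port_type;
    attribute packet_type;
    type node_t;
    class tcp_socket { create connect getattr read write bind listen accept
                       name_connect name_bind node_bind };
    class packet { send recv };
    class peer recv;
}

type client_t;
type server_t;
typeattribute client_t domain;
typeattribute server_t domain;

# Port type for the service; assign it outside the module with
#   semanage port -a -t myapp_port_t -p tcp 8443
type myapp_port_t;
typeattribute myapp_port_t port_type;

# Packet label stamped by iptables SECMARK on both directions of the flow:
#   iptables -t mangle -A INPUT  -p tcp --dport 8443 -j SECMARK --selctx system_u:object_r:myapp_packet_t:s0
#   iptables -t mangle -A OUTPUT -p tcp --sport 8443 -j SECMARK --selctx system_u:object_r:myapp_packet_t:s0
#   iptables -t mangle -A INPUT  -j CONNSECMARK --save
#   iptables -t mangle -A OUTPUT -j CONNSECMARK --restore
# (drop the ":s0" suffix on a non-MLS policy)
type myapp_packet_t;
typeattribute myapp_packet_t packet_type;

# 1. Sender side, checked once when the socket is created and connect() is called:
#    the client domain needs the socket permissions on its own socket and
#    name_connect against the port type of the destination port.
allow client_t self:tcp_socket { create connect getattr read write };
allow client_t myapp_port_t:tcp_socket name_connect;

# 2. Receiver side, checked once at bind()/listen()/accept():
#    name_bind against the port type and node_bind against the node the
#    address belongs to (node_t is the generic node type from the base policy).
allow server_t self:tcp_socket { create bind listen accept getattr read write };
allow server_t myapp_port_t:tcp_socket name_bind;
allow server_t node_t:tcp_socket node_bind;

# 3. Per-packet checks (SECMARK): both endpoints must be allowed to send and
#    receive packets carrying the label iptables put on them. This is the part
#    that is evaluated for every packet rather than at the entry point.
allow client_t myapp_packet_t:packet { send recv };
allow server_t myapp_packet_t:packet { send recv };

# 4. Domain-to-domain check with labeled networking (NetLabel/IPsec): the
#    receiving domain must be allowed to receive from the peer's domain. Without
#    labeled networking the peer is unlabeled and this rule is not consulted.
allow server_t client_t:peer recv;
allow client_t server_t:peer recv;
```

Build and load it with `checkmodule -M -m -o myapp_net.mod myapp_net.te`, `semodule_package -o myapp_net.pp -m myapp_net.mod` and `semodule -i myapp_net.pp`, then confirm each decision point is covered with queries such as `sesearch -A -s client_t -t myapp_port_t -c tcp_socket` and `sesearch -A -s server_t -t myapp_packet_t -c packet`. Note that the DAC checks, CAP_NET_BIND_SERVICE for ports below 1024, and the iptables filter rules that Steve mentions all run before or independently of these allow rules, so a denial in the audit log is only one of several reasons a connection can fail.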






