On Tuesday 18 April 2006 04:01, James Morris wrote: > On Mon, 17 Apr 2006, [EMAIL PROTECTED] wrote: > > Secmark, or skfilter is exactly what fireflier needs to solve the shared > > socket issue. Thanks for working on this. If this gets integrated in > > mainline, fireflier LSM will be dropped. > > I think you probably need skfilter as a standalone option. I'll use skfilter then. > > > Is it possible to have an SELinux policy that reinjects the packets if > > didn't match any rules? I.e. if a program that listens on port 80 doesn't > > have access to the packet, (because it doesn't have the proper domain,) > > and the SELinux won't allow the program to read the packet: is it > > possible to reinject this packet in the netfilter chain, instead of > > dropping it? > > > > This would allow creating rules interactively (fireflier). > > This could be done with nfqueue, modular policy and a pretty simple tool. How do I determine if the policy needs to be changed? I.e. how do I determine if the packet would be dropped? You say packets are silently dropped, won't they generate an avc denied at least? (at least the first time?) Once I determine that, I understand what you are saying: catch the packet with a nfqueue target, and write a proper "allow my_t my_packet_t:packet { recv }" to a modular policy .te file, build that as a .pp, and load it using semodule (or libsemanage). > > P.S.: Where can I get the full secmark patches, so I can test them to see > > if they really fit my needs? Do you have an estimate timeline for > > mainline integration? (in terms of n weeks, m months) > > The rest of the secmark related patches don't exist yet, I posted the core > changes needed, and the others will be SELinux-specific. Mainline > integration would hopefully be 2.6.18, if it all works out ok. Sounds good. > > > If you're looking for skfilter: > http://people.redhat.com/jmorris/selinux/skfilter/ Thanks, I know , I tested them already. > > Patrick McHardy has some ideas on resolving some of the skfilter issues. Patrick what is the status of solving the skfilter issues? Can I help with testing patches, etc.?
On Monday 20 February 2006 18:42, Patrick McHardy wrote: > Confirmation of conntrack entries. They shouldn't be confirmed before > packets have passed the socket hooks. This is the tricky part because > we don't know if packets will be delivered to a raw socket or not > when calling the regular LOCAL_IN hook. > The only way to solve this > seems to be to use the socket hooks for all incoming packets, that > way we can defer confirmation unconditionally. Are there any problems with using socket hooks for all packets? > The nicest way would > be to just move the regular LOCAL_IN hook to the socket hooks, but > this doesn't work with SNAT in LOCAL_IN because the socket lookup > needs the already NATed address. Move just the non SNAT part of LOCAL_IN to socket hooks?(does this make sense?) As you can see at http://fireflier.isgeeky.com/wiki/Ipt_fireflier_test, skfilter is working, although my test case was a very simple one. Could you provide a simple testcase where skfilter is not working right (conntrack...), so that I can test it too? I applied only the ipv4 iptables related patches , there were a few failures due to the move to x_tables, but I think I solved them correctly. So here are the patch I actually applied: http://edwintorok.googlepages.com/linux-2.6.16.1-skfilter.patch, let me know if there is something wrong there. P.S.: Fireflier will use SELinux for labeling processes (and sockets), and skfilter to do the actual filtering Cheers, Edwin - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html