On Wed, 2006-08-23 at 09:15 -0500, George C. Wilson wrote:
> On Wed, Aug 23, 2006 at 09:11:03AM -0400, Stephen Smalley wrote:
> > On Tue, 2006-08-22 at 19:20 -0400, James Morris wrote:
> > > On Tue, 22 Aug 2006, Joe Nall wrote:
> > > 
> > > > 
> > > > On Aug 22, 2006, at 11:43 AM, George C. Wilson wrote:
> > > > 
> > > > > Is it acceptable to make use of the old controls for the certified
> > > > > configuration?  Or must we migrate to secmark?  We want to avoid
> > > > > having to document and test secmark so that we don't increase the
> > > > > scope of the TOE.
> > > > 
> > > > Two questions:
> > > >   1) Without secmark, is it possible to label an IP address?
> > > 
> > > Yes.  You can label 'nodes' (addr/mask), ports and interfaces.
> > > 
> > > >   2) If secmark is present and enabled in RH5, how do you
> > > >      remove it from the TOE? By administrative fiat or real
> > > >      code change?
> > > 
> > > You can disable secmark controls at boot or runtime:
> > > 
> > > /usr/src/linux/Documentation/kernel-parameters.txt
> > > 
> > >         selinux_compat_net =
> > >                         [SELINUX] Set initial selinux_compat_net flag value.
> > >                         Format: { "0" | "1" }
> > >                         0 -- use new secmark-based packet controls
> > >                         1 -- use legacy packet controls
> > >                         Default value is 0 (preferred).
> > >                         Value can be changed at runtime via
> > >                         /selinux/compat_net.
> > 
> > Unfortunately, that isn't useful at present because libselinux
> > automatically sets /selinux/compat_net at policy load time based on
> > whether the policy contains a packet class definition.  That was an
> > attempt to automatically detect the right setting and apply it based on
> > the policy being loaded.
> > 
> > So if they want to use compat_net for the certification, we need to do
> > one of the following:
> > 1) Fork MLS policy from the refpolicy base, stripping the packet class
> > from it and all associated rules, so that libselinux will automatically
> > disable secmark at policy load time.  I don't think we want to do this.
> > 2) Revert the change to libselinux that automatically sets compat_net,
> > and instead set it manually, whether via a kernel boot parameter setting
> > (e.g. from grub.conf) or via /selinux/compat_net (e.g. from rc.sysinit
> > or even later, as long as it happens before networking is enabled).  I
> > can do that, just let me know.
> > 
> 
> It sounds like compat_net will be a pain.  And it certainly isn't the
> preferred solution.  Are there detailed design docs for secmark and iptables
> as currently implemented?  They would help quite a bit.

Using compat_net isn't difficult; it just requires reverting the change
to libselinux so that it won't be overwritten upon policy load, and then
putting something in your certification package to enable it manually,
most likely by echo'ing a 1 to /selinux/compat_net from rc.sysinit or
similar.  So that is certainly doable if you need it.

There are no "detailed design docs" for secmark.  There is the
description provided by James in his live journal,
http://james-morris.livejournal.com/11010.html,
the patch descriptions included with the patches on netdev, and some
discussion of policy integration on selinux list.  The final stage of
integration with the Red Hat iptables configuration isn't yet finalized
AFAIK, although Karl likely knows more.

-- 
Stephen Smalley
National Security Agency
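As an added illustration (not code from the thread or from libselinux) of the manual step Stephen describes, here is an rc.sysinit-style snippet that forces the legacy compat_net packet controls on before networking starts. It first checks whether the selinux_compat_net=1 kernel parameter already did the job, and otherwise writes 1 to compat_net under selinuxfs and verifies the readback; the selinuxfs mount point and cmdline path are parameters (assumed defaults /selinux and /proc/cmdline) so the logic can be dry-run against temporary files.

```shell
#!/bin/sh
# Added example: enable legacy (compat_net) packet controls at early boot.
# Assumes libselinux no longer rewrites compat_net at policy load, as the
# reply above requires; otherwise the value set here would be overwritten.

# Print the selinux_compat_net value found on a kernel command line (0 or 1),
# or nothing if the parameter is absent.  $1: cmdline file (/proc/cmdline).
compat_net_from_cmdline() {
    tr ' ' '\n' < "$1" | sed -n 's/^selinux_compat_net=\([01]\)$/\1/p' | head -n 1
}

# Write 1 to <selinuxfs>/compat_net and confirm it took effect.
# Returns 0 on success, 1 if the node is missing/unwritable or still reads 0.
enable_compat_net() {
    node="$1/compat_net"
    [ -w "$node" ] || { echo "compat_net: $node not writable" >&2; return 1; }
    echo 1 > "$node" || return 1
    [ "$(cat "$node")" = "1" ]
}

# Skip the write when the boot parameter already selected compat_net=1.
# $1: selinuxfs mount point, $2: cmdline file.
ensure_compat_net() {
    if [ "$(compat_net_from_cmdline "$2")" = "1" ]; then
        echo "compat_net: already enabled by kernel parameter" >&2
        return 0
    fi
    enable_compat_net "$1"
}

# Only touch the real system when invoked explicitly, e.g. from rc.sysinit:
#   sh compat_net.sh --run   (before any network interface is brought up)
if [ "${1:-}" = "--run" ]; then
    ensure_compat_net "${SELINUXFS:-/selinux}" "${CMDLINE:-/proc/cmdline}"
fi
```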

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
