On Mon, 2006-08-07 at 15:37 -0400, Paul Moore wrote:
> I spent an hour this afternoon with the latest NetLabel patch and Klaus'
> original "toy" policy module trying to "flesh it out a bit". The
> resulting policy file is attached (as well as a simple Makefile to build
> and install the module). I will caution people that I haven't done much
> testing with this new policy module yet but what I have done, mostly
> running 'netlabelctl' seems to work well enough.
> # sending NetLabel'd packets does not require a SELinux privilege, however,
> # receiving NetLabel'd packets does
> allow user_t user_t:{ tcp_socket udp_socket } { recv_msg };
> allow staff_t staff_t:{ tcp_socket udp_socket } { recv_msg };
> allow sysadm_t sysadm_t:{ tcp_socket udp_socket } { recv_msg };
Do we really want to overload this permission? It is still being used
for send/receive on ports, e.g.,
allow httpd_t port_type:tcp_socket { send_msg recv_msg };
I realize these port perms are deprecated by secmark; however, these
rules will still be around for a while for compatibility.
> # netlink communications
> allow netlabelctl_t self:netlink_socket { create bind write read };
This is like the generic socket; we don't want generic netlink sockets
either, we want all sockets to be specific. Netlink_socket is just a
fallback for unspecified netlink sockets.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
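The two review points above (port permissions granted on non-port targets, and the generic netlink_socket fallback class) can be caught mechanically. The following checker is an added example, not something from this thread or the reference policy; the sample rules are the ones quoted above, the "overloaded" heuristic (send_msg/recv_msg where the target is the source itself or self) and the generic-class list are assumptions of this example.

```python
import re

# Constructed sample: the rules quoted in this thread plus the existing
# port-based httpd_t rule that uses send_msg/recv_msg the intended way.
SAMPLE_POLICY = """
# sending NetLabel'd packets does not require a SELinux privilege, however,
# receiving NetLabel'd packets does
allow user_t user_t:{ tcp_socket udp_socket } { recv_msg };
allow staff_t staff_t:{ tcp_socket udp_socket } { recv_msg };
allow sysadm_t sysadm_t:{ tcp_socket udp_socket } { recv_msg };
allow httpd_t port_type:tcp_socket { send_msg recv_msg };
# netlink communications
allow netlabelctl_t self:netlink_socket { create bind write read };
"""

# allow <src> <tgt>:<class|{ classes }> <perm|{ perms }>;
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+):(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*;")

# Assumption: classes a reviewer treats as "unspecified" fallbacks.
GENERIC_CLASSES = {"socket", "netlink_socket"}
# Permissions that belong to the (deprecated) port-based checks.
PORT_PERMS = {"send_msg", "recv_msg"}


def _fields(text):
    return text.strip("{} ").split()


def parse_rules(text):
    """Return (src, tgt, [classes], [perms]) for every allow rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, _fields(cls), _fields(perms)))
    return rules


def lint(text):
    """Flag generic socket classes and port perms used on non-port targets."""
    findings = []
    for src, tgt, classes, perms in parse_rules(text):
        for cls in classes:
            if cls in GENERIC_CLASSES:
                findings.append(("generic_class", src, tgt, cls))
        # Heuristic: send_msg/recv_msg are meant for port targets, so a
        # rule granting them to src on itself is overloading the permission.
        if PORT_PERMS & set(perms) and tgt in (src, "self"):
            findings.append(("overloaded_port_perm", src, tgt, " ".join(classes)))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_POLICY):
        print(f)
```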
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp