On 06/02/2011 12:01 PM, Mr Dash Four wrote:
> 
>> The more I think about it, the more I favor inserting the dropInvalid
>> rule in your rules file. If you do that, it is a moot point which
>> security context INVALID packets have since they won't be accepted. The
>> way your ruleset is right now, you are ACCEPTing such packets; that
>> creates new conntrack entries which will take some time to time out and
>> be deleted.
>>   
> I am not too sure that is (always) the case. SELinux hooks kick in even
> before a packet traverses the ruleset (when it goes out, for example, as in
> the case I listed here) - if the process/program doesn't have the right
> permissions set (my_program sending "http_client_t" type packets, for
> example) then an AVC is issued and no packet passes at all. Besides, when a
> security issue such as this is concerned, you can't be too careful! It
> would also give me additional flexibility as to what to do with these
> packets, or how to mark them.
> 

I'm betting that the AVC is only issued at the socket level (incoming
and outgoing). So DROPped packets would not trigger it.

At any rate, here's a patch that implements ':I'.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 88c61ca..e09fa6f 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1604,6 +1604,7 @@ sub process_secmark_rule() {
 		 O => 'tcout'   , );
 
     my %state = ( N =>  'NEW' ,
+		  I => 'INVALID',
 		  NI => 'NEW,INVALID',
 		  E =>  'ESTABLISHED' ,
 		  ER => 'ESTABLISHED,RELATED',
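Review bot: the new `I => 'INVALID'` entry has no accompanying documentation change; the keys in `%state` (`N`, `NI`, `E`, `ER`) are the user-visible STATE suffixes of a secmarks rule, so wherever those four are documented should gain `:I` (INVALID) in the same patch, otherwise this thread is the only place the new suffix is mentioned. Minor style point: the added line is aligned differently from its neighbours (`N =>  'NEW' ,` / `NI => 'NEW,INVALID',`), so match the column layout of the rest of the hash.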

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users