[refpolicy] MLS unix socket sendto/connectto

chanson at TrustedCS.com chanson at TrustedCS.com
Fri Nov 5 08:53:39 CDT 2010 

Thanks, Chris for the clarification. I tend to agree that we should have
something different as we don't want this on a process per your proc pid
example. Let me think about this a little bit.

-Chad 

> -----Original Message-----
> From: Christopher J. PeBenito [mailto:cpebenito at tresys.com] 
> Sent: Friday, November 05, 2010 8:44 AM
> To: Paul Moore
> Cc: Stephen Smalley; Daniel J Walsh; Chad Hanson; 
> refpolicy at oss.tresys.com
> Subject: Re: MLS unix socket sendto/connectto
> 
> On 11/05/10 08:39, Paul Moore wrote:
> > On Fri, 2010-11-05 at 08:04 -0400, Christopher J. PeBenito wrote:
> >> On 11/04/10 10:46, Paul Moore wrote:
> >>> On Thu, 2010-11-04 at 09:19 -0400, Christopher J. PeBenito wrote:
> >>>> The current MLS constraints for unix socket sendto/connectto are:
> >>>>
> >>>> # UNIX domain socket ops
> >>>> mlsconstrain unix_stream_socket connectto
> >>>>         (( l1 eq l2 ) or
> >>>>          (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 
> >>>> domby
> >>>> h2 )) or
> >>>>          (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 
> >>>> domby l2
> >>>> )) or
> >>>>          ( t1 == mlsnetwrite ) or
> >>>>          ( t2 == mlstrustedobject ));
> >>>>
> >>>> mlsconstrain unix_dgram_socket sendto
> >>>>         (( l1 eq l2 ) or
> >>>>          (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 
> >>>> domby
> >>>> h2 )) or
> >>>>          (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 
> >>>> domby l2
> >>>> )) or
> >>>>          ( t1 == mlsnetwrite ) or
> >>>>          ( t2 == mlstrustedobject ));
> >>>>
> >>>> These were added earlier this year (except the last t2 exception 
> >>>> which was added more recently).  My concern is with the 
> mlstrustedobject part.
> >>>>  We need an exception like this to handle domains such 
> as syslog, 
> >>>> so they can receive messages from any level.  But I 
> think we need a 
> >>>> different attribute since domain types are used for the process 
> >>>> itself and also it's /proc/pid files, so by making the domain a 
> >>>> trusted object, the /proc/pid become trusted objects 
> too.  Opinions?
> >>>
> >>> Is there a reason why we don't have transition rules for 
> things like 
> >>> sockets?  Granted, they are probably only useful for unix 
> sockets, 
> >>> but I think they could come in handy for things like this 
> where we 
> >>> don't want to start messing around with adding setsockcreatecon() 
> >>> calls to the code.
> >>
> >> I don't understand; how would a transition help here?
> > 
> > I was thinking that a type transition could be used when 
> /dev/log was 
> > created so that it could be created with a new type which we could 
> > assign to the mlstrustedobject attribute.
> 
> Wrong check.  The check on /dev/log is a sock_file check (eg 
> foo_t to devlog_t).  The above constraints are for foo_t to 
> syslogd_t, as an example.
> 
> 
> 
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
>

More information about the refpolicy mailing list