[refpolicy] [PATCH/RFC 2/2] Add minidlna policy

Christopher J. PeBenito cpebenito at tresys.com
Fri May 3 13:38:27 EDT 2013


On 05/03/13 13:21, Sven Vermeulen wrote:
> On Fri, May 03, 2013 at 09:47:26AM -0400, Christopher J. PeBenito wrote:
>> As you mentioned in a later email, compat_net has been removed.  The SELinux network access controls are only SECMARK now.
>>
> [...]
>> Yes.  I think what you're confused on is that SECMARK labels are local only.  They are not transferred over the network like labeled IPSEC or NetLabel/CIPSO.  The object class for those labels is peer.  The only remaining permissions on port types is name_bind and name_connect.
> 
> So for each port type that we declare, the corenet_{tcp,udp}_sendrecv_*_port
> is actually void now? Only corenet_{tcp,udp}_{bind,connect}_*_port is then
> used?

Yes.  In fact, I've been looking at removing the port send/recv and any other old, unused networking rules.

> It starts making sense.
> 
> Even if SECMARK is used, the bind/connect is still needed, right?

Yes.  Those permissions are always checked.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
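To make the distinction in the exchange above concrete, here is an added example of what a daemon policy module looks like once the compat_net rules are gone. This is illustration written for this page, not the minidlna patch under discussion and not refpolicy's own code. It assumes a daemon domain minidlna_t, a port type minidlna_port_t with a matching SECMARK packet type minidlna_server_packet_t (the naming follows refpolicy's network_port() convention, but whether such types exist in refpolicy is an assumption), and the MiniDLNA defaults of TCP 8200 for HTTP and UDP 1900 for SSDP (also an assumption, not taken from the thread).

```selinux
# minidlna.te -- hypothetical example module, not the patch under review.
policy_module(minidlna, 1.0.0)

########################################
#
# Declarations
#

type minidlna_t;
type minidlna_exec_t;
init_daemon_domain(minidlna_t, minidlna_exec_t)

# Assumed to exist in corenetwork (hypothetical):
#   network_port(minidlna, tcp,8200,s0, udp,1900,s0)
# which would yield minidlna_port_t plus minidlna_client_packet_t
# and minidlna_server_packet_t.

########################################
#
# Local policy
#

# Still checked: name_bind is the only remaining permission on a port
# type for a listening socket (the thread: "Those permissions are
# always checked").  Raw kernel syntax is used here so the check being
# granted is visible; a real module would call the corenet_* interface.
allow minidlna_t minidlna_port_t:tcp_socket name_bind;
allow minidlna_t minidlna_port_t:udp_socket name_bind;
corenet_tcp_bind_generic_node(minidlna_t)
corenet_udp_bind_generic_node(minidlna_t)

# Still checked: name_connect for outbound connections to a port type
# (e.g. a renderer talking back over HTTP, assumed here).
corenet_tcp_connect_http_port(minidlna_t)

# No longer checked once compat_net is gone: tcp_socket/udp_socket
# send_msg and recv_msg against a port type.  Rules like the following
# are harmless but dead, which is why the thread calls the
# corenet_{tcp,udp}_sendrecv_*_port interfaces void:
#   allow minidlna_t minidlna_port_t:tcp_socket { send_msg recv_msg };

# What replaced them: the packet class, keyed on the SECMARK label that
# iptables/nftables attaches locally to each packet.  The label is not
# carried on the wire; remote-labeled traffic is the peer class
# (labeled IPsec, NetLabel/CIPSO), which is a separate rule.
allow minidlna_t minidlna_server_packet_t:packet { send recv };

# Caveat: packets that no SECMARK rule matches carry unlabeled_t.  If the
# system has no SECMARK rules at all, the packet checks are against
# unlabeled_t, which refpolicy grants broadly, so the packet rule above
# only restricts anything once the labeling rules below are loaded.

# Companion SECMARK labeling, run as root (shell, shown as comments).
# CONNSECMARK copies the label from the first packet of a connection onto
# the rest, so replies and established traffic inherit it:
#
#   iptables -t mangle -A INPUT  -p tcp --dport 8200 -m state --state NEW \
#       -j SECMARK --selctx system_u:object_r:minidlna_server_packet_t:s0
#   iptables -t mangle -A INPUT  -p udp --dport 1900 \
#       -j SECMARK --selctx system_u:object_r:minidlna_server_packet_t:s0
#   iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED \
#       -j CONNSECMARK --restore
#   iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED \
#       -j CONNSECMARK --restore
#   iptables -t mangle -A INPUT  -j CONNSECMARK --save
#   iptables -t mangle -A OUTPUT -j CONNSECMARK --save
```

The two halves are independent in the way the thread describes: removing the packet rule and the iptables lines leaves name_bind and name_connect enforcing which ports minidlna_t may listen on or connect to, while removing the port rules cannot be compensated for by SECMARK, because bind and connect are checked before any packet exists.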
