Constraints on netif and nodes no longer working after upgrading policy compiler

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 11 19:18:33 UTC 2010


On Fri, 2010-01-08 at 17:13 -0700, Mantaray wrote:
> Hello,
> 
> I have been using the same policy, which I have customized, for a few 
> years now.  When I upgrade my OS (I believe I originally developed the 
> policy on Fedora 6) I use the same policy and compile it with the new 
> compiler.  The message from checkpolicy when I started using this policy 
> was that the binary representation was version 6.  I upgraded to version 
> 7 and version 8 without any difficulties.  I have recently upgraded to a 
> version of the compiler that outputs version 10.  With this version all 
> constraints on both netif and node have no effect on my policy.  I have 
> done some troubleshooting by simplifying the personalized policy to the 
> point that now I am only looking at the following constraint:
> 
> constrain netif { dccp_recv dccp_send egress ingress rawip_recv 
> rawip_send tcp_send tcp_recv udp_send udp_recv }
> 
> (
> 	t1 == can_access_internet and r1 == standard_r
> );
> 
> I had previously been able to successfully constrain Eth0, as well as 
> several nodes I had defined.  One of these constraints was for an rdc 
> connection to a company server (used on a "work" user account), which 
> was restricted to one ip address; and another was for my young son, to 
> keep him limited to his "pbs kids" site.  This is the primary reason I 
> have used SELinux, although I am sure the other protections have been 
> helpful as well.
> I have already upgraded the policy to the most recent reference policy 
> in an effort to resolve the issue.  The only result was additional 
> difficulties which were the result of labeling changes in the policy. 
> After resolving those difficulties, I am back to my original problem.
> I am wondering what changes have been made in the policy compiler that 
> could cause this change in behavior, and how I need to modify my policy 
> in order to get the node and netif based constraints working again.  If 
> anyone has any ideas that would help me to resolve the problem I would 
> appreciate it.

It isn't the policy compiler but rather the kernel permission checks
that have changed.
http://paulmoore.livejournal.com/4281.html

Your options are to use secmark or to use the newer ingress/egress
checks, but note that using either requires additional configuration
(iptables for secmark, labeled networking for ingress/egress).

-- 
Stephen Smalley
National Security Agency
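The secmark route from the reply above, worked out as an added example (this is not code from either poster and not part of the reference policy). It rebuilds the two cases in the original question, the eth0 constraint and the one-server "work" restriction, on the packet class that the kernel now checks instead of netif/node. Assumed names that do not appear in the thread: the packet types work_packet_t and internet_packet_t, the domains work_t and user_t, the role work_r, and the server address 203.0.113.10 (a constructed documentation-range address). The attribute can_access_internet and the role standard_r are taken from the posted constraint. The script only emits the iptables rules and the policy fragment so they can be reviewed; apply the rules as root and build the .te fragment with your usual checkpolicy/semodule flow.

```shell
#!/bin/sh
# Added example: replace netif/node constraints with SECMARK-labeled packets.
# Nothing here is executed against the live firewall; the functions print
# the configuration and the top level shows it.
set -eu

# Constructed values for the example (not from the thread).
WORK_SERVER=203.0.113.10   # the one company server the "work" account may reach
WORK_PORT=3389             # RDP
IFACE=eth0                 # interface the old netif constraint covered

# iptables rules that attach a SELinux label to packets (mangle table).
# SECMARK labels the first packet of a flow, CONNSECMARK copies that label
# to the conntrack entry and back onto every later packet of the flow.
secmark_rules() {
	cat <<EOF
iptables -t mangle -F
# Replies and later packets of a known flow inherit the flow's saved label.
iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
# Node-style rule: traffic to the single permitted work server (by address and port).
iptables -t mangle -A OUTPUT -o $IFACE -d $WORK_SERVER -p tcp --dport $WORK_PORT -m state --state NEW -j SECMARK --selctx system_u:object_r:work_packet_t:s0
# Netif-style rule: everything else leaving $IFACE gets the generic label.
iptables -t mangle -A OUTPUT -o $IFACE -m state --state NEW -j SECMARK --selctx system_u:object_r:internet_packet_t:s0
# Remember the label on the connection so the --restore rules above find it.
iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
EOF
}

# Policy fragment for the same labels. Uses the packet class (send/recv),
# which is what the kernel checks for SECMARK-labeled packets.
policy_fragment() {
	cat <<'EOF'
# Packet types named in the --selctx arguments of the iptables rules.
type work_packet_t;
type internet_packet_t;

# Domains that may use the network still need ordinary allow rules on the
# packet class; the constraints below only narrow these further.
allow user_t internet_packet_t:packet { send recv };
allow work_t work_packet_t:packet { send recv };

# The original netif constraint, moved to the packet class unchanged:
# only processes of type/attribute can_access_internet in role standard_r
# may send or receive labeled packets.
constrain packet { send recv }
(
	t1 == can_access_internet and r1 == standard_r
);

# The old node constraint for the company server: packets labeled
# work_packet_t may only be exchanged by processes in role work_r.
constrain packet { send recv }
(
	t2 != work_packet_t or r1 == work_r
);
EOF
}

# Stand-alone: print both halves for review.
case "${1:-show}" in
	show)  secmark_rules; echo; policy_fragment ;;
	write) secmark_rules > secmark.rules; policy_fragment > secmark.te ;;
esac
```

Two things to check once this is loaded: the packet class and its send/recv permissions must exist in the policy you compile against (the current reference policy declares them), and, because the kernel only evaluates packet permissions once SECMARK rules are present, every flow you care about should be covered by a labeling rule. Denials show up in the audit log under class packet, which is the quickest way to see which constraint is firing.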

