Constraints on netif and nodes no longer working after upgrading policy compiler
Stephen Smalley
sds at tycho.nsa.gov
Mon Jan 11 19:18:33 UTC 2010
On Fri, 2010-01-08 at 17:13 -0700, Mantaray wrote:
> Hello,
>
> I have been using the same policy, which I have customized, for a few
> years now. When I upgrade my OS (I believe I originally developed the
> policy on Fedora 6) I use the same policy and compile it with the new
> compiler. The message from checkpolicy when I started using this policy
> was that the binary representation was version 6. I upgraded to version
> 7 and version 8 without any difficulties. I have recently upgraded to a
> version of the compiler that outputs version 10. With this version all
> constraints on both netif and node have no effect on my policy. I have
> done some troubleshooting by simplifying the personalized policy to the
> point that now I am only looking at the following constraint:
>
> constrain netif { dccp_recv dccp_send egress ingress rawip_recv
> rawip_send tcp_send tcp_recv udp_send udp_recv }
>
> (
> t1 == can_access_internet and r1 == standard_r
> );
>
> I had previously been able to successfully constrain Eth0, as well as
> several nodes I had defined. One of these constraints was for an rdc
> connection to a company server (used on a "work" user account), which
> was restricted to one ip address; and another was for my young son, to
> keep him limited to his "pbs kids" site. This is the primary reason I
> have used SELinux, although I am sure the other protections have been
> helpful as well.
> I have already upgraded the policy to the most recent reference policy
> in an effort to resolve the issue. The only result was additional
> difficulties which were the result of labeling changes in the policy.
> After resolving those difficulties, I am back to my original problem.
> I am wondering what changes have been made in the policy compiler that
> could cause this change in behavior, and how I need to modify my policy
> in order to get the node and netif based constraints working again. If
> anyone has any ideas that would help me to resolve the problem I would
> appreciate it.
It isn't the policy compiler but rather the kernel permission checks
that have changed.
http://paulmoore.livejournal.com/4281.html
Your options are to use secmark or to use the newer ingress/egress
checks, but note that using either requires additional configuration
(iptables for secmark, labeled networking for ingress/egress).
--
Stephen Smalley
National Security Agency
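As an added illustration of the first option in the reply above (this is not code from the thread, the poster's policy, or the SELinux project): the old "constrain netif" on eth0 can be re-expressed by labeling every packet on that interface with a SECMARK and putting the same type/role condition on the packet class, which is what the current kernel actually checks. The names internet_packet_t (the packet type), the file names, and the install/policy subcommands are assumptions made here; can_access_internet and standard_r are taken from the poster's constraint and are assumed to exist in the local monolithic, refpolicy-based policy.

```shell
#!/bin/sh
# Added example for this thread, not code from the poster or from the
# SELinux project: re-express the old "constrain netif" rule with SECMARK.
# Assumed names:
#   internet_packet_t   - packet type introduced here for traffic on the
#                         Internet-facing interface
#   can_access_internet - the poster's type from the netif constraint
#   standard_r          - the poster's role from the netif constraint
# Usage (as root, iptables built with the SECMARK target):
#   sh secmark.sh policy internet_packet.conf   # emit the policy fragment
#   sh secmark.sh install eth0                  # install the mangle rules
# Set IPTABLES=echo to print the rules instead of installing them.
set -eu

PKT_CTX="system_u:object_r:internet_packet_t:s0"   # assumed packet label

# Policy fragment for a monolithic, refpolicy-based policy.conf.
# packet_type is the refpolicy attribute that marks SECMARK packet types
# (kernel/corenetwork.te); the constrain statement belongs in the
# constraints section, the other statements in the TE section.
write_policy() {
    cat > "$1" <<'EOF'
# --- type enforcement section ---
# Label that the SECMARK rules assign to packets on the Internet-facing
# interface (assumed name).
type internet_packet_t, packet_type;

# Only the domain(s) in can_access_internet may send or receive such
# packets. Every other domain is denied them once a SECMARK rule exists.
allow can_access_internet internet_packet_t:packet { send recv };

# --- constraints section ---
# Same condition as the old netif constraint, now on the packet class.
# t2 scopes it to internet_packet_t so packets the rest of the system
# sends without a SECMARK (unlabeled_t) are not affected. The subject of
# a packet check is the socket, which carries its creating process's
# context, so r1 is still the role of the process.
constrain packet { send recv }
(
        t2 != internet_packet_t or
        ( t1 == can_access_internet and r1 == standard_r )
);
EOF
}

# Mangle-table rules: every packet leaving or arriving on interface $1 is
# labeled internet_packet_t, which is the traffic "constrain netif" used
# to gate. No conntrack is needed for the interface-wide case; a
# per-connection label would use CONNSECMARK --save/--restore instead.
install_rules() {
    iface="$1"
    ipt="${IPTABLES:-iptables}"
    "$ipt" -t mangle -A OUTPUT -o "$iface" -j SECMARK --selctx "$PKT_CTX"
    "$ipt" -t mangle -A INPUT  -i "$iface" -j SECMARK --selctx "$PKT_CTX"
}

case "${1:-}" in
    policy)  write_policy "${2:-internet_packet.conf}" ;;
    install) install_rules "${2:-eth0}" ;;
esac
```

The per-address node constraints (the "one ip address" and "pbs kids" cases) fit the same scheme: match the destination with `-d <address>` in the SECMARK rule, give those packets their own packet type, and allow only the intended domain `send recv` on it. Two things to check before relying on this: the policy's class list must declare `packet` with `send` and `recv` (refpolicy does), and as soon as one SECMARK rule is loaded the kernel checks every packet, so any domain that is not allowed the unlabeled_t packet permissions refpolicy grants by default will start showing `packet` denials in the audit log.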