Hello,
I have been using the same policy, which I have customized, for a few years now. When I upgrade my OS (I believe I originally developed the policy on Fedora 6) I use the same policy and compile it with the new compiler. The message from checkpolicy when I started using this policy was that the binary representation was version 6. I upgraded to version 7 and version 8 without any difficulties. I have recently upgraded to a version of the compiler that outputs version 10. With this version all constraints on both netif and node have no effect on my policy. I have done some troubleshooting by simplifying the personalized policy to the point that now I am only looking at the following constraint:
constrain netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_send tcp_recv udp_send udp_recv }
( t1 == can_access_internet and r1 == standard_r );
I had previously been able to successfully constrain Eth0, as well as several nodes I had defined. One of these constraints was for an rdc connection to a company server (used on a "work" user account), which was restricted to one IP address; and another was for my young son, to keep him limited to his "pbs kids" site. This is the primary reason I have used SELinux, although I am sure the other protections have been helpful as well. I have already upgraded the policy to the most recent reference policy in an effort to resolve the issue. The only result was additional difficulties which were the result of labeling changes in the policy. After resolving those difficulties, I am back to my original problem. I am wondering what changes have been made in the policy compiler that could cause this change in behavior, and how I need to modify my policy in order to get the node and netif based constraints working again. If anyone has any ideas that would help me to resolve the problem I would appreciate it.
-Ken-
On Fri, 2010-01-08 at 17:13 -0700, Mantaray wrote:
It isn't the policy compiler but rather the kernel permission checks that have changed. http://paulmoore.livejournal.com/4281.html
Your options are to use secmark or to use the newer ingress/egress checks, but note that using either requires additional configuration (iptables for secmark, labeled networking for ingress/egress).
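As an added illustration of the secmark route Stephen mentions (this is not code from the thread, and not from the reference policy): a script that reproduces the old netif constraint (only one domain may use eth0) and the old node constraint (the "work" account may reach one server) with SECMARK packet labels instead. It assumes the domain type `can_access_internet` from the original constraint, a domain `work_t` for the "work" account, the interface name eth0, and a made-up server address and port (203.0.113.10, TCP 3389); all of those are assumptions to be replaced with the real names.

```shell
#!/bin/bash
# Added example, not from the thread: replace a netif/node constraint with
# SECMARK packet labels. Assumed names: can_access_internet (the domain type
# in the original constraint), work_t (domain of the "work" account), eth0,
# and a company server address/port chosen only for illustration.
set -eu

IFACE=eth0
WORK_SERVER=203.0.113.10     # assumption: company server (TEST-NET-3 address)
WORK_PORT=3389               # assumption: remote-desktop port
INET_CTX=system_u:object_r:internet_packet_t:s0
WORK_CTX=system_u:object_r:work_server_packet_t:s0

# Source of the policy module that declares the packet types and says who
# may use them; this is what replaces the old netif/node constraint.
policy_module_te() {
cat <<'EOF'
module secmark_internet 1.0;

require {
    type can_access_internet;   # assumed: domain allowed to reach the internet
    type work_t;                # assumed: domain of the "work" account
    type iptables_t;
    type unlabeled_t;
    attribute domain;
    class packet { send recv relabelto };
}

type internet_packet_t;        # label for traffic entering or leaving eth0
type work_server_packet_t;     # label for traffic to the company server

# The netif rule: only this domain may talk through eth0.
allow can_access_internet internet_packet_t:packet { send recv };
# The node rule: the work account may talk to the one server and to nothing
# else on eth0, because it gets no rule for internet_packet_t.
allow work_t work_server_packet_t:packet { send recv };

# Once any SECMARK rule is loaded, packets matching no rule carry unlabeled_t
# (loopback, LAN); every domain must still be allowed to use those.
allow domain unlabeled_t:packet { send recv };

# iptables applies the labels, which needs relabelto on each packet type.
allow iptables_t { internet_packet_t work_server_packet_t }:packet relabelto;
EOF
}

# The iptables side. SECMARK does not stop rule traversal, so the last matching
# SECMARK rule wins: the catch-all eth0 rule comes first and the more specific
# work-server rule after it. CONNSECMARK copies the label onto the conntrack
# entry so replies and later packets of the same connection get it back.
secmark_rules() {
cat <<EOF
iptables -t mangle -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -o $IFACE -m conntrack --ctstate NEW -j SECMARK --selctx $INET_CTX
iptables -t mangle -A INPUT  -i $IFACE -m conntrack --ctstate NEW -j SECMARK --selctx $INET_CTX
iptables -t mangle -A OUTPUT -o $IFACE -d $WORK_SERVER -p tcp --dport $WORK_PORT -m conntrack --ctstate NEW -j SECMARK --selctx $WORK_CTX
iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j CONNSECMARK --save
iptables -t mangle -A INPUT  -m conntrack --ctstate NEW -j CONNSECMARK --save
EOF
}

# Build and load the module, then install the rules. Needs root plus
# checkpolicy and policycoreutils; review the output of secmark_rules first.
apply_secmark() {
    local dir
    dir=$(mktemp -d)
    policy_module_te > "$dir/secmark_internet.te"
    checkmodule -M -m -o "$dir/secmark_internet.mod" "$dir/secmark_internet.te"
    semodule_package -o "$dir/secmark_internet.pp" -m "$dir/secmark_internet.mod"
    semodule -i "$dir/secmark_internet.pp"
    secmark_rules | sh -e
    rm -rf "$dir"
}

# Nothing is changed on the system unless the script is run as: ./secmark.sh apply
if [ "${1:-}" = apply ]; then
    apply_secmark
fi
```

Run it with the `apply` argument as root once the assumed names are replaced; `secmark_rules` alone just prints the rules for review. A domain that is cut off afterwards shows up in the audit log as an AVC denial with tclass=packet and the packet type as the target, which is the easiest way to confirm the labels are being applied. The other route Stephen mentions, the ingress/egress checks, needs NetLabel (labeled networking) configured instead of iptables and is not shown here.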
Stephen Smalley wrote:
Thank you. I have only glanced at the info in the article(s), but it looks like it will be very helpful. It also looks like it will be easier to manage any changes I might need to make than it used to be.
-Ken-
selinux@lists.fedoraproject.org