Constraints on netif and nodes no longer working after upgrading policy compiler

Mantaray mantaray_1 at cox.net
Mon Jan 11 20:16:28 UTC 2010


Stephen Smalley wrote:
> On Fri, 2010-01-08 at 17:13 -0700, Mantaray wrote:
>> Hello,
>>
>> I have been using the same policy, which I have customized, for a few 
>> years now.  When I upgrade my OS (I believe I originally developed the 
>> policy on Fedora 6) I use the same policy and compile it with the new 
>> compiler.  The message from checkpolicy when I started using this policy 
>> was that the binary representation was version 6.  I upgraded to version 
>> 7 and version 8 without any difficulties.  I have recently upgraded to a 
>> version of the compiler that outputs version 10.  With this version all 
>> constraints on both netif and node have no effect on my policy.  I have 
>> done some troubleshooting by simplifying the personalized policy to the 
>> point that now I am only looking at the following constraint:
>>
>> constrain netif { dccp_recv dccp_send egress ingress rawip_recv 
>> rawip_send tcp_send tcp_recv udp_send udp_recv }
>>
>> (
>> 	t1 == can_access_internet and r1 == standard_r
>> );
>>
>> I had previously been able to successfully constrain Eth0, as well as 
>> several nodes I had defined.  One of these constraints was for an rdc 
>> connection to a company server (used on a "work" user account), which 
>> was restricted to one ip address; and another was for my young son, to 
>> keep him limited to his "pbs kids" site.  This is the primary reason I 
>> have used SELinux, although I am sure the other protections have been 
>> helpful as well.
>> I have already upgraded the policy to the most recent reference policy 
>> in an effort to resolve the issue.  The only result was additional 
>> difficulties which were the result of labeling changes in the policy. 
>> After resolving those difficulties, I am back to my original problem.
>> I am wondering what changes have been made in the policy compiler that 
>> could cause this change in behavior, and how I need to modify my policy 
>> in order to get the node and netif based constraints working again.  If 
>> anyone has any ideas that would help me to resolve the problem I would 
>> appreciate it.
> 
> It isn't the policy compiler but rather the kernel permission checks
> that have changed.
> http://paulmoore.livejournal.com/4281.html
> 
> Your options are to use secmark or to use the newer ingress/egress
> checks, but note that using either requires additional configuration
> (iptables for secmark, labeled networking for ingress/egress).
> 

Thank you.  I have only glanced at the info in the article(s), but it 
looks like it will be very helpful.  It also looks like it will be 
easier to manage any changes I might need to make than it used to be.

-Ken-