Constraints on netif and nodes no longer working after upgrading policy compiler
Mantaray
mantaray_1 at cox.net
Mon Jan 11 20:16:28 UTC 2010
Stephen Smalley wrote:
> On Fri, 2010-01-08 at 17:13 -0700, Mantaray wrote:
>> Hello,
>>
>> I have been using the same policy, which I have customized, for a few
>> years now. When I upgrade my OS (I believe I originally developed the
>> policy on Fedora 6) I use the same policy and compile it with the new
>> compiler. The message from checkpolicy when I started using this policy
>> was that the binary representation was version 6. I upgraded to version
>> 7 and version 8 without any difficulties. I have recently upgraded to a
>> version of the compiler that outputs version 10. With this version all
>> constraints on both netif and node have no effect on my policy. I have
>> done some troubleshooting by simplifying the personalized policy to the
>> point that now I am only looking at the following constraint:
>>
>> constrain netif { dccp_recv dccp_send egress ingress rawip_recv
>> rawip_send tcp_send tcp_recv udp_send udp_recv }
>>
>> (
>> t1 == can_access_internet and r1 == standard_r
>> );
>>
>> I had previously been able to successfully constrain Eth0, as well as
>> several nodes I had defined. One of these constraints was for an rdc
>> connection to a company server (used on a "work" user account), which
>> was restricted to one ip address; and another was for my young son, to
>> keep him limited to his "pbs kids" site. This is the primary reason I
>> have used SELinux, although I am sure the other protections have been
>> helpful as well.
>> I have already upgraded the policy to the most recent reference policy
>> in an effort to resolve the issue. The only result was additional
>> difficulties which were the result of labeling changes in the policy.
>> After resolving those difficulties, I am back to my original problem.
>> I am wondering what changes have been made in the policy compiler that
>> could cause this change in behavior, and how I need to modify my policy
>> in order to get the node and netif based constraints working again. If
>> anyone has any ideas that would help me to resolve the problem I would
>> appreciate it.
>
> It isn't the policy compiler but rather the kernel permission checks
> that have changed.
> http://paulmoore.livejournal.com/4281.html
>
> Your options are to use secmark or to use the newer ingress/egress
> checks, but note that using either requires additional configuration
> (iptables for secmark, labeled networking for ingress/egress).
>
Thank you. I have only glanced at the info in the article(s), but it
looks like it will be very helpful. It also looks like it will be
easier to manage any changes I might need to make than it used to be.
-Ken-
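As an added illustration of the secmark option Stephen points to (this is not code from the thread or from the reference policy project), the script below emits the netfilter rules and the policy fragment that confine one SELinux domain to one remote server, which is what the old `constrain netif`/`node` rule did for the "work" account. Every name in it is an assumption: `work_t` for the confined domain, `rdc_server_packet_t` for the packet type, and `203.0.113.10:3389` as a constructed server address. By default it only prints the rules; `apply` runs them, which needs root and a kernel with SECMARK support.

```shell
#!/bin/sh
# Added example (not from the thread): generate the SECMARK/CONNSECMARK
# rules and policy fragment that replace a netif/node constraint.
# Assumed names: work_t (domain), rdc_server_packet_t (packet type),
# 203.0.113.10:3389 (constructed address, RFC 5737 range).

DOMAIN="${DOMAIN:-work_t}"
PACKET_TYPE="${PACKET_TYPE:-rdc_server_packet_t}"
SERVER_IP="${SERVER_IP:-203.0.113.10}"
SERVER_PORT="${SERVER_PORT:-3389}"

# Print the iptables rules, one per line, without applying them.
secmark_rules() {
    ctx="system_u:object_r:${PACKET_TYPE}:s0"
    # Re-apply the label saved on the conntrack entry to every packet of a
    # known flow, in both directions, so replies carry the same packet type.
    printf '%s\n' "iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
    printf '%s\n' "iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
    # Label only new outbound flows to the permitted server.
    printf '%s\n' "iptables -t mangle -A OUTPUT -d ${SERVER_IP} -p tcp --dport ${SERVER_PORT} -m state --state NEW -j SECMARK --selctx ${ctx}"
    # Save whatever label the new flow has (possibly none) onto conntrack.
    printf '%s\n' "iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save"
}

# Print the policy fragment that pairs with those rules (refpolicy style).
policy_snippet() {
    cat <<EOF
# Packet type for traffic to the permitted server (assumed name).
type ${PACKET_TYPE};
corenet_packet(${PACKET_TYPE})
# ${DOMAIN} may send/receive only packets carrying that label. Anything the
# rules above did not label is unlabeled_t, so omitting
# corenet_sendrecv_unlabeled_packets(${DOMAIN}) denies every other flow.
allow ${DOMAIN} ${PACKET_TYPE}:packet { send recv };
EOF
}

# Number of rule lines that attach or restore a label (sanity check).
count_labelling_rules() {
    secmark_rules | grep -c -e '-j SECMARK' -e '-j CONNSECMARK'
}

# Apply the rules for real (root and a SECMARK-capable kernel required).
apply_rules() {
    secmark_rules | while read -r line; do $line || return 1; done
}

case "${1:-}" in
    apply)  apply_rules ;;
    policy) policy_snippet ;;
    *)      secmark_rules ;;
esac
```

The two `CONNSECMARK --restore` rules matter as much as the `SECMARK` rule: without them only the first packet of the connection is labelled and the domain's `recv` check on the reply fails, which looks exactly like a broken constraint. The ingress/egress alternative Stephen mentions instead labels by interface and peer through NetLabel, which this script does not set up.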