* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Paul Moore @ 2017-11-27 16:17 UTC
To: Dan Jurgens, selinux; +Cc: pebenito, refpolicy, honli

On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <honli@redhat.com>
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> Tested-by: Honggang LI <honli@redhat.com>
> ---
>  networkmanager.te | 2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy, we enable the controls; otherwise we disable them.

> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
>  optional_policy(`
>  	avahi_domtrans(NetworkManager_t)
>  	avahi_kill(NetworkManager_t)
> --
> 1.7.1

--
paul moore
www.paul-moore.com
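Review bot: the new `corenet_ib_access_unlabeled_pkeys(NetworkManager_t)` line in the hunk carries no comment, and the commit message explains it only as "For controlling IPoIB VLANs"; a short comment above the call saying that IPoIB child (VLAN) interfaces are keyed by pkey, plus a commit message that records why the grant is needed, would make the rule reviewable later. Two smaller points: the interface covers only pkeys that carry no label in the loaded policy, so a site that labels its pkeys with ibpkeycon will still need NetworkManager_t allowed to those labeled types; and refpolicy keeps kernel-layer calls such as corenet_* grouped ahead of the userdom_* calls, so the new line sits outside its usual place in the file.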
* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Paul Moore @ 2017-11-27 16:19 UTC
To: Dan Jurgens, selinux; +Cc: pebenito, honli, refpolicy

On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <honli@redhat.com>
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> Tested-by: Honggang LI <honli@redhat.com>
> ---
>  networkmanager.te | 2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

[NOTE: resending due to a typo in the refpol mailing list address]

We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy, we enable the controls; otherwise we disable them.

> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
>  optional_policy(`
>  	avahi_domtrans(NetworkManager_t)
>  	avahi_kill(NetworkManager_t)
> --
> 1.7.1

--
paul moore
www.paul-moore.com
* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Daniel Jurgens @ 2017-11-27 20:04 UTC
To: Paul Moore, selinux; +Cc: pebenito, honli, refpolicy

On 11/27/2017 10:19 AM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> For controlling IPoIB VLANs
>>
>> Reported-by: Honggang LI <honli@redhat.com>
>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>> Tested-by: Honggang LI <honli@redhat.com>
>> ---
>>  networkmanager.te | 2 ++
>>  1 files changed, 2 insertions(+), 0 deletions(-)
> [NOTE: resending due to a typo in the refpol mailing list address]
>
> We obviously need something like this now so we don't break IPoIB, but
> I wonder if we should make the IB access controls dynamic like the
> per-packet network access controls. We could key off the presence of
> the IB pkey and endport definitions: if there are any objects defined
> in the loaded policy, we enable the controls; otherwise we disable them.

I think I understand what you're saying, Paul, but I'm not clear on the
mechanism. Are you referring to the netlabel/IPSEC enable checks? They
are wrapped up in selinux_peerlbl_enabled.

>
>> diff --git a/networkmanager.te b/networkmanager.te
>> index 76d0106..5e881f4 100644
>> --- a/networkmanager.te
>> +++ b/networkmanager.te
>> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>>
>> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
>> +
>>  optional_policy(`
>>  	avahi_domtrans(NetworkManager_t)
>>  	avahi_kill(NetworkManager_t)
>> --
>> 1.7.1
* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Paul Moore @ 2017-11-27 22:50 UTC
To: Daniel Jurgens; +Cc: selinux, pebenito, honli, refpolicy

On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
> On 11/27/2017 10:19 AM, Paul Moore wrote:
>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>
>>> For controlling IPoIB VLANs
>>>
>>> Reported-by: Honggang LI <honli@redhat.com>
>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>> Tested-by: Honggang LI <honli@redhat.com>
>>> ---
>>>  networkmanager.te | 2 ++
>>>  1 files changed, 2 insertions(+), 0 deletions(-)
>> [NOTE: resending due to a typo in the refpol mailing list address]
>>
>> We obviously need something like this now so we don't break IPoIB, but
>> I wonder if we should make the IB access controls dynamic like the
>> per-packet network access controls. We could key off the presence of
>> the IB pkey and endport definitions: if there are any objects defined
>> in the loaded policy, we enable the controls; otherwise we disable them.
>
> I think I understand what you're saying, Paul, but I'm not clear on the
> mechanism. Are you referring to the netlabel/IPSEC enable checks? They
> are wrapped up in selinux_peerlbl_enabled.

Basically, yes. We could add a new variable/function that gates the
access control checks in selinux_ib_pkey_access() and
selinux_ib_endport_manage_subnet(); the checks would be enabled when
there was Infiniband configuration loaded with the policy. Without
the IB config loaded, all the checks would end up being just a domain
check against unlabeled_t, which isn't very interesting, so we would
just drop the checks.

--
paul moore
www.paul-moore.com
* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Chris PeBenito @ 2017-11-29 1:25 UTC
To: Paul Moore, Daniel Jurgens; +Cc: selinux, honli, refpolicy

On 11/27/2017 05:50 PM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
>> On 11/27/2017 10:19 AM, Paul Moore wrote:
>>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>
>>>> For controlling IPoIB VLANs
>>>>
>>>> Reported-by: Honggang LI <honli@redhat.com>
>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>>> Tested-by: Honggang LI <honli@redhat.com>
>>>> ---
>>>>  networkmanager.te | 2 ++
>>>>  1 files changed, 2 insertions(+), 0 deletions(-)
>>> [NOTE: resending due to a typo in the refpol mailing list address]
>>>
>>> We obviously need something like this now so we don't break IPoIB, but
>>> I wonder if we should make the IB access controls dynamic like the
>>> per-packet network access controls. We could key off the presence of
>>> the IB pkey and endport definitions: if there are any objects defined
>>> in the loaded policy, we enable the controls; otherwise we disable them.
>>
>> I think I understand what you're saying, Paul, but I'm not clear on the
>> mechanism. Are you referring to the netlabel/IPSEC enable checks? They
>> are wrapped up in selinux_peerlbl_enabled.
>
> Basically, yes. We could add a new variable/function that gates the
> access control checks in selinux_ib_pkey_access() and
> selinux_ib_endport_manage_subnet(); the checks would be enabled when
> there was Infiniband configuration loaded with the policy. Without
> the IB config loaded, all the checks would end up being just a domain
> check against unlabeled_t, which isn't very interesting, so we would
> just drop the checks.

As long as it also respects policycap always_check_network, it works for me.

--
Chris PeBenito
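The gate Paul Moore sketches for selinux_ib_pkey_access(), together with Chris PeBenito's always_check_network caveat, as an added user-space C model that is not kernel or refpolicy code: the check is skipped unless the loaded policy carries ibpkeycon/ibendportcon rules or the policycap is set, and a pkey that no rule matches falls back to unlabeled_t. The struct layout, the "storage_pkey_t" type, the subnet prefix and the pkey values are constructed for illustration.

```c
/* Added example (user-space model, not kernel or refpolicy code) of the gate Paul
 * Moore proposes for selinux_ib_pkey_access(), with Chris PeBenito's caveat that
 * policycap always_check_network still forces the check. Names/values constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define UNLABELED_T "unlabeled_t"
struct pkey_rule  { uint64_t subnet_prefix; uint16_t pkey; const char *type; };
struct allow_rule { const char *domain; const char *pkey_type; };
struct policy {
    bool always_check_network;                          /* policycap */
    const struct pkey_rule  *pkeys;  size_t npkeys;     /* ibpkeycon rules */
    size_t nendports;                                   /* ibendportcon rules */
    const struct allow_rule *allows; size_t nallows;    /* allow <dom> <type>:infiniband_pkey access */
};

/* Analogue of selinux_peerlbl_enabled(): IB checks run only if the loaded
 * policy labels IB objects, or always_check_network forces them on. */
static bool ib_checks_enabled(const struct policy *p) {
    return p->always_check_network || p->npkeys > 0 || p->nendports > 0;
}

/* ibpkeycon lookup keyed on subnet prefix + pkey; no match means unlabeled_t. */
static const char *pkey_type(const struct policy *p, uint64_t prefix, uint16_t pkey) {
    for (size_t i = 0; i < p->npkeys; i++)
        if (p->pkeys[i].subnet_prefix == prefix && p->pkeys[i].pkey == pkey)
            return p->pkeys[i].type;
    return UNLABELED_T;
}

/* Gated check: 0 = allow, -13 (-EACCES) = deny. */
static int ib_pkey_access(const struct policy *p, const char *domain, uint64_t prefix, uint16_t pkey) {
    if (!ib_checks_enabled(p))
        return 0;   /* only a domain-vs-unlabeled_t check would remain, so skip it */
    const char *type = pkey_type(p, prefix, pkey);
    for (size_t i = 0; i < p->nallows; i++)
        if (!strcmp(p->allows[i].domain, domain) && !strcmp(p->allows[i].pkey_type, type))
            return 0;
    return -13;
}

/* Constructed policies; NM_UNLABELED is what the patch's interface call grants. */
static const struct allow_rule NM_UNLABELED[] = { { "NetworkManager_t", UNLABELED_T } };
static const struct pkey_rule  STORAGE_PKEY[] = { { 0xfe80000000000000ULL, 0x8001, "storage_pkey_t" } };
static const struct policy POLICY_NO_IB   = { false, NULL, 0, 0, NM_UNLABELED, 1 };
static const struct policy POLICY_WITH_IB = { false, STORAGE_PKEY, 1, 0, NM_UNLABELED, 1 };
static const struct policy POLICY_ALWAYS  = { true, NULL, 0, 0, NM_UNLABELED, 1 };

int main(void) {
    const uint64_t sp = 0xfe80000000000000ULL;
    printf("no IB config, other_t on 0x7fff:       %d\n", ib_pkey_access(&POLICY_NO_IB, "other_t", sp, 0x7fff));
    printf("IB config, NetworkManager_t on 0x7fff: %d\n", ib_pkey_access(&POLICY_WITH_IB, "NetworkManager_t", sp, 0x7fff));
    printf("IB config, NetworkManager_t on 0x8001: %d\n", ib_pkey_access(&POLICY_WITH_IB, "NetworkManager_t", sp, 0x8001));
    printf("always_check_network, other_t:         %d\n", ib_pkey_access(&POLICY_ALWAYS, "other_t", sp, 0x7fff));
}
```

The third case is the caveat from the review: once a site labels a pkey, the unlabeled grant no longer covers it and NetworkManager_t needs a rule for the labeled type.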