Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys

All of lore.kernel.org
 help / color / mirror / Atom feed

* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
       [not found] <1511791439-15957-1-git-send-email-danielj@mellanox.com>
@ 2017-11-27 16:17 ` Paul Moore
  2017-11-27 16:19   ` [refpolicy] " Paul Moore
  1 sibling, 0 replies; 9+ messages in thread
From: Paul Moore @ 2017-11-27 16:17 UTC (permalink / raw)
  To: Dan Jurgens, selinux; +Cc: pebenito, refpolicy, honli

On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <honli@redhat.com>
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> Tested-by: Honggang LI <honli@redhat.com>
> ---
>  networkmanager.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls.  We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.

> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
>  optional_policy(`
>         avahi_domtrans(NetworkManager_t)
>         avahi_kill(NetworkManager_t)
> --
> 1.7.1

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
       [not found] <1511791439-15957-1-git-send-email-danielj@mellanox.com>
@ 2017-11-27 16:19   ` Paul Moore
  2017-11-27 16:19   ` [refpolicy] " Paul Moore
  1 sibling, 0 replies; 9+ messages in thread
From: Paul Moore @ 2017-11-27 16:19 UTC (permalink / raw)
  To: Dan Jurgens, selinux; +Cc: pebenito, honli, refpolicy

On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <honli@redhat.com>
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> Tested-by: Honggang LI <honli@redhat.com>
> ---
>  networkmanager.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

[NOTE: resending due to a typo in the refpol mailing list address]

We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls.  We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.

> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
>  optional_policy(`
>         avahi_domtrans(NetworkManager_t)
>         avahi_kill(NetworkManager_t)
> --
> 1.7.1

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [refpolicy] [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
@ 2017-11-27 16:19   ` Paul Moore
  0 siblings, 0 replies; 9+ messages in thread
From: Paul Moore @ 2017-11-27 16:19 UTC (permalink / raw)
  To: refpolicy

On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <honli@redhat.com>
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> Tested-by: Honggang LI <honli@redhat.com>
> ---
>  networkmanager.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

[NOTE: resending due to a typo in the refpol mailing list address]

We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls.  We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.

> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
>  optional_policy(`
>         avahi_domtrans(NetworkManager_t)
>         avahi_kill(NetworkManager_t)
> --
> 1.7.1

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
  2017-11-27 16:19   ` [refpolicy] " Paul Moore
@ 2017-11-27 20:04     ` Daniel Jurgens
  -1 siblings, 0 replies; 9+ messages in thread
From: Daniel Jurgens @ 2017-11-27 20:04 UTC (permalink / raw)
  To: Paul Moore, selinux; +Cc: pebenito, honli, refpolicy

On 11/27/2017 10:19 AM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> For controlling IPoIB VLANs
>>
>> Reported-by: Honggang LI <honli@redhat.com>
>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>> Tested-by: Honggang LI <honli@redhat.com>
>> ---
>>  networkmanager.te |    2 ++
>>  1 files changed, 2 insertions(+), 0 deletions(-)
> [NOTE: resending due to a typo in the refpol mailing list address]
>
> We obviously need something like this now so we don't break IPoIB, but
> I wonder if we should make the IB access controls dynamic like the
> per-packet network access controls.  We could key off the presence of
> the IB pkey and endport definitions: if there are any objects defined
> in the loaded policy we enable the controls, otherwise we disable
> them.

I think I understand what you're saying Paul, but I'm not clear on the mechanism.  Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.

>
>> diff --git a/networkmanager.te b/networkmanager.te
>> index 76d0106..5e881f4 100644
>> --- a/networkmanager.te
>> +++ b/networkmanager.te
>> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>>
>> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
>> +
>>  optional_policy(`
>>         avahi_domtrans(NetworkManager_t)
>>         avahi_kill(NetworkManager_t)
>> --
>> 1.7.1

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [refpolicy] [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
@ 2017-11-27 20:04     ` Daniel Jurgens
  0 siblings, 0 replies; 9+ messages in thread
From: Daniel Jurgens @ 2017-11-27 20:04 UTC (permalink / raw)
  To: refpolicy

On 11/27/2017 10:19 AM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> For controlling IPoIB VLANs
>>
>> Reported-by: Honggang LI <honli@redhat.com>
>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>> Tested-by: Honggang LI <honli@redhat.com>
>> ---
>>  networkmanager.te |    2 ++
>>  1 files changed, 2 insertions(+), 0 deletions(-)
> [NOTE: resending due to a typo in the refpol mailing list address]
>
> We obviously need something like this now so we don't break IPoIB, but
> I wonder if we should make the IB access controls dynamic like the
> per-packet network access controls.  We could key off the presence of
> the IB pkey and endport definitions: if there are any objects defined
> in the loaded policy we enable the controls, otherwise we disable
> them.

I think I understand what you're saying Paul, but I'm not clear on the mechanism.? Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.

>
>> diff --git a/networkmanager.te b/networkmanager.te
>> index 76d0106..5e881f4 100644
>> --- a/networkmanager.te
>> +++ b/networkmanager.te
>> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>>  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>>  userdom_dontaudit_use_user_ttys(NetworkManager_t)
>>
>> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
>> +
>>  optional_policy(`
>>         avahi_domtrans(NetworkManager_t)
>>         avahi_kill(NetworkManager_t)
>> --
>> 1.7.1

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
  2017-11-27 20:04     ` [refpolicy] " Daniel Jurgens
@ 2017-11-27 22:50       ` Paul Moore
  -1 siblings, 0 replies; 9+ messages in thread
From: Paul Moore @ 2017-11-27 22:50 UTC (permalink / raw)
  To: Daniel Jurgens; +Cc: selinux, pebenito, honli, refpolicy

On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
> On 11/27/2017 10:19 AM, Paul Moore wrote:
>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>
>>> For controlling IPoIB VLANs
>>>
>>> Reported-by: Honggang LI <honli@redhat.com>
>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>> Tested-by: Honggang LI <honli@redhat.com>
>>> ---
>>>  networkmanager.te |    2 ++
>>>  1 files changed, 2 insertions(+), 0 deletions(-)
>> [NOTE: resending due to a typo in the refpol mailing list address]
>>
>> We obviously need something like this now so we don't break IPoIB, but
>> I wonder if we should make the IB access controls dynamic like the
>> per-packet network access controls.  We could key off the presence of
>> the IB pkey and endport definitions: if there are any objects defined
>> in the loaded policy we enable the controls, otherwise we disable
>> them.
>
> I think I understand what you're saying Paul, but I'm not clear on the mechanism.  Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.

Basically, yes.  We could add a new variable/function that gates the
access control checks in selinux_ib_pkey_access() and
selinux_ib_endport_manage_subnet(); the checks would be enabled when
there was Infiniband configuration loaded with the policy.  Without
the IB config loaded, all the checks would end up being just a domain
check against unlabeled_t, which isn't very interesting, so we would
just drop the checks.

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [refpolicy] [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
@ 2017-11-27 22:50       ` Paul Moore
  0 siblings, 0 replies; 9+ messages in thread
From: Paul Moore @ 2017-11-27 22:50 UTC (permalink / raw)
  To: refpolicy

On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
> On 11/27/2017 10:19 AM, Paul Moore wrote:
>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>
>>> For controlling IPoIB VLANs
>>>
>>> Reported-by: Honggang LI <honli@redhat.com>
>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>> Tested-by: Honggang LI <honli@redhat.com>
>>> ---
>>>  networkmanager.te |    2 ++
>>>  1 files changed, 2 insertions(+), 0 deletions(-)
>> [NOTE: resending due to a typo in the refpol mailing list address]
>>
>> We obviously need something like this now so we don't break IPoIB, but
>> I wonder if we should make the IB access controls dynamic like the
>> per-packet network access controls.  We could key off the presence of
>> the IB pkey and endport definitions: if there are any objects defined
>> in the loaded policy we enable the controls, otherwise we disable
>> them.
>
> I think I understand what you're saying Paul, but I'm not clear on the mechanism.  Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.

Basically, yes.  We could add a new variable/function that gates the
access control checks in selinux_ib_pkey_access() and
selinux_ib_endport_manage_subnet(); the checks would be enabled when
there was Infiniband configuration loaded with the policy.  Without
the IB config loaded, all the checks would end up being just a domain
check against unlabeled_t, which isn't very interesting, so we would
just drop the checks.

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
  2017-11-27 22:50       ` [refpolicy] " Paul Moore
@ 2017-11-29  1:25         ` Chris PeBenito
  -1 siblings, 0 replies; 9+ messages in thread
From: Chris PeBenito @ 2017-11-29  1:25 UTC (permalink / raw)
  To: Paul Moore, Daniel Jurgens; +Cc: selinux, honli, refpolicy

On 11/27/2017 05:50 PM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
>> On 11/27/2017 10:19 AM, Paul Moore wrote:
>>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>
>>>> For controlling IPoIB VLANs
>>>>
>>>> Reported-by: Honggang LI <honli@redhat.com>
>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>>> Tested-by: Honggang LI <honli@redhat.com>
>>>> ---
>>>>   networkmanager.te |    2 ++
>>>>   1 files changed, 2 insertions(+), 0 deletions(-)
>>> [NOTE: resending due to a typo in the refpol mailing list address]
>>>
>>> We obviously need something like this now so we don't break IPoIB, but
>>> I wonder if we should make the IB access controls dynamic like the
>>> per-packet network access controls.  We could key off the presence of
>>> the IB pkey and endport definitions: if there are any objects defined
>>> in the loaded policy we enable the controls, otherwise we disable
>>> them.
>>
>> I think I understand what you're saying Paul, but I'm not clear on the mechanism.  Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
> 
> Basically, yes.  We could add a new variable/function that gates the
> access control checks in selinux_ib_pkey_access() and
> selinux_ib_endport_manage_subnet(); the checks would be enabled when
> there was Infiniband configuration loaded with the policy.  Without
> the IB config loaded, all the checks would end up being just a domain
> check against unlabeled_t, which isn't very interesting, so we would
> just drop the checks.

As long as it also respects policycap always_check_network, it works for me.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [refpolicy] [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
@ 2017-11-29  1:25         ` Chris PeBenito
  0 siblings, 0 replies; 9+ messages in thread
From: Chris PeBenito @ 2017-11-29  1:25 UTC (permalink / raw)
  To: refpolicy

On 11/27/2017 05:50 PM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
>> On 11/27/2017 10:19 AM, Paul Moore wrote:
>>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>
>>>> For controlling IPoIB VLANs
>>>>
>>>> Reported-by: Honggang LI <honli@redhat.com>
>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>>> Tested-by: Honggang LI <honli@redhat.com>
>>>> ---
>>>>   networkmanager.te |    2 ++
>>>>   1 files changed, 2 insertions(+), 0 deletions(-)
>>> [NOTE: resending due to a typo in the refpol mailing list address]
>>>
>>> We obviously need something like this now so we don't break IPoIB, but
>>> I wonder if we should make the IB access controls dynamic like the
>>> per-packet network access controls.  We could key off the presence of
>>> the IB pkey and endport definitions: if there are any objects defined
>>> in the loaded policy we enable the controls, otherwise we disable
>>> them.
>>
>> I think I understand what you're saying Paul, but I'm not clear on the mechanism.  Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
> 
> Basically, yes.  We could add a new variable/function that gates the
> access control checks in selinux_ib_pkey_access() and
> selinux_ib_endport_manage_subnet(); the checks would be enabled when
> there was Infiniband configuration loaded with the policy.  Without
> the IB config loaded, all the checks would end up being just a domain
> check against unlabeled_t, which isn't very interesting, so we would
> just drop the checks.

As long as it also respects policycap always_check_network, it works for me.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2017-11-29  1:49 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <1511791439-15957-1-git-send-email-danielj@mellanox.com>
2017-11-27 16:17 ` [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys Paul Moore
2017-11-27 16:19 ` Paul Moore
2017-11-27 16:19   ` [refpolicy] " Paul Moore
2017-11-27 20:04   ` Daniel Jurgens
2017-11-27 20:04     ` [refpolicy] " Daniel Jurgens
2017-11-27 22:50     ` Paul Moore
2017-11-27 22:50       ` [refpolicy] " Paul Moore
2017-11-29  1:25       ` Chris PeBenito
2017-11-29  1:25         ` [refpolicy] " Chris PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.