* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Paul Moore @ 2017-11-27 16:17 UTC
To: Dan Jurgens, selinux; +Cc: pebenito, refpolicy, honli
On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <honli@redhat.com>
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> Tested-by: Honggang LI <honli@redhat.com>
> ---
> networkmanager.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.
> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
> userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
> optional_policy(`
> avahi_domtrans(NetworkManager_t)
> avahi_kill(NetworkManager_t)
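Review bot: the new corenet_ib_access_unlabeled_pkeys(NetworkManager_t) call is placed after the userdom_* interface calls, whereas refpolicy groups interface calls by module in alphabetical order, so it belongs with the other corenet_* calls earlier in networkmanager.te rather than as a new block before the optional_policy section. Two documentation points as well: the commit message ("For controlling IPoIB VLANs") does not record the denied access that prompted the change, so the AVC denial Honggang LI reported should be quoted in it; and since the interface only covers pkeys that the loaded policy does not label (they resolve to unlabeled_t), a one-line note that systems which do label their IPoIB pkeys still need a rule for those types would save the next reader a trip through the policy.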
> --
> 1.7.1
--
paul moore
www.paul-moore.com
* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Paul Moore @ 2017-11-27 16:19 UTC
To: Dan Jurgens, selinux; +Cc: pebenito, honli, refpolicy
On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> For controlling IPoIB VLANs
>
> Reported-by: Honggang LI <honli@redhat.com>
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> Tested-by: Honggang LI <honli@redhat.com>
> ---
> networkmanager.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
[NOTE: resending due to a typo in the refpol mailing list address]
We obviously need something like this now so we don't break IPoIB, but
I wonder if we should make the IB access controls dynamic like the
per-packet network access controls. We could key off the presence of
the IB pkey and endport definitions: if there are any objects defined
in the loaded policy we enable the controls, otherwise we disable
them.
> diff --git a/networkmanager.te b/networkmanager.te
> index 76d0106..5e881f4 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
> userdom_dontaudit_use_user_ttys(NetworkManager_t)
>
> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
> +
> optional_policy(`
> avahi_domtrans(NetworkManager_t)
> avahi_kill(NetworkManager_t)
> --
> 1.7.1
--
paul moore
www.paul-moore.com
* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Daniel Jurgens @ 2017-11-27 20:04 UTC
To: Paul Moore, selinux; +Cc: pebenito, honli, refpolicy
On 11/27/2017 10:19 AM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> For controlling IPoIB VLANs
>>
>> Reported-by: Honggang LI <honli@redhat.com>
>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>> Tested-by: Honggang LI <honli@redhat.com>
>> ---
>> networkmanager.te | 2 ++
>> 1 files changed, 2 insertions(+), 0 deletions(-)
> [NOTE: resending due to a typo in the refpol mailing list address]
>
> We obviously need something like this now so we don't break IPoIB, but
> I wonder if we should make the IB access controls dynamic like the
> per-packet network access controls. We could key off the presence of
> the IB pkey and endport definitions: if there are any objects defined
> in the loaded policy we enable the controls, otherwise we disable
> them.
I think I understand what you're saying, Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
>
>> diff --git a/networkmanager.te b/networkmanager.te
>> index 76d0106..5e881f4 100644
>> --- a/networkmanager.te
>> +++ b/networkmanager.te
>> @@ -184,6 +184,8 @@ userdom_write_user_tmp_sockets(NetworkManager_t)
>> userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
>> userdom_dontaudit_use_user_ttys(NetworkManager_t)
>>
>> +corenet_ib_access_unlabeled_pkeys(NetworkManager_t)
>> +
>> optional_policy(`
>> avahi_domtrans(NetworkManager_t)
>> avahi_kill(NetworkManager_t)
>> --
>> 1.7.1
* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Paul Moore @ 2017-11-27 22:50 UTC
To: Daniel Jurgens; +Cc: selinux, pebenito, honli, refpolicy
On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
> On 11/27/2017 10:19 AM, Paul Moore wrote:
>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>
>>> For controlling IPoIB VLANs
>>>
>>> Reported-by: Honggang LI <honli@redhat.com>
>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>> Tested-by: Honggang LI <honli@redhat.com>
>>> ---
>>> networkmanager.te | 2 ++
>>> 1 files changed, 2 insertions(+), 0 deletions(-)
>> [NOTE: resending due to a typo in the refpol mailing list address]
>>
>> We obviously need something like this now so we don't break IPoIB, but
>> I wonder if we should make the IB access controls dynamic like the
>> per-packet network access controls. We could key off the presence of
>> the IB pkey and endport definitions: if there are any objects defined
>> in the loaded policy we enable the controls, otherwise we disable
>> them.
>
> I think I understand what you're saying Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
Basically, yes. We could add a new variable/function that gates the
access control checks in selinux_ib_pkey_access() and
selinux_ib_endport_manage_subnet(); the checks would be enabled when
there was Infiniband configuration loaded with the policy. Without
the IB config loaded, all the checks would end up being just a domain
check against unlabeled_t, which isn't very interesting, so we would
just drop the checks.
--
paul moore
www.paul-moore.com
* Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys
From: Chris PeBenito @ 2017-11-29 1:25 UTC
To: Paul Moore, Daniel Jurgens; +Cc: selinux, honli, refpolicy
On 11/27/2017 05:50 PM, Paul Moore wrote:
> On Mon, Nov 27, 2017 at 3:04 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
>> On 11/27/2017 10:19 AM, Paul Moore wrote:
>>> On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens <danielj@mellanox.com> wrote:
>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>
>>>> For controlling IPoIB VLANs
>>>>
>>>> Reported-by: Honggang LI <honli@redhat.com>
>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>>> Tested-by: Honggang LI <honli@redhat.com>
>>>> ---
>>>> networkmanager.te | 2 ++
>>>> 1 files changed, 2 insertions(+), 0 deletions(-)
>>> [NOTE: resending due to a typo in the refpol mailing list address]
>>>
>>> We obviously need something like this now so we don't break IPoIB, but
>>> I wonder if we should make the IB access controls dynamic like the
>>> per-packet network access controls. We could key off the presence of
>>> the IB pkey and endport definitions: if there are any objects defined
>>> in the loaded policy we enable the controls, otherwise we disable
>>> them.
>>
>> I think I understand what you're saying Paul, but I'm not clear on the mechanism. Are you referring to the netlabel/IPSEC enable checks? They are wrapped up in selinux_peerlbl_enabled.
>
> Basically, yes. We could add a new variable/function that gates the
> access control checks in selinux_ib_pkey_access() and
> selinux_ib_endport_manage_subnet(); the checks would be enabled when
> there was Infiniband configuration loaded with the policy. Without
> the IB config loaded, all the checks would end up being just a domain
> check against unlabeled_t, which isn't very interesting, so we would
> just drop the checks.
As long as it also respects policycap always_check_network, it works for me.
--
Chris PeBenito
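The gating Paul Moore sketches above (skip the InfiniBand pkey check unless the loaded policy defines pkey or endport objects) together with Chris PeBenito's condition that the always_check_network policy capability still forces the check, modeled as an added example. This is illustrative user-space C written for this page, not kernel code and not part of the patch; struct ib_policy, ib_checks_enabled(), ib_pkey_access(), pkey_type(), the type name ipoib_vlan_pkey_t, the domain other_domain_t and the sample policies are all constructed. Pkeys the policy does not label resolve to unlabeled_t, which is why, with no IB objects loaded, the hook collapses to a domain check against unlabeled_t.

```c
/*
 * Added example, not kernel code and not from the patch: a user-space model
 * of gating the InfiniBand pkey check on whether the loaded policy defines
 * any IB objects, while the always_check_network policy capability forces
 * the check on regardless. All struct and function names, the type
 * ipoib_vlan_pkey_t, the domain other_domain_t and the sample policies
 * below are constructed for this illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One labeled pkey, in the shape of a policy pkey definition (constructed). */
struct pkey_label {
    unsigned long long subnet_prefix;
    unsigned short pkey;
    const char *type;
};

/* One allow rule: subject domain may access pkeys of target_type (constructed). */
struct allow_rule {
    const char *subject;
    const char *target_type;
};

/* The parts of a loaded policy this model cares about (constructed). */
struct ib_policy {
    const struct pkey_label *pkeys;
    size_t n_pkeys;
    size_t n_endports;              /* counted only; endport checks not modeled */
    const struct allow_rule *rules;
    size_t n_rules;
    bool cap_always_check_network;  /* policycap always_check_network */
};

/* Gate: the check runs if the policy defines any IB object, or
 * unconditionally when always_check_network is set. */
bool ib_checks_enabled(const struct ib_policy *p)
{
    if (p->cap_always_check_network)
        return true;
    return p->n_pkeys > 0 || p->n_endports > 0;
}

/* Label lookup: a pkey with no policy definition falls back to unlabeled_t. */
const char *pkey_type(const struct ib_policy *p,
                      unsigned long long subnet_prefix, unsigned short pkey)
{
    for (size_t i = 0; i < p->n_pkeys; i++)
        if (p->pkeys[i].subnet_prefix == subnet_prefix && p->pkeys[i].pkey == pkey)
            return p->pkeys[i].type;
    return "unlabeled_t";
}

/* Model of the pkey access hook: true means the access is allowed. */
bool ib_pkey_access(const struct ib_policy *p, const char *subject,
                    unsigned long long subnet_prefix, unsigned short pkey)
{
    if (!ib_checks_enabled(p))
        return true;   /* gated off: nothing meaningful to decide, so do not block */

    const char *target = pkey_type(p, subnet_prefix, pkey);
    for (size_t i = 0; i < p->n_rules; i++)
        if (strcmp(p->rules[i].subject, subject) == 0 &&
            strcmp(p->rules[i].target_type, target) == 0)
            return true;
    return false;      /* the real hook would log an AVC denial here */
}

/* Constructed sample data; the subnet prefix is the IB default prefix. */
#define SAMPLE_SUBNET 0xfe80000000000000ULL

static const struct allow_rule nm_rules[] = {
    /* the access the patch's corenet_ib_access_unlabeled_pkeys() call grants */
    { "NetworkManager_t", "unlabeled_t" },
};

static const struct pkey_label vlan_pkeys[] = {
    { SAMPLE_SUBNET, 0x8001, "ipoib_vlan_pkey_t" },
};

/* No IB objects: the gate is closed and every access passes untested. */
const struct ib_policy policy_no_ib = { NULL, 0, 0, nm_rules, 1, false };
/* No IB objects, but always_check_network: the check runs against unlabeled_t. */
const struct ib_policy policy_no_ib_strict = { NULL, 0, 0, nm_rules, 1, true };
/* One labeled pkey: the gate opens, and only the unlabeled rule exists. */
const struct ib_policy policy_labeled = { vlan_pkeys, 1, 0, nm_rules, 1, false };

int main(void)
{
    printf("no IB objects, other_domain_t, pkey 0x8001: %s\n",
           ib_pkey_access(&policy_no_ib, "other_domain_t", SAMPLE_SUBNET, 0x8001)
           ? "allowed" : "denied");
    printf("always_check_network, NetworkManager_t, pkey 0x8001: %s\n",
           ib_pkey_access(&policy_no_ib_strict, "NetworkManager_t", SAMPLE_SUBNET, 0x8001)
           ? "allowed" : "denied");
    printf("labeled pkey, NetworkManager_t, pkey 0x8001: %s\n",
           ib_pkey_access(&policy_labeled, "NetworkManager_t", SAMPLE_SUBNET, 0x8001)
           ? "allowed" : "denied");
    return 0;
}
```

The third sample policy is the case the interface name points at: once a pkey carries its own label, the unlabeled_t rule no longer covers it, so a host that labels its IPoIB pkeys needs a rule for those types in addition to the one this patch adds.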
Thread overview: 9+ messages
[not found] <1511791439-15957-1-git-send-email-danielj@mellanox.com>
2017-11-27 16:17 ` [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys Paul Moore
2017-11-27 16:19 ` Paul Moore
2017-11-27 16:19 ` [refpolicy] " Paul Moore
2017-11-27 20:04 ` Daniel Jurgens
2017-11-27 20:04 ` [refpolicy] " Daniel Jurgens
2017-11-27 22:50 ` Paul Moore
2017-11-27 22:50 ` [refpolicy] " Paul Moore
2017-11-29 1:25 ` Chris PeBenito
2017-11-29 1:25 ` [refpolicy] " Chris PeBenito