From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
To: Paul Tagliamonte <paultag@debian.org>
Cc: selinux@vger.kernel.org
Subject: Re: Configuring MLS with a daemon operating at multiple sensitivities
Date: Thu, 14 May 2020 09:55:50 -0400
Message-ID: <CAMN686H5K6Ohzd297giboVoD=Jud+k9tRvvCtJJZ8jvNmv_=HA@mail.gmail.com>
In-Reply-To: <CAO6P2QQRFBmUdjpz0GudUxyACjveCWg0yyGzz_6_5YnUQ4fLBQ@mail.gmail.com>

On Thu, May 14, 2020 at 8:45 AM Paul Tagliamonte <paultag@debian.org> wrote:
>
> Hey SELinux fans,
>
> I've been playing with MLS on a test box. The "read down/write up"
> model makes total sense, but I'm running up against an odd problem set
> and trying to figure out how to best work this into an SELinux policy
> / configuration.
>
> I'm interested in having a daemon that operates at multiple sensitivity
> levels depending on the security context of the peer network
> connection (within the same process, ideally, otherwise maybe
> threads?).
>
> I'm able to use NetLabel and CIPSO to mark packets with the desired
> sensitivity level, and I'm able to get that level via `getpeercon`
> during a network connection, but that connection's context hasn't been
> dominated by my process's. I'd like to either get that "combined"
> context (for instance, if my daemon is s0-s3:c1.c3 and the peer
> connection is s2-s15:c3, I'd like to see the value `s2.c3`), or to
> actually assume that role (to prevent reading/writing where it's not
> supposed to).

Joshua Brindle recently contributed a change that may get you what you want:
https://github.com/SELinuxProject/selinux/commit/9ba35fe8c280b7c91ec65b138d9f13e44ededaa9

Here is the corresponding kernel change:
https://github.com/torvalds/linux/commit/42345b68c2e3e2b6549fc34b937ff44240dfc3b6

The kernel change is in 5.5+ it seems, so you'll probably want to use
libsepol in your application.

Hope this helps.
-- 
Mike Palmiotto
https://crunchydata.com
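The "combined" context Paul describes in the quoted question, worked through as an added example that is not code from this thread or from the linked commits. It parses MLS ranges in the s0-s3:c1.c3 notation and intersects two of them, taking the least upper bound of the two low levels (higher sensitivity, union of categories) and the greatest lower bound of the two high levels (lower sensitivity, intersection of categories); the parser and that LUB/GLB choice are this example's own assumptions, and whether the linked kernel change computes exactly this is not stated in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int              # sensitivity number: "s3" -> 3
    cats: frozenset        # category numbers: "c1.c3" -> {1, 2, 3}


def parse_cats(spec):
    """Expand "c1.c3,c5" into {1, 2, 3, 5}; "cN.cM" is an inclusive run."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return frozenset(cats)


def parse_level(text):
    """Parse "s3:c1.c3" or "s0" into a Level (assumed syntax, no validation)."""
    sens, _, cats = text.partition(":")
    return Level(int(sens[1:]), parse_cats(cats))


def parse_range(text):
    """Parse "s0-s3:c1.c3" into (low, high); a lone level is its own range."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return (lo, parse_level(high) if high else lo)


def fmt_level(level):
    """Render a Level back to "sN:cA.cB,cC", compressing consecutive categories."""
    runs = []
    for c in sorted(level.cats):
        if runs and c == runs[-1][1] + 1:
            runs[-1][1] = c
        else:
            runs.append([c, c])
    text = ",".join(f"c{a}" if a == b else f"c{a}.c{b}" for a, b in runs)
    return f"s{level.sens}" + (f":{text}" if text else "")


def dominates(a, b):  # MLS dominance: sensitivity >= and categories a superset
    return a.sens >= b.sens and a.cats >= b.cats


def combined_range(r1, r2):
    """Intersect two ranges: low = LUB of the lows, high = GLB of the highs."""
    low = Level(max(r1[0].sens, r2[0].sens), r1[0].cats | r2[0].cats)
    high = Level(min(r1[1].sens, r2[1].sens), r1[1].cats & r2[1].cats)
    if not dominates(high, low):
        raise ValueError("ranges do not overlap: no valid combined range")
    return f"{fmt_level(low)}-{fmt_level(high)}"
```

For the constructed daemon range s0-s3:c1.c3 and peer range s2-s15:c3 from the question, `combined_range` yields s2-s3:c3, and it raises when the two ranges share no level at all.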

Thread overview: 7+ messages
2020-05-14 12:45 Configuring MLS with a daemon operating at multiple sensitivities Paul Tagliamonte
2020-05-14 13:55 ` Mike Palmiotto [this message]
2020-05-14 14:00   ` Paul Tagliamonte
2020-05-14 14:50     ` Stephen Smalley
2020-05-14 14:57       ` Paul Tagliamonte
2020-05-14 15:29         ` Stephen Smalley
2020-05-15  0:33           ` Paul Moore