SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] From: Kodungallur Varma <ramgwu_at_gmail.com> subject: attributes on the other end of a network connection Date: Tue, 19 Apr 2005 22:09:52 -0400 This message: [ Message body ] Next message: James Morris: "Re: attributes on the other end of a network connection" Previous message: Jason: "Re: Problems with SElinux and MySQL accessing file on /tmp" In reply to: Stephen Smalley: "Re: problems using setcon()" Next in thread: James Morris: "Re: attributes on the other end of a network connection" Reply: James Morris: "Re: attributes on the other end of a network connection" Reply: Stephen Smalley: "Re: attributes on the other end of a network connection" Hi all, I have a basic client and a server program. my server has the capability to setcon() to a new domain, the client domain precisely. my server needs to find the domain and user name of the client user(my client tries to get a tcp connection first). I heard there is a function which gives the context and attributes of the other end, given the attributes got at the servers end and vice-versa. I dont know where exactly to look for that function capability, but I am starting in the libselinux library. for security reasons, my client also needs to be able to execute this function to get the attributes of the server, just to know that it is connecting to the right server. if anyone knows about any such function, please pass on to me. thanx a lot.. Ram On 3/30/05, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Tue, 2005-03-29 at 22:41 -0500, Kodungallur Varma wrote: > > thanx a lot..the program worked. however I need to change the policy > > file(.te) often and so I need to make load it. I am unable to do that > > at the moment due to the problem that I updated the following without > > updating my policy: > > > > checkpolicy-1.22 > > libsepol-1.4 > > policycoreutils-1.22 > > > > how do I uninstall them?? > > You can grab the older checkpolicy, libsepol, and policycoreutils > packages from FC3 and re-install them with rpm -Uvh --oldpackage. > > > also I tried the alternative to update my > > policy by doing: > > "yum install selinux-policy-strict-sources" and "yum install > > selinux-policy-targeted-sources". the targeted version was updated, > > but strict had "nothing to do". seems like it is up to date. > > You would need to update to the rawhide (FC4 development) policy; FC3 > policy doesn't include these changes. > > -- > Stephen Smalley <sds@tycho.nsa.gov> > National Security Agency > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: James Morris <jmorris_at_redhat.com> subject: Re: attributes on the other end of a network connection Date: Tue, 19 Apr 2005 23:44:47 -0400 (EDT) This message: [ Message body ] Next message: Russell Coker: "linux.conf.au" Previous message: Kodungallur Varma: "attributes on the other end of a network connection" In reply to: Kodungallur Varma: "attributes on the other end of a network connection" Next in thread: Stephen Smalley: "Re: attributes on the other end of a network connection" On Tue, 19 Apr 2005, Kodungallur Varma wrote: > Hi all, > > I have a basic client and a server program. my server has the > capability to setcon() to a new domain, the client domain precisely. > my server needs to find the domain and user name of the client user(my > client tries to get a tcp connection first). I heard there is a > function which gives the context and attributes of the other end, > given the attributes got at the servers end and vice-versa. The function you're looking for is getpeercon(3), which only currently works on Unix sockets. James -- James Morris <jmorris@redhat.com> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Stephen Smalley <sds_at_tycho.nsa.gov> subject: Re: attributes on the other end of a network connection Date: Wed, 20 Apr 2005 08:19:36 -0400 This message: [ Message body ] Next message: Paul Moore: "Re: selinux-policy-mls is now available for your testing pleasure." Previous message: Stephen Smalley: "Re: selinux-policy-mls is now available for your testing pleasure." In reply to: Kodungallur Varma: "attributes on the other end of a network connection" Next in thread: Kodungallur Varma: "Re: attributes on the other end of a network connection" Reply: Kodungallur Varma: "Re: attributes on the other end of a network connection" On Tue, 2005-04-19 at 22:09 -0400, Kodungallur Varma wrote: > Hi all, > > I have a basic client and a server program. my server has the > capability to setcon() to a new domain, the client domain precisely. > my server needs to find the domain and user name of the client user(my > client tries to get a tcp connection first). I heard there is a > function which gives the context and attributes of the other end, > given the attributes got at the servers end and vice-versa. I dont > know where exactly to look for that function capability, but I am > starting in the libselinux library. for security reasons, my client > also needs to be able to execute this function to get the attributes > of the server, just to know that it is connecting to the right server. > if anyone knows about any such function, please pass on to me. thanx a lot.. That requires some form of labeled networking support, which doesn't exist in the mainline SELinux presently. Older SELinux had an experimental labeled networking implementation (Selopt) by James Morris based on CIPSO/FIPS188 options, but the necessary security hooks and fields weren't accepted into mainline Linux. Trent Jaeger of IBM has implemented implicit packet labeling based on IPSEC SA, and I believe that there is work ongoing to provide such an interface using that support, but that hasn't been merged yet. getpeercon(3) is the existing interface, but only works for Unix domain stream sockets presently, as James noted. -- Stephen Smalley <sds@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Kodungallur Varma <ramgwu_at_gmail.com> subject: Re: attributes on the other end of a network connection Date: Wed, 4 May 2005 11:30:54 -0400 This message: [ Message body ] Next message: Russell Coker: "policy for games" Previous message: Russell Coker: "restorecon policy" In reply to: Stephen Smalley: "Re: attributes on the other end of a network connection" Next in thread: Stephen Smalley: "Re: attributes on the other end of a network connection" Reply: Stephen Smalley: "Re: attributes on the other end of a network connection" Hi Stephen and all, is there any way to determine if a particular operation is permitted given a security identifier (security_context_t)? basically I want a function or a way to determine if any process/user in the domain returned by the getpeercon() is allowed to do an operation, say socket connect for example. thanx.. Ram On 4/20/05, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Tue, 2005-04-19 at 22:09 -0400, Kodungallur Varma wrote: > > Hi all, > > > > I have a basic client and a server program. my server has the > > capability to setcon() to a new domain, the client domain precisely. > > my server needs to find the domain and user name of the client user(my > > client tries to get a tcp connection first). I heard there is a > > function which gives the context and attributes of the other end, > > given the attributes got at the servers end and vice-versa. I dont > > know where exactly to look for that function capability, but I am > > starting in the libselinux library. for security reasons, my client > > also needs to be able to execute this function to get the attributes > > of the server, just to know that it is connecting to the right server. > > if anyone knows about any such function, please pass on to me. thanx a lot.. > > That requires some form of labeled networking support, which doesn't > exist in the mainline SELinux presently. Older SELinux had an > experimental labeled networking implementation (Selopt) by James Morris > based on CIPSO/FIPS188 options, but the necessary security hooks and > fields weren't accepted into mainline Linux. Trent Jaeger of IBM has > implemented implicit packet labeling based on IPSEC SA, and I believe > that there is work ongoing to provide such an interface using that > support, but that hasn't been merged yet. getpeercon(3) is the existing > interface, but only works for Unix domain stream sockets presently, as > James noted. > > -- > Stephen Smalley <sds@tycho.nsa.gov> > National Security Agency > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From: Stephen Smalley <sds_at_tycho.nsa.gov> subject: Re: attributes on the other end of a network connection Date: Thu, 05 May 2005 07:28:12 -0400 This message: [ Message body ] Next message: Daniel J Walsh: "[Fwd: Latest Diff]" Previous message: Russell Coker: "policy for games" In reply to: Kodungallur Varma: "Re: attributes on the other end of a network connection" On Wed, 2005-05-04 at 11:30 -0400, Kodungallur Varma wrote: > Hi Stephen and all, > > is there any way to determine if a particular operation is > permitted given a security identifier (security_context_t)? basically > I want a function or a way to determine if any process/user in the > domain returned by the getpeercon() is allowed to do an operation, say > socket connect for example. Yes. There are two interfaces for doing this: 1) avc_has_perm(3). This performs permission checks based on SIDs (obtained via avc_context_to_sid(3)) and caches the results for subsequent permission checks. You need to invoke avc_init(3) to perform initial setup. These functions are part of the interface to the userspace AVC (access vector cache), which is the userspace equivalent to the kernel AVC used by the SELinux module for its permission checking. The userspace AVC is discussed in the selinux-doc/uavc report. See dbus for an example of using this interface. 2) security_compute_av(3). This is the lower level interface for computing an access vector (set of permissions) based on contexts, without any caching of decisions. It requires no setup to use, and may be simpler if you don't need caching of the decisions for performance. Internally, avc_has_perm(3) ends up calling this interface if the decision is not already in the cache. Example callers include: - libselinux/src/checkAccess.c - libselinux/utils/compute_av.c - SELinux patch for cron -- Stephen Smalley <sds@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom