Commit Graph

58 Commits

Author SHA1 Message Date
Chris PeBenito d74c9bd6b8 Module version bumps for admin interfaces from Jason Zaman. 2015-07-14 11:18:35 -04:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 0735f2ca4a Module version bump for misc fixes from Sven Vermeulen. 2014-12-02 10:29:59 -05:00
Nicolas Iooss 5fb1249f37 Use create_netlink_socket_perms when allowing netlink socket creation
create_netlink_socket_perms is defined as:

    { create_socket_perms nlmsg_read nlmsg_write }

This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.

Clean up things without allowing anything new.
2014-10-23 08:07:44 -04:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito be2e70be8d Module version bump for fixes from Dominick Grift. 2013-01-03 10:53:34 -05:00
Dominick Grift 79e1e4efb9 NSCD related changes in various policy modules
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use

Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch

Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-01-03 10:43:10 -05:00
Chris PeBenito e036d3d694 Module version bump for ipsec net sysctls reading from Miroslav Grepl. 2012-10-02 10:15:31 -04:00
Miroslav Grepl 672f146fec Allow ipsec to read kernel sysctl 2012-10-02 10:14:44 -04:00
Chris PeBenito 2b70efd2f6 Module version bump for fc substitutions optimizations from Sven Vermeulen. 2012-08-15 11:00:55 -04:00
Chris PeBenito 3516535aa6 Bump module versions for release. 2012-07-25 14:33:06 -04:00
Chris PeBenito 8e00a439ef Module verion bump for simplify file contexts based on file context path substitutions, from Sven Vermeulen. 2012-05-10 10:36:06 -04:00
Chris PeBenito 7b98e4f436 Clean up stale TODOs. 2011-09-26 11:51:47 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito 127d617b31 Pull in some changes from Fedora policy system layer. 2011-04-14 11:36:56 -04:00
Chris PeBenito 4f6f347d4c Module version bump and changelog for hadoop ipsec patch from Paul Nuzzi. 2011-01-13 13:50:47 -05:00
Chris PeBenito 530ad6fc6a Whitespace fixes in corenetwork and ipsec. 2011-01-13 13:37:04 -05:00
Chris PeBenito 371908d1c8 Rename new hadoop ipsec interfaces. 2011-01-13 12:56:12 -05:00
Paul Nuzzi 6237b7241b hadoop: labeled ipsec
On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote:
> On 12/16/10 12:32, Paul Nuzzi wrote:
>> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>>> Added labeled IPSec support to hadoop.  SELinux will be able to enforce what services are allowed to
>>>> connect to.  Labeled IPSec can enforce the range of services they can receive from.  This enforces
>>>> the architecture of Hadoop without having to modify any of the code.  This adds a level of
>>>> confidentiality, integrity, and authentication provided outside the software stack.
>>>
>>> A few things.
>>>
>>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>>> (a holdover from previous labeled networking implementations).  So the
>>> interfaces are like hadoop_recvfrom_datanode().
>>
>> Easy change.
>>
>>> It seems like setkey should be able to setcontext any type used on ipsec
>>> associations.  I think the best thing would be to add additional support
>>> to either the ipsec or corenetwork modules (I haven't decided which one
>>> yet) for associations.  So, say we have an interface called
>>> ipsec_spd_type() which adds the parameter type to the attribute
>>> ipsec_spd_types.  Then we can have an allow setkey_t
>>> ipsec_spd_types:association setkey; rule and we don't have to update it
>>> every time more labeled network is added.
>>
>> That seems a lot less clunky than updating setkey every time we add a new association.
>>
>>> This is definitely wrong since its not a file:
>>> +files_type(hadoop_lan_t)
>>
>> Let me know how you would like to handle associations and I could update the
>> patch.
>
> Lets go with putting the associations in corenetwork.
>
>>  Will the files_type error be cleared up when we re-engineer this?
>
> I'm not sure what you mean.  The incorrect rule was added in your patch.
>

Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2011-01-13 08:22:32 -05:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito 90e65feca5 Ipsec patch from Dan Walsh. 2010-03-17 13:52:07 -04:00
Chris PeBenito c3c753f786 Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users. 2010-02-11 14:20:10 -05:00
Chris PeBenito 832c1be4ca IPSEC patch from Dan Walsh. 2009-11-24 14:09:10 -05:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito e6985f91ab fix ordering of interface calls in iptables. 2009-08-05 10:04:13 -04:00
Chris PeBenito 3f67f722bb trunk: whitespace fixes 2009-06-26 14:40:13 +00:00
Chris PeBenito 26410ddf54 trunk: remove unnecessary semicolons after interface/template calls. 2009-06-19 13:52:33 +00:00
Chris PeBenito 09125ae411 trunk: module version bump for previous commit. 2009-04-03 14:15:53 +00:00
Chris PeBenito d6605bc48b trunk: 3 patches from dan. 2009-04-03 14:14:43 +00:00
Chris PeBenito 17ec8c1f84 trunk: bump module versions for release. 2008-12-10 19:38:10 +00:00
Chris PeBenito 296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito 2cca6b79b4 trunk: remove redundant shared lib calls. 2008-10-17 17:31:04 +00:00
Chris PeBenito 0b36a2146e trunk: Enable open permission checks policy capability. 2008-10-16 16:09:20 +00:00
Chris PeBenito 5d4f4b5375 trunk: bump version numbers for release. 2008-10-14 15:46:36 +00:00
Chris PeBenito e0ed765c0e trunk: 3 patches from the fedora policy, cherry picked by David Hardeman. 2008-08-11 14:03:36 +00:00
Chris PeBenito cfcf5004e5 trunk: bump versions for release. 2008-07-02 14:07:57 +00:00
Chris PeBenito e9c6cda7da trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
Chris PeBenito 0a14f3ae09 trunk: bump module version numbers for release. 2008-04-02 16:04:43 +00:00
Chris PeBenito ee6608baeb trunk: 8 patches from dan. 2008-02-18 18:44:40 +00:00
Chris PeBenito f7925f25f7 trunk: bump module versions for release. 2007-12-14 14:23:18 +00:00
Chris PeBenito 02d968c581 trunk: several fc updates from dan. 2007-12-12 15:55:21 +00:00
Chris PeBenito 0aa18d9fd5 trunk: version bumps for previous commit. 2007-11-26 16:46:38 +00:00
Chris PeBenito 9820351703 trunk: add in polmatch for default spd. 2007-11-14 15:53:18 +00:00
Chris PeBenito bdccbacdd6 trunk: add labeled networking support to unconfined. 2007-11-14 14:38:45 +00:00
Chris PeBenito cdf98fedc0 trunk: 10 patches from dan. 2007-10-11 18:12:29 +00:00
Chris PeBenito 12e9ea1ae3 trunk: module version bumps for previous commit. 2007-10-02 17:15:07 +00:00
Chris PeBenito 350b6ab767 trunk: merge strict and targeted policies. merge shlib_t into lib_t. 2007-10-02 16:04:50 +00:00
Chris PeBenito 116c1da330 trunk: update module version numbers for release. 2007-06-29 14:48:13 +00:00
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00