Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices

[RFC PATCH v2 0/3] Fix some multiqueue TUN problems · Paul Moore <hidden> · 2012-12-05
[RFC PATCH v2 1/3] tun: correctly report an error in tun_flow_init() · Paul Moore <hidden> · 2012-12-05
Re: [RFC PATCH v2 1/3] tun: correctly report an error in tun_flow_init() · Jason Wang <jasowang@redhat.com> · 2012-12-06
Re: [RFC PATCH v2 1/3] tun: correctly report an error in tun_flow_init() · Paul Moore <hidden> · 2012-12-06
[RFC PATCH v2 2/3] selinux: add the "create_queue" permission to the "tun_socket" class · Paul Moore <hidden> · 2012-12-05
[RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-05
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Jason Wang <jasowang@redhat.com> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Jason Wang <jasowang@redhat.com> · 2012-12-07
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Jason Wang <jasowang@redhat.com> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-06
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-07
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-10
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-10
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-10
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-10
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Eric Paris <hidden> · 2012-12-10
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-10
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-10
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Jason Wang <jasowang@redhat.com> · 2012-12-11
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-12
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Jason Wang <jasowang@redhat.com> · 2012-12-07
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · "Michael S. Tsirkin" <mst@redhat.com> · 2012-12-12
Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices · Paul Moore <hidden> · 2012-12-12

From: Paul Moore <hidden>
Date: 2012-12-10 22:21:44
Also in: selinux

On Monday, December 10, 2012 01:42:12 PM Eric Paris wrote:

Let me abstract a little here Paul.  Lets say user A starts an
unclassified process and a top secret process.  SELinux policy darn
well better be able to enforce that they can not attach to the same
tun.

Am I missing something here?

Relax, all the SELinux enforced separation still exists, and works.  We're 
just fixing the LSM/SELinux stuff that was broken with the multiqueue addition 
and adding a new SELinux permission to control access to the new queue 
command.

What we are currently discussing is DAC only.  While Michael have different 
opinions on how to solve the DAC issues, we agree that SELinux works 
correctly.

-- 
paul moore
security and virtualization @ redhat

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help