Bug 530809 - remove of temporary hack in kernel_sendrecv_unlabeled_association
Summary: remove of temporary hack in kernel_sendrecv_unlabeled_association
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-10-25 11:25 UTC by Stefan Schulze Frielinghaus
Modified: 2012-10-15 14:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 07:50:33 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2010:0182
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2010-03-29 12:19:53 UTC

Description Stefan Schulze Frielinghaus 2009-10-25 11:25:33 UTC
Description of problem:
In refpolicy the interface kernel_sendrecv_unlabeled_association contains a rule which allows sending/receiving of unlabeled packets:

# temporary hack until labeling on packets is supported
allow $1 unlabeled_t:packet { send recv };

This is removed in selinux-policy. Can we enable this again? Because some of my apps need this rule. I already asked on the mailing list but didn't get a response: http://article.gmane.org/gmane.linux.redhat.fedora.selinux/11120

Is there any reason why the temporary hack is not acceptable?

Version-Release number of selected component (if applicable):
Tested with selinux-policy-2.4.6-203.el5 and selinux-policy-2.4.6-255.el5

Comment 1 Daniel Walsh 2009-10-26 13:24:29 UTC
The kernel_sendrecv_unlabeled_packets interface still exists.

The corenet_non_ipsec_sendrecv interface calls it.


249 interfaces in RHEL5.4 policy call this.

So I do not know what problem you are seeing.

Comment 2 Stefan Schulze Frielinghaus 2009-10-26 14:38:12 UTC
Yes, the interface is still available, but patch file "policy-20061106.patch" of selinux-policy-2.4.6-255.el5.src.rpm on line 8832 removes the following rule:

allow $1 unlabeled_t:packet { send recv };

If we do not have a fix for the temporary problem, then I guess we should include the allow rule, unless it has some security concerns. refpolicy, e.g., ships the rule, which makes it hard to create policy files which work for both RHEL/Fedora and refpolicy.

policy-20061106.patch:
@@ -2165,9 +2208,6 @@
 	')
 
 	allow $1 unlabeled_t:association { sendto recvfrom };
-
-	# temporary hack until labeling on packets is supported
-	allow $1 unlabeled_t:packet { send recv };
 ')
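Review bot: the hunk deletes the `allow $1 unlabeled_t:packet { send recv };` rule together with its "temporary hack" comment but adds no comment of its own, so nothing in the patched interface tells a policy author that the downstream policy deliberately diverges from refpolicy here. After this hunk a caller of kernel_sendrecv_unlabeled_association only gets `unlabeled_t:association { sendto recvfrom }`; a domain that also needs send/recv on unlabeled packets will be denied unless it calls kernel_sendrecv_unlabeled_packets itself (Comment 1 confirms that interface still exists). Either restore the rule as upstream has it, or keep the removal and add a one-line comment in the interface stating that packet access must be requested separately, so the divergence is visible where policy is written rather than discovered through AVC denials.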

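The portability problem Stefan describes is that the same interface name grants different permissions on refpolicy and on the patched RHEL 5 policy. The following is an added example, not code from this bug or from the selinux-policy package: a small Python checker that parses `allow` rules out of a policy interface body, expands `$1` for a domain the way m4 would, and reports what the domain gets on unlabeled_t per object class. The two interface copies are constructed from the rule text quoted in this bug (one with the packet rule, one after the hunk above removed it), and the domain name myapp_t and all function names are assumptions. It deliberately ignores nested interface calls; it only looks at literal `allow` statements in the text it is given.

```python
import re

# Matches one TE allow rule: allow <src> <tgt>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;",
    re.MULTILINE,
)

# Constructed copy of the refpolicy interface, including the "temporary hack" rule.
REFPOLICY_IF = """
interface(`kernel_sendrecv_unlabeled_association',`
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:association { sendto recvfrom };

	# temporary hack until labeling on packets is supported
	allow $1 unlabeled_t:packet { send recv };
')
"""

# Constructed copy of the same interface after the RHEL 5 patch hunk
# quoted above removed the packet rule.
RHEL5_IF = """
interface(`kernel_sendrecv_unlabeled_association',`
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:association { sendto recvfrom };
')
"""


def parse_allow_rules(policy_src):
    """Return (source, target, class, perms) for every allow rule in policy_src.

    '#' comments are stripped first so a commented-out rule is not counted."""
    stripped = re.sub(r"#.*", "", policy_src)
    rules = []
    for m in ALLOW_RE.finditer(stripped):
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, frozenset(perms.strip("{}").split())))
    return rules


def granted(rules, source, target, cls):
    """Union of permissions the rules give `source` on `target`:`cls`."""
    perms = set()
    for src, tgt, c, p in rules:
        if (src, tgt, c) == (source, target, cls):
            perms |= p
    return perms


def unlabeled_access(interface_src, domain):
    """Expand the interface for `domain` (substituting $1, as m4 would) and
    report the permissions it gets on unlabeled_t per object class."""
    rules = parse_allow_rules(interface_src.replace("$1", domain))
    return {cls: granted(rules, domain, "unlabeled_t", cls)
            for cls in ("association", "packet")}


def missing_packet_perms(interface_src, domain):
    """Packet permissions a caller of this interface would still be denied."""
    return {"send", "recv"} - unlabeled_access(interface_src, domain)["packet"]


if __name__ == "__main__":
    # myapp_t is an assumed domain name used only for the comparison.
    for name, src in (("refpolicy", REFPOLICY_IF), ("RHEL 5 patched", RHEL5_IF)):
        access = unlabeled_access(src, "myapp_t")
        print(f"{name}: association={sorted(access['association'])} "
              f"packet={sorted(access['packet'])} "
              f"missing={sorted(missing_packet_perms(src, 'myapp_t'))}")
```

Running it shows the refpolicy copy granting both `association { sendto recvfrom }` and `packet { send recv }`, while the patched copy grants only the association permissions and leaves send/recv missing, which is exactly the gap a policy written against refpolicy hits on RHEL 5. On an installed system the equivalent check against the compiled policy is a `sesearch` query from setools for allow rules from the domain to unlabeled_t in the packet class; this script is only for reasoning about policy source before it is built.
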
Comment 3 Daniel Walsh 2009-10-26 15:24:03 UTC
I don't remember a reason for removing it, and since it is in upstream I guess we should add it back.

Miroslav, can you add it?

Comment 5 Miroslav Grepl 2009-11-06 14:34:13 UTC
Fixed in selinux-policy-2.4.6-264.el5

Comment 9 errata-xmlrpc 2010-03-30 07:50:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

