Casey Schaufler wrote:Casey Schaufler wrote:If you really want to be abusive you could replace the smack_access()
function in security/smack/smack_access.c (of all places) with a no-op
returning 0 in all cases.
I thought of that too. :)
But i would rather like to use the thing in it's intended function sometime in the future.
Speaking of the devil...What I then to is write iptables OUTPUT chain matches which match for any of these labels and set some connection marks and firewall marks.
Which I then can use in routing rules to give different routing rules to specific processes. (Like all proxy traffic over a second DSL line)
I know, it's totally crazy. But it seems to work. :)
I just hope the security part of this all will not break anything. But it does not look like it would right now.
Smack will eventually bite you if you're not careful, but users of
MAC systems wouldn't be surprised by that.
This is exactly what happened to me right now. I have problems with _some_ https connects. The problem lies somewhere in openssl.
I did not yet find any clue with strace.
Is there some straight forward way to audit/debug LSM interventions?
I have probably missed something that a labeled process could not do as a '_' process could. Have no idea right now, but it is probably something stupidly simple.
I don't think it's crazy,I like that attitude. :)
I think it's a matter of using what's available in novel ways.