* Re: SELinux: Interface Labeling Problem
From: Maurizio Pagani @ 2015-06-11 20:47 UTC (permalink / raw)
  To: Paul Moore, selinux, Selinux; +Cc: james.l.morris@oracle.com, Stephen Smalley


OK, I have also attached the community to this thread.

Please, can someone help me?

Thanks

On Thursday 11 June 2015, Paul Moore <paul@paul-moore.com> wrote:

> On Thu, Jun 11, 2015 at 4:22 PM, Maurizio Pagani <pag.maurizio@gmail.com> wrote:
> > Any idea??? Please, it is important.
>
> As Stephen already mentioned, please repost your question to the
> mailing list so that others can benefit.
>
> > On Thursday 11 June 2015, Gmail <pag.maurizio@gmail.com> wrote:
> >>
> >> Hi Stephen,
> >>
> >> ok, but with peer labeling I saw that it is not possible to block a specific
> >> domain from using an interface labeled with netif_hostonly_t, right? If not, how
> >> can I block a specific domain from using my network interface?
> >>
> >> However, the next questions I'll write to the distribution list.
> >>
> >> Thanks in advance,
> >>
> >>                      Maurizio Pagani
> >>             Systems and Security Specialist
> >>
> >>                    Kay Systems Italia
> >>                           www.ksi.it
> >>              Viale Libano , 80 - 00144 Roma
> >>                  fax:  +39 06  542799-60
> >>                  mobile:  +39 335 1382689
> >>              e-mail: maurizio.pagani@ksi.it
> >>
> >> -----Original message-----
> >> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> >> Sent: Thursday 11 June 2015 14:49
> >> To: Gmail; paul@paul-moore.com; james.l.morris@oracle.com; 'Daniel J
> >> Walsh'; 'Dominick Grift'; 'Sven Vermeulen'; eparis@parisplace.org
> >> Subject: Re: SELinux: Interface Labeling Problem
> >>
> >> Is there a reason you didn't post this to selinux list
> >> (selinux@tycho.nsa.gov, subscribe via selinux-join@tycho.nsa.gov)?
> >> We prefer questions to go to the list so that they are archived for
> >> others and anyone in the community can respond to them.
> >>
> >> In any event, SELinux network permission checks have changed over time.
> >> The netif { tcp_recv tcp_send udp_recv udp_send } checks were legacy
> >> network checks that were removed in Linux 2.6.30.  netif { ingress egress }
> >> are newer checks that are only enabled if you have configured peer labeling
> >> via NetLabel or labeled IPSEC/xfrm.
> >>
> >> On 06/11/2015 06:27 AM, Gmail wrote:
> >> > Hi everybody
> >> >
> >> > I'm Maurizio Pagani (LordFire in #SELinux IRC freenode).
> >> >
> >> > I write to you because I'm implementing an SELinux solution with
> >> > particular attention to Network Labeling.
> >> >
> >> > I'm doing this through some blogs (Paul Moore in particular, Walsh and
> >> > others) and books (Sven Vermeulen), but now I'm blocked by a little
> >> > problem that does not permit me to go on.
> >> >
> >> > The subject is: "Interface Labeling".
> >> >
> >> > In a few words, I created a very simple policy called
> >> > "netif_hostonly_t"; the .te is this:
> >> >
> >> > policy_module(netif_hostonly, 1.0.0)
> >> >
> >> > require {
> >> >         type unconfined_t;
> >> >         class netif { tcp_recv tcp_send udp_recv udp_send ingress egress };
> >> > }
> >> >
> >> > # I declare my type
> >> > type netif_hostonly_t;
> >> >
> >> > allow unconfined_t netif_hostonly_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress };
> >> >
> >> >
> >> > Next Step:
> >> >
> >> > semanage interface -a -t netif_hostonly_t eno50332208
> >> >
> >> > I checked that it is labeled correctly.
> >> >
> >> > But I don't see any AVC denied messages; this is the problem. I thought
> >> > that, as always, SELinux blocks everything and afterwards, through raw SELinux
> >> > language (allow/dontaudit/auditallow/neverallow), we can open specific
> >> > communications, but instead I don't see anything.
> >> >
> >> > Am I doing something wrong? It is not very clear on the web, or in the other
> >> > blogs / books; maybe I need a SECMARK rule? But it is not
> >> > specified as a requirement, because "port labeling" is also used
> >> > without setting a SECMARK rule.
> >> >
> >> > Please, I'm blocked with my customer project for this (I think) stupid
> >> > problem; maybe you surely know the solution and can share it with me.
> >> >
> >> > Thanks in advance,
> >> >
> >> > Maurizio Pagani
> >> >
>
> --
> paul moore
> www.paul-moore.com


* Re: SELinux: Interface Labeling Problem
From: Sven Vermeulen @ 2015-06-12 12:13 UTC (permalink / raw)
  To: Maurizio Pagani, SELinux

On Thu, Jun 11, 2015 at 10:47 PM, Maurizio Pagani
<pag.maurizio@gmail.com> wrote:
> OK, I have also attached the community to this thread.
>> >> -----Original message-----
>> >> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
[...]
>> >> In any event, SELinux network permission checks have changed over time.
>> >> The netif { tcp_recv tcp_send udp_recv udp_send } checks were legacy
>> >> network checks that were removed in Linux 2.6.30.  netif { ingress egress }
>> >> are newer checks that are only enabled if you have configured peer labeling
>> >> via NetLabel or labeled IPSEC/xfrm.

As Stephen already mentioned, recent Linux kernels only listen to the
egress/ingress permissions in the netif class. The other permissions
might still be marked as "existing" for backwards compatibility, but
they are not enforced anymore. See
http://lists.openwall.net/netdev/2009/03/27/144

To enable the egress/ingress support however, you need to use either
Labeled IPSec or NetLabel/CIPSO support.

If you want to use SECMARK, then the controls are not on the netif
class, but on the packet classes.

Wkr,
  Sven Vermeulen


* R: R: SELinux: Interface Labeling Problem
From: Gmail @ 2015-06-13  9:02 UTC (permalink / raw)
  To: selinux; +Cc: 'James Morris', 'Stephen Smalley'



Hi,

In this mail, I'll describe the steps with which I resolved my problem with Network Interface Labeling.

-          Problem: We need to block a specific domain (application, users or other) from using a specific network interface.

-          Question: How can I do it? With NetLabel? SECMARK? Do I need to develop a new policy? Is there a refpolicy template? Is it not possible?

After some reading on many blogs/books/the SELinux site, I merged this information and found a solution for my problem.

-          Environment example: we have an environment with two network interfaces, the first for the public network, the second for the internal network. And we don't want a user called "myuser" (sysadm_r), after logging in from the public interface, to be able to jump through the internal network interface.

-          Solution step-by-step:

1.       We need to create two new types, the first for the internal interface, and another for packet_internal_interface.

*  My policy is this:

policy_module(telecom, 1.0)

# I declare my types
type telecom_netif_mgmt_t;            # type for the internal network interface
type telecom_netif_mgmt_packet_t;     # type for packets of the internal network interface

2.       After compiling and installing this policy, you have two new types that you can check with seinfo -t | grep <yourtype>

3.       Install this package (for RedHat/CentOS/Fedora):

*   yum -y install netlabel_tools   # needed to manage Network Labeling

4.       Now you need to label your internal network interface with the semanage command:

*  semanage interface -a -t telecom_netif_mgmt_t eth0   # with this we label the interface

*  semanage interface -l   # with this we check it

*    we should see something like this: [screenshot attachment]

5.       Now it is time to link this with Network Labeling through the netlabelctl command:

*  netlabelctl unlbl add interface:eth0 address:10.23.130.131 label:system_u:object_r:telecom_netif_mgmt_packet_t:s0   # we are setting that all unlabeled packet flows for eth0 are labeled with telecom_netif_mgmt_packet_t

*         N.B.: address:10.23.130.131 must be the static IP address of the internal network interface

*  netlabelctl unlbl list   # to check

*         you should see this output: accept:on interface:eth0,address:10.23.130.131/32,label:"system_u:object_r:telecom_netif_mgmt_packet_t:s0"

6.       Now we must allow the domains that we need to be able to use this interface, like unconfined_t (default root user)

*  We need to modify our simple policy below with this delta:

policy_module(telecom, 1.0)

# Types and permissions used below that this module does not declare itself
require {
        type unconfined_t;
        type unlabeled_t;
        class netif { tcp_recv tcp_send udp_recv udp_send ingress egress };
}

# I declare my types
type telecom_netif_mgmt_t;            # type for the internal network interface
type telecom_netif_mgmt_packet_t;     # type for packets of the internal network interface

# This allows unconfined_t (root user for example) to use the internal network interface (egress, so the OUT traffic) - for convenience I allow all permissions
allow unconfined_t telecom_netif_mgmt_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress };

# This allows unlabeled_t (all responses from/to) to pass through the internal network interface (ingress, so the IN traffic) - for convenience I allow all permissions
allow unlabeled_t telecom_netif_mgmt_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress };

7.       So, now unconfined_t is allowed, but myuser_t (our myuser user) is not allowed, so we only need to try and see what happens:

*  While I launch a ping through myuser (root restricted shell):

*         [screenshot attachment]

*         We also see audit.log:

*         [screenshot attachment]

*         We can see that our specific domain (telecom_sysadm_t) can't use and jump into the internal network interface (eth0)

Problem SOLVED!

I hope that this mini guide can help someone.

If there is any improvement that someone can give me, I'm here ready to improve.

Sorry in advance if this guide is not written in optimal English.

Thanks,

Maurizio Pagani (LordFire in #SELinux)

-----Original message-----
From: Paul Moore [mailto:paul@paul-moore.com]
Sent: Friday 12 June 2015 22:48
To: Maurizio Pagani
Cc: Stephen Smalley; James Morris; Daniel J Walsh; Dominick Grift; Sven Vermeulen; Eric Paris
Subject: Re: R: SELinux: Interface Labeling Problem

On Fri, Jun 12, 2015 at 4:34 PM, Maurizio Pagani <pag.maurizio@gmail.com> wrote:

> Sure!!! That helps!! However, I already solved my problem, but I thought
> "maybe I should write a small guide/solution to the list to share my problem."
>
> Right?

I'm glad to hear that you've resolved your problem, and I think a short description of your problem as well as how you solved it would be very welcome on the list.

--
paul moore
www.paul-moore.com



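The following Python script is an added example, not code from this thread or from the SELinux project: it parses netif-class AVC records of the kind step 7 refers to and emits the allow rule each one needs, and it separates the enforced ingress/egress permissions from the legacy tcp_*/udp_* ones Sven describes above. The audit lines, addresses, pids and contexts are constructed samples, since the original denials were only attached as screenshots.

```python
import re

# netif permissions current kernels actually check (Sven's point above); the
# tcp_*/udp_* permissions still exist in the policy but are no longer enforced.
ENFORCED_NETIF_PERMS = {"ingress", "egress"}
LEGACY_NETIF_PERMS = {"tcp_recv", "tcp_send", "udp_recv", "udp_send"}

# Constructed sample audit.log records (the thread's own denials were only
# posted as screenshots); addresses, pids and contexts are invented.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1434105600.101:201): avc:  denied  { egress } for  pid=2215 comm="ping" saddr=10.23.130.131 src=0 daddr=10.23.130.1 dest=0 netif=eth0 scontext=staff_u:sysadm_r:telecom_sysadm_t:s0 tcontext=system_u:object_r:telecom_netif_mgmt_t:s0 tclass=netif permissive=0
type=AVC msg=audit(1434105600.102:202): avc:  denied  { ingress } for  saddr=10.23.130.1 src=0 daddr=10.23.130.131 dest=0 netif=eth0 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:telecom_netif_mgmt_t:s0 tclass=netif permissive=0
type=AVC msg=audit(1434105600.103:203): avc:  denied  { write } for  pid=2215 comm="ping" name="messages" scontext=staff_u:sysadm_r:telecom_sysadm_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")

def parse_netif_denials(audit_text):
    """Return one dict per netif-class denial. For egress the scontext is the
    local sending domain; for ingress it is the peer label NetLabel assigned
    to the incoming packet (unlabeled_t when no mapping matched)."""
    found = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
        if fields.get("tclass") != "netif":
            continue  # file/socket denials etc. are not interface checks
        for perm in m.group("perms").split():
            found.append({"perm": perm, "netif": fields.get("netif"),
                          "stype": fields["scontext"].split(":")[2],
                          "ttype": fields["tcontext"].split(":")[2]})
    return found

def allow_rule(denial):
    """The allow rule that would silence one netif denial (what audit2allow emits)."""
    return "allow %s %s:netif { %s };" % (denial["stype"], denial["ttype"], denial["perm"])

def classify_netif_perms(perms):
    """Split a netif rule's permission list into enforced, legacy (no-op) and unknown."""
    perms = set(perms)
    return {"enforced": sorted(perms & ENFORCED_NETIF_PERMS),
            "legacy": sorted(perms & LEGACY_NETIF_PERMS),
            "unknown": sorted(perms - ENFORCED_NETIF_PERMS - LEGACY_NETIF_PERMS)}

if __name__ == "__main__":
    for d in parse_netif_denials(SAMPLE_AUDIT):
        print("%s on %s: %s" % (d["perm"], d["netif"], allow_rule(d)))
```

Run against a real audit.log, the legacy perms in a rule like the one in step 6 show up under "legacy": they compile fine but change nothing, so only the ingress/egress entries decide what the interface label actually blocks.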
