* connection between different labels
From: vlad halilov @ 2013-05-16 20:58 UTC (permalink / raw)
To: SELinux
Hi again. Does SELinux contain something functionally like the 'multilevel port'
from Solaris Trusted Extensions? The concept of an MLP is declaring a number of
programs to be 'label aware'. A program of this type is allowed to handle
network requests for a specified service from all labels and to handle/generate
traffic for any labels in its clearance. So the OS just delegates information
control to this program. To my mind, something like this is possible for
SELinux contexts (we can allow traffic between different domains by policy,
and the SELinux context is transferred by 'secret' local processing ;) but maybe
something like this is implemented for information labels s0, s1 etc.?
For example:
type=AVC msg=audit(1368735963.286:1998): avc: denied { recv } for
pid=4773 comm="python-thinlinc" saddr=127.0.0.1 src=46092 daddr=127.0.0.1
dest=9000 netif=lo scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:netlabel_peer_t:s4 tclass=peer
My userspace program needs to send a status message to a master process that
is executed with clearance s0-s15:c0.c1023, but the request is denied. Hmmm..
But is the clearance of the master process enough to work with this information?
From some tests, I got the result that the 'real' label for the master process is s0.
And all processes executed with a label range handle connections only with the
lowest label from the range. Ok, that's a strong design and I agree. I can switch
the label for the reporter process to s0 and send the message, of course ... but
maybe some trick exists?
* Re: connection between different labels
From: Paul Moore @ 2013-05-17 14:07 UTC (permalink / raw)
To: vlad halilov; +Cc: SELinux
On Friday, May 17, 2013 12:58:27 AM vlad halilov wrote:
> Hi again.
Hello again.
> Does SELinux contain something functionally like the 'multilevel port'
> from Solaris Trusted Extensions? The concept of an MLP is declaring a number of
> programs to be 'label aware'. A program of this type is allowed to handle
> network requests for a specified service from all labels and to handle/generate
> traffic for any labels in its clearance. So the OS just delegates information
> control to this program.
Yes, SELinux is capable of doing similar things. However, I will caution you
that SELinux does not support network port polyinstantiation in the same way
as TSOL or Solaris TX; we have some workarounds that sorta do similar things
but it isn't the same.
> To my mind, something like this is possible for SELinux contexts (we can
> allow traffic between different domains by policy, and the SELinux context is
> transferred by 'secret' local processing ;) but maybe something like this is
> implemented for information labels s0, s1 etc.?
>
> For example:
>
> type=AVC msg=audit(1368735963.286:1998): avc: denied { recv } for
> pid=4773 comm="python-thinlinc" saddr=127.0.0.1 src=46092 daddr=127.0.0.1
> dest=9000 netif=lo scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:netlabel_peer_t:s4 tclass=peer
>
> My userspace program needs to send a status message to a master process that
> is executed with clearance s0-s15:c0.c1023, but the request is denied. Hmmm..
> But is the clearance of the master process enough to work with this information?
> From some tests, I got the result that the 'real' label for the master process is s0.
> And all processes executed with a label range handle connections only with the
> lowest label from the range.
There are basically two parts to communicating over a network with a security
label above your effective security label and below your cleared security
label: initiating a new connection and sending data (e.g. creating a socket
with the appropriate label) and accepting a new connection and receiving data
(e.g. allowing a socket to receive data above its effective security label
but still below its cleared label).
The first part, creating a socket with a different security label, can be done
with the setsockcreatecon() function which is part of the libselinux API. If
successful, this function tells the kernel to label all future sockets with
the label provided by the function. This allows you to create sockets with a
"s1" security label when the process is running as "s0-s15", and traffic sent
from these "s1" labeled sockets will be labeled as "s1" and NOT as "s0". See
the manpage for more information.
The second part, accepting data between the effective and cleared security
label, is done via the MLS attributes in the SELinux policy. The
mlsnetreadtoclr, mlsnetwritetoclr, and mlsnetwriteranged attributes are likely
to be the most relevant to you; the related SELinux policy interfaces can be
found in the kernel/mls.if interface file and are all named 'mls_socket_*'.
--
paul moore
www.paul-moore.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
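As an added example (not code from this thread, from libselinux, or from the reference policy), the following Python script walks through both halves of what Paul describes. It checks that a requested level lies between a process's effective (low) level and its clearance (high) level, builds the single-level context that would be handed to setsockcreatecon() (called here through libselinux's Python binding, `selinux`, when it is present), and models the peer recv decision behind the AVC denial quoted above, with and without the mlsnetreadtoclr relaxation. The function names and the sample contexts are mine (the contexts are copied from the AVC record in the thread), and `peer_recv_allowed` is a simplified reading of the policy's MLS constraint for illustration, not the policy text itself.

```python
import re
import socket

# Constructed sample values, taken from the AVC record in the thread:
# the master process runs with a clearance range, the peer packet was labelled s4.
MASTER_CONTEXT = "system_u:system_r:initrc_t:s0-s15:c0.c1023"
PEER_LEVEL = "s4"


def parse_level(level):
    """Parse one MLS level such as 's4' or 's1:c0.c5,c7' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    match = re.fullmatch(r"s(\d+)", sens)
    if match is None:
        raise ValueError(f"bad sensitivity in level {level!r}")
    categories = set()
    if cats:
        for part in cats.split(","):
            lo, dot, hi = part.partition(".")      # 'c0.c5' is a range, 'c7' a single category
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if dot else lo_n
            categories.update(range(lo_n, hi_n + 1))
    return int(match.group(1)), categories


def parse_context(ctx):
    """Split user:role:type:low[-high]; a single level means low == high."""
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return user, role, typ, parse_level(low), parse_level(high or low)


def dominates(a, b):
    """MLS dominance: a dominates b when a's sensitivity is >= b's and a's categories are a superset."""
    return a[0] >= b[0] and b[1] <= a[1]


def level_in_clearance(proc_ctx, level):
    """True when `level` sits between the process's effective (low) and cleared (high) level."""
    _, _, _, low, high = parse_context(proc_ctx)
    target = parse_level(level)
    return dominates(target, low) and dominates(high, target)


def socket_context(proc_ctx, level):
    """Context for setsockcreatecon(): the process's user/role/type with one level inside the range."""
    if not level_in_clearance(proc_ctx, level):
        raise ValueError(f"level {level} is outside the clearance range of {proc_ctx}")
    user, role, typ, _, _ = parse_context(proc_ctx)
    return f"{user}:{role}:{typ}:{level}"


def peer_recv_allowed(proc_ctx, peer_level, read_to_clr=False):
    """Simplified model (assumption, not the policy text) of the MLS 'peer recv' rule:
    by default the receiver's effective (low) level must dominate the peer label;
    with the mlsnetreadtoclr attribute the clearance (high) level is used instead."""
    _, _, _, low, high = parse_context(proc_ctx)
    return dominates(high if read_to_clr else low, parse_level(peer_level))


def create_socket_at_level(proc_ctx, level):
    """Create a TCP socket labelled at `level` via libselinux's setsockcreatecon();
    on hosts without the 'selinux' binding or with SELinux disabled the socket is created as usual."""
    ctx = socket_context(proc_ctx, level)
    try:
        import selinux  # libselinux Python bindings; absent on non-SELinux hosts
    except ImportError:
        selinux = None
    if selinux is None or not selinux.is_selinux_enabled():
        return ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM), False
    selinux.setsockcreatecon(ctx)            # raises OSError if the process lacks setsockcreate
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    finally:
        selinux.setsockcreatecon(None)       # NULL in the C API: back to default socket labelling
    return ctx, sock, True


if __name__ == "__main__":
    # The denial in the thread: the effective level s0 does not dominate the s4 peer label.
    print("recv at effective level:", peer_recv_allowed(MASTER_CONTEXT, PEER_LEVEL))
    print("recv with mlsnetreadtoclr:", peer_recv_allowed(MASTER_CONTEXT, PEER_LEVEL, read_to_clr=True))
    ctx, sock, labelled = create_socket_at_level(MASTER_CONTEXT, PEER_LEVEL)
    print("socket context:", ctx, "(applied)" if labelled else "(not applied: no SELinux here)")
    sock.close()
```

On an SELinux host the process needs the setsockcreate permission for the socket labelling step, and the policy still has to allow the resulting s4 socket to send; on any other host the script only prints the computed contexts and decisions.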