* changes in ~2.6.13 break postfix policy?
@ 2005-11-04 12:09 Erich Schubert
  2005-11-04 13:46 ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Erich Schubert @ 2005-11-04 12:09 UTC (permalink / raw)
  To: SELinux

Hi,
I'm running the same policy on a couple of similar systems.
All of them run postfix and logcheck (so they frequently do send
emails).

On the systems running 2.6.13 or 2.6.14 I get errors similar to the
following:
avc:  denied  { read } for  pid=3247 comm="pickup" name="[197650]"
dev=sockfs ino=197650 scontext=system_u:system_r:postfix_pickup_t
tcontext=system_u:system_r:postfix_pickup_t tclass=sock_file
avc:  denied  { write } for  pid=3247 comm="pickup" name="[197650]"
dev=sockfs ino=197650 scontext=system_u:system_r:postfix_pickup_t
tcontext=system_u:system_r:postfix_pickup_t tclass=sock_file
avc:  denied  { getattr } for  pid=14416 comm="qmgr" name="[197661]"
dev=sockfs ino=197661 scontext=system_u:system_r:postfix_qmgr_t
tcontext=system_u:system_r:postfix_qmgr_t tclass=sock_file
for just about every socket postfix uses.

The socket "files" all have system_u:object_r:postfix_private_t, though.

I don't see the same errors on machines with an older selinux kernel.
Any idea what's wrong?

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
   To understand recursion you first need to understand recursion.   //\
   Nur der ist weise, der weiß, dass er es nicht ist. --- Sokrates   V_/_



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: changes in ~2.6.13 break postfix policy?
  2005-11-04 12:09 changes in ~2.6.13 break postfix policy? Erich Schubert
@ 2005-11-04 13:46 ` Stephen Smalley
  2005-11-04 18:35   ` Erich Schubert
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2005-11-04 13:46 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Russell Coker, James Morris, SELinux

On Fri, 2005-11-04 at 13:09 +0100, Erich Schubert wrote:
> Hi,
> I'm running the same policy on a couple of similar systems.
> All of them run postfix and logcheck (so they frequently do send
> emails).
> 
> On the systems running 2.6.13 or 2.6.14 I get errors similar to the
> following:
> avc:  denied  { read } for  pid=3247 comm="pickup" name="[197650]"
> dev=sockfs ino=197650 scontext=system_u:system_r:postfix_pickup_t
> tcontext=system_u:system_r:postfix_pickup_t tclass=sock_file
> avc:  denied  { write } for  pid=3247 comm="pickup" name="[197650]"
> dev=sockfs ino=197650 scontext=system_u:system_r:postfix_pickup_t
> tcontext=system_u:system_r:postfix_pickup_t tclass=sock_file
> avc:  denied  { getattr } for  pid=14416 comm="qmgr" name="[197661]"
> dev=sockfs ino=197661 scontext=system_u:system_r:postfix_qmgr_t
> tcontext=system_u:system_r:postfix_qmgr_t tclass=sock_file
> for just about every socket postfix uses.
> 
> The socket "files" all have system_u:object_r:postfix_private_t, though.
> 
> I don't see the same errors on machines with an older selinux kernel.
> Any idea what's wrong?

This suggests that SELinux is mis-classifying socket inodes (which
should have *_socket classes) as socket file inodes (which have the
sock_file class).  In inode_doinit (upon d_instantiate), SELinux
classifies file inodes based on the inode mode, but both socket inodes
and socket file inodes have the same inode mode (S_IFSOCK).  However,
SELinux should be classifying socket inodes from its socket-specific
hooks (selinux_socket_post_create and selinux_socket_accept), so they
should be classified correctly.  Any subsequent invocation of
d_instantiate upon the socket inode shouldn't disturb the class already
set by the socket hooks, as it is no longer the initial default of file.

There was a change between 2.6.11 and 2.6.12 (removal of i_sock field
from struct inode, which allowed us to distinguish sockets from socket
files in inode_doinit itself) in the mainline kernel that required a
change to the way in which SELinux was classifying the inodes, but not
between 2.6.12 and 2.6.13 AFAIK.   Do you see the behavior with a 2.6.12
kernel as well?

-- 
Stephen Smalley
National Security Agency


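Stephen's explanation gives a practical triage rule for log lines like the ones Erich quoted: a sock_file denial whose object sits on dev=sockfs is not a socket file at all but a socket inode that was labelled by inode mode, which no policy rule will fix, whereas a sock_file denial on a real filesystem is an ordinary policy matter. The script below is an added example (not code from the thread, from SELinux or from Postfix) that parses AVC lines of that shape and separates the two cases; the sample lines are constructed in the format quoted above, and the verdict names are my own.

```python
"""Triage SELinux AVC denials of the kind quoted in this thread.

Added example; not code from the thread, from SELinux or from Postfix.
It parses audit lines of the shape Erich posted and tells apart two
cases that look identical at first glance:

  * tclass=sock_file with dev=sockfs: the object is a socket inode that
    was labelled as a socket *file*, the kernel-side symptom Stephen
    describes (the socket hooks never ran, so the mode-based file
    classifier won).  No policy rule fixes this; the kernel build does.
  * tclass=sock_file on a real filesystem: an ordinary policy denial
    against a named socket file, to be handled in policy.
"""
import re
from collections import Counter

# Constructed sample lines in the shape quoted in the thread, one per line
# as the audit subsystem emits them; the fourth line is made up to show an
# ordinary sock_file denial on a disk filesystem for contrast, and the
# last one is a non-AVC line to show it is skipped.
SAMPLE_AVC_LINES = [
    'avc:  denied  { read } for  pid=3247 comm="pickup" name="[197650]" '
    'dev=sockfs ino=197650 scontext=system_u:system_r:postfix_pickup_t '
    'tcontext=system_u:system_r:postfix_pickup_t tclass=sock_file',
    'avc:  denied  { write } for  pid=3247 comm="pickup" name="[197650]" '
    'dev=sockfs ino=197650 scontext=system_u:system_r:postfix_pickup_t '
    'tcontext=system_u:system_r:postfix_pickup_t tclass=sock_file',
    'avc:  denied  { getattr } for  pid=14416 comm="qmgr" name="[197661]" '
    'dev=sockfs ino=197661 scontext=system_u:system_r:postfix_qmgr_t '
    'tcontext=system_u:system_r:postfix_qmgr_t tclass=sock_file',
    'avc:  denied  { write } for  pid=3300 comm="smtpd" name="pickup" '
    'dev=sda1 ino=40123 scontext=system_u:system_r:postfix_smtpd_t '
    'tcontext=system_u:object_r:postfix_public_t tclass=sock_file',
    'Nov  4 12:01:02 host kernel: unrelated line',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (permissions, fields) for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group('perms').split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return perms, fields


def context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def classify(line):
    """Classify one line; returns a dict with a 'verdict' key, or None."""
    parsed = parse_avc(line)
    if parsed is None:
        return None
    perms, f = parsed
    if f.get('tclass') != 'sock_file':
        verdict = 'other_denial'
    elif f.get('dev') == 'sockfs':
        # sockfs holds socket inodes, never socket *files*: a sock_file
        # object on it is a socket that fell through to the mode-based
        # inode classifier, i.e. the LSM socket hooks did not run.
        verdict = 'socket_inode_misclassified'
    else:
        verdict = 'sock_file_policy_denial'
    return {
        'verdict': verdict,
        'perms': perms,
        'comm': f.get('comm'),
        'source_type': context_type(f.get('scontext', '')),
        'target_type': context_type(f.get('tcontext', '')),
        # In the quoted lines the *object* carries the process's own
        # context, another tell-tale that it is not a labelled socket file.
        'object_carries_domain_type': f.get('scontext') == f.get('tcontext'),
    }


def summarize(lines):
    """Count verdicts over a batch of log lines (non-AVC lines are skipped)."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[result['verdict']] += 1
    return dict(counts)


if __name__ == '__main__':
    for line in SAMPLE_AVC_LINES:
        r = classify(line)
        if r:
            print(f"{r['verdict']:28s} {r['comm']:8s} {' '.join(r['perms'])}")
    print(summarize(SAMPLE_AVC_LINES))
```

Run against a real audit log, a batch in which every sock_file denial lands in the first bucket points at the kernel rather than the policy, which is exactly the distinction this thread took a week of mail to reach.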

* Re: changes in ~2.6.13 break postfix policy?
  2005-11-04 13:46 ` Stephen Smalley
@ 2005-11-04 18:35   ` Erich Schubert
  2005-11-04 19:02     ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Erich Schubert @ 2005-11-04 18:35 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Russell Coker, James Morris, SELinux

Hi,
> between 2.6.12 and 2.6.13 AFAIK.   Do you see the behavior with a 2.6.12
> kernel as well?

I can't tell for sure where I see it. Actually I just noticed that I
don't see it on the main mailserver, which is running 2.6.13 currently.
So it must be related to something else on the systems... :-(
But that might be due to that system running in enforcing mode.

Postfix is that of Debian stable. Init is that of Debian unstable.

On the system where I can observe the problem for sure, I upgraded from
a self-compiled 2.6.8 to 2.6.13 (as of Debian experimental) then to 2.6.14
(as of Debian unstable). The problem appeared after 2.6.8.

Regards,
Erich
-- 
     erich@(mucl.de|debian.org)      --      GPG Key ID: 4B3A135C     (o_
     Go away or I'll replace you with a very small shell script.      //\
 Jemanden zu lieben heißt glücklich zu sein, ihn glücklich zu sehen.  V_/_



* Re: changes in ~2.6.13 break postfix policy?
  2005-11-04 18:35   ` Erich Schubert
@ 2005-11-04 19:02     ` Stephen Smalley
  2005-11-04 23:53       ` Erich Schubert
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2005-11-04 19:02 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Russell Coker, James Morris, SELinux

On Fri, 2005-11-04 at 19:35 +0100, Erich Schubert wrote:
> Hi,
> > between 2.6.12 and 2.6.13 AFAIK.   Do you see the behavior with a 2.6.12
> > kernel as well?
> 
> I can't tell for sure where I see it. Actually I just noticed that I
> don't see it on the main mailserver, which is running 2.6.13 currently.
> So it must be related to something else on the systems... :-(
> But that might be due to that system running in enforcing mode.
> 
> Postfix is that of Debian stable. Init is that of Debian unstable.
> 
> On the system where I can observe the problem for sure, I upgraded from
> a self-compiled 2.6.8 to 2.6.13 (as of Debian experimental) then to 2.6.14
> (as of Debian unstable). The problem appeared after 2.6.8.

Hmm...Russell reported a similar problem on 29 Oct about new sock_file
audit messages with recent kernels on Debian, but said he has not seen
the same behavior on Fedora.  Only SELinux-related patch in the Fedora
kernel (canonicalize getxattr) shouldn't be relevant, and is now in
Linus' -git tree for 2.6.15.  Where might one be able to obtain the
patches included in the Debian kernel?  Any direct use of sock_alloc()
is suspect; everything needs to use sock_create(), sock_create_kern(),
or sock_create_lite() in order to pick up the proper security
initialization of the socket.

Note to James:  Fedora kernel includes a patch that re-exports
sock_alloc and uses it for tux (linux-2.6-tux.patch), so that is broken,
although IIRC, you said that tux is fundamentally broken for SELinux
anyway.

-- 
Stephen Smalley
National Security Agency



* Re: changes in ~2.6.13 break postfix policy?
  2005-11-04 19:02     ` Stephen Smalley
@ 2005-11-04 23:53       ` Erich Schubert
  2005-11-07 16:58         ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Erich Schubert @ 2005-11-04 23:53 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Russell Coker, James Morris, SELinux

Hi,
> Linus' -git tree for 2.6.15.  Where might one be able to obtain the
> patches included in the Debian kernel?  Any direct use of sock_alloc()

http://packages.debian.org/linux-image-2.6.14-1-686-smp
is the kernel I'm using. There is a link to the sourcecode.
All the linux-2.6 packages are built from the same codebase, so the
download for the source package is
http://ftp.debian.org/debian/pool/main/l/linux-2.6/linux-2.6_2.6.14.orig.tar.gz
http://ftp.debian.org/debian/pool/main/l/linux-2.6/linux-2.6_2.6.14-2.diff.gz
(or any other debian mirror)

With Debian packages, the .orig.tar.gz file usually contains the
upstream-provided source code unmodified (where licence restrictions
permit; occasionally single files have to be removed due to licensing
issues), and the Debian-specific changes are in the .diff.gz file.

I did a quick search in the .diff.gz for "sock_", 0 matches; but I
didn't check the .orig.tar.gz file.

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
     You know we all became mathematicians for the same reason:     //\
                  we were lazy. --- Max Rosenlicht                  V_/_
   Jede Frau erwartet von einem Mann, dass er hält, was sie sich
                         von ihm verspricht.




* Re: changes in ~2.6.13 break postfix policy?
  2005-11-04 23:53       ` Erich Schubert
@ 2005-11-07 16:58         ` Stephen Smalley
  2005-11-08 19:31           ` Erich Schubert
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2005-11-07 16:58 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Russell Coker, James Morris, SELinux

On Sat, 2005-11-05 at 00:53 +0100, Erich Schubert wrote:
> Hi,
> > Linus' -git tree for 2.6.15.  Where might one be able to obtain the
> > patches included in the Debian kernel?  Any direct use of sock_alloc()
> 
> http://packages.debian.org/linux-image-2.6.14-1-686-smp
> is the kernel I'm using. There is a link to the sourcecode.
> All the linux-2.6 packages are built from the same codebase, so the
> download for the source package is
> http://ftp.debian.org/debian/pool/main/l/linux-2.6/linux-2.6_2.6.14.orig.tar.gz
> http://ftp.debian.org/debian/pool/main/l/linux-2.6/linux-2.6_2.6.14-2.diff.gz
> (or any other debian mirror)
> 
> With Debian packages, the .orig.tar.gz file usually contains the
> upstream-provided source code unmodified (where licence restrictions
> permit; occasionally single files have to be removed due to licensing
> issues), and the Debian-specific changes are in the .diff.gz file.
> 
> I did a quick search in the .diff.gz for "sock_", 0 matches; but I
> didn't check the .orig.tar.gz file.

Yes, offhand, I don't see anything under patches-debian that looks
suspect.

Hmmm...can you supply any more info to help reproduce the bug?

-- 
Stephen Smalley
National Security Agency



* Re: changes in ~2.6.13 break postfix policy?
  2005-11-07 16:58         ` Stephen Smalley
@ 2005-11-08 19:31           ` Erich Schubert
  2005-11-09 13:36             ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Erich Schubert @ 2005-11-08 19:31 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Russell Coker, James Morris, SELinux

Hi,
> Hmmm...can you supply any more info to help reproduce the bug?

I've upgraded a box of mine running a self-compiled 2.6.14-rc3 to
Debian's 2.6.14, and the error has appeared on it, too.
So it's not caused by the policy, but either by some .config thing or a
patch in the Debian kernel. I doubt that anything relevant happened
between rc3 and final...
I'm going to build a 2.6.14 from vanilla sources with the .config of my
installed Debian kernel to narrow it down.

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
                 Friends are those who reach out for                 //\
                   your hand but touch your heart.                   V_/_
   Wo befreundete Wege zusammenlaufen, da sieht die ganze Welt für
         eine Stunde wie eine Heimat aus. --- Herrmann Hesse




* Re: changes in ~2.6.13 break postfix policy?
  2005-11-08 19:31           ` Erich Schubert
@ 2005-11-09 13:36             ` Stephen Smalley
  2005-11-10 18:50               ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2005-11-09 13:36 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Russell Coker, James Morris, SELinux

On Tue, 2005-11-08 at 20:31 +0100, Erich Schubert wrote:
> Hi,
> > Hmmm...can you supply any more info to help reproduce the bug?
> 
> I've upgraded a box of mine running a self-compiled 2.6.14-rc3 to
> Debian's 2.6.14, and the error has appeared on it, too.
> So it's not caused by the policy, but either by some .config thing or a
> patch in the Debian kernel. I doubt that anything relevant happened
> between rc3 and final...
> I'm going to build a 2.6.14 from vanilla sources with the .config of my
> installed Debian kernel to narrow it down.

Thanks.  Could you also send me a copy of that .config file for
reference?

-- 
Stephen Smalley
National Security Agency



* Re: changes in ~2.6.13 break postfix policy?
  2005-11-09 13:36             ` Stephen Smalley
@ 2005-11-10 18:50               ` Stephen Smalley
  2005-11-11 12:05                 ` Luke Kenneth Casson Leighton
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2005-11-10 18:50 UTC (permalink / raw)
  To: Erich Schubert; +Cc: Chris Wright, Russell Coker, James Morris, SELinux

On Wed, 2005-11-09 at 08:36 -0500, Stephen Smalley wrote:
> On Tue, 2005-11-08 at 20:31 +0100, Erich Schubert wrote:
> > Hi,
> > > Hmmm...can you supply any more info to help reproduce the bug?
> > 
> > I've upgraded a box of mine running a self-compiled 2.6.14-rc3 to
> > Debian's 2.6.14, and the error has appeared on it, too.
> > So it's not caused by the policy, but either by some .config thing or a
> > patch in the debian kernel. I doubt that there has happened anything
> > relevant between rc3 and final...
> > I'm going to build a 2.6.14 from vanilla sources with the .config of my
> > installed debian kernel to narrow down.
> 
> Thanks.  Could you also send me a copy of that .config file for
> reference?

Ok, I've tracked down the cause of this problem in the Debian kernels:
they are disabling CONFIG_SECURITY_NETWORK, which disables all of the
LSM socket hooks.  Thus, SELinux never gets a chance to classify the
socket inodes as socket objects via its selinux_socket_* hook functions,
and SELinux can no longer distinguish them from sock files at
d_instantiate time because of the removal of the i_sock field in 2.6.12
(which we didn't view as a problem at the time because we had the socket
hooks to address the issue).

I'd suggest asking the Debian kernel maintainers to entertain the notion
of enabling CONFIG_SECURITY_NETWORK.  If they are being driven by
performance considerations (and have actual data to show that the mere
presence of the LSM hooks is having real impact, even with selinux=0),
then possibly CONFIG_SECURITY_NETWORK could be tightened up to only
apply to the hooks that are on the critical path (e.g. sock_rcv_skb is
likely the largest concern).

-- 
Stephen Smalley
National Security Agency


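The root cause Stephen identifies is a build-time option, so the first thing an administrator who sees these denials should check is the running kernel's configuration rather than the policy. The script below is an added example, not code from the thread or from the kernel tree: it parses the .config text format (the `CONFIG_X=y` / `=m` forms and the `# CONFIG_X is not set` line Kconfig writes for disabled options) and reports whether an SELinux kernel has the LSM socket hooks. CONFIG_SECURITY and CONFIG_SECURITY_SELINUX are the real kernel options that gate LSM and SELinux; the two sample configs are constructed for the example and are not Debian's.

```python
"""Check a kernel .config for the option combination this thread traces.

Added example; not code from the thread or from the kernel tree.  It
parses the .config text format ("CONFIG_X=y", "CONFIG_X=m", and the
"# CONFIG_X is not set" form Kconfig writes for disabled options) and
reports whether an SELinux kernel has the LSM socket hooks that label
socket inodes.  The sample configs below are constructed, not Debian's.
"""
import re

SET_RE = re.compile(r'^(CONFIG_\w+)=(.*)$')
NOT_SET_RE = re.compile(r'^# (CONFIG_\w+) is not set$')

# Constructed: SELinux on but the network/socket hooks off, the
# combination Stephen identified, and the same config with them on.
BROKEN_CONFIG = """\
# Automatically generated make config: don't edit
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
"""

FIXED_CONFIG = BROKEN_CONFIG.replace(
    '# CONFIG_SECURITY_NETWORK is not set', 'CONFIG_SECURITY_NETWORK=y')


def parse_dot_config(text):
    """Map CONFIG_* names to 'y', 'm', 'n' or a string/number value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = NOT_SET_RE.match(line)
        if m:
            opts[m.group(1)] = 'n'   # explicitly disabled
    return opts


def selinux_socket_hooks_status(opts):
    """Return 'no-lsm', 'no-selinux', 'selinux-no-socket-hooks' or 'ok'.

    An option absent from the file is treated like one that is not set.
    """
    if opts.get('CONFIG_SECURITY', 'n') != 'y':
        return 'no-lsm'
    if opts.get('CONFIG_SECURITY_SELINUX', 'n') != 'y':
        return 'no-selinux'
    if opts.get('CONFIG_SECURITY_NETWORK', 'n') != 'y':
        # SELinux is built, but without the socket hooks it cannot mark
        # socket inodes as *_socket objects; they are classified as
        # sock_file by inode mode and checked against the wrong class.
        return 'selinux-no-socket-hooks'
    return 'ok'


def check_config_text(text):
    """Convenience wrapper: parse a .config and return its status."""
    return selinux_socket_hooks_status(parse_dot_config(text))


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(check_config_text(fh.read()))
    else:
        print('broken sample:', check_config_text(BROKEN_CONFIG))
        print('fixed sample: ', check_config_text(FIXED_CONFIG))
```

On a live system, point it at /boot/config-$(uname -r), or at the output of zcat /proc/config.gz where the kernel was built with CONFIG_IKCONFIG_PROC; a 'selinux-no-socket-hooks' result explains the sock_file denials without any further policy work.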

* Re: changes in ~2.6.13 break postfix policy?
  2005-11-10 18:50               ` Stephen Smalley
@ 2005-11-11 12:05                 ` Luke Kenneth Casson Leighton
  2005-11-14 14:46                   ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-11-11 12:05 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Erich Schubert, Chris Wright, Russell Coker, James Morris,
	SELinux

raised as 338543@bugs.debian.org.

On Thu, Nov 10, 2005 at 01:50:24PM -0500, Stephen Smalley wrote:

> On Wed, 2005-11-09 at 08:36 -0500, Stephen Smalley wrote:

> > On Tue, 2005-11-08 at 20:31 +0100, Erich Schubert wrote:
> > > Hi,
> > > > Hmmm...can you supply any more info to help reproduce the bug?
> > > 
> > > I've upgraded a box of mine running a self-compiled 2.6.14-rc3 to
> > > Debian's 2.6.14, and the error has appeared on it, too.
> > > [...]
 
> Ok, I've tracked down the cause of this problem in the Debian kernels:
> they are disabling CONFIG_SECURITY_NETWORK, which disables all of the
> LSM socket hooks.  Thus, SELinux never gets a chance to classify the

> [...]

> I'd suggest asking the Debian kernel maintainers to entertain the notion
> of enabling CONFIG_SECURITY_NETWORK.  If they are being driven by



* Re: changes in ~2.6.13 break postfix policy?
  2005-11-11 12:05                 ` Luke Kenneth Casson Leighton
@ 2005-11-14 14:46                   ` Stephen Smalley
  2005-11-14 23:07                     ` James Morris
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2005-11-14 14:46 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton
  Cc: Erich Schubert, Chris Wright, Russell Coker, James Morris,
	SELinux

On Fri, 2005-11-11 at 12:05 +0000, Luke Kenneth Casson Leighton wrote:
> raised as 338543@bugs.debian.org.

Erich also posted the issue to the debian-kernel mailing list, and Jurij
Smakov responded that CONFIG_SECURITY_NETWORK will be enabled in the
2.6.14-3 Debian kernel.

We should likely make SELinux depend on SECURITY_NETWORK in its Kconfig
since this is now necessary, and drop the #if's from hooks.c for it.

-- 
Stephen Smalley
National Security Agency



* Re: changes in ~2.6.13 break postfix policy?
  2005-11-14 14:46                   ` Stephen Smalley
@ 2005-11-14 23:07                     ` James Morris
  2005-11-15 12:26                       ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: James Morris @ 2005-11-14 23:07 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Luke Kenneth Casson Leighton, Erich Schubert, Chris Wright,
	Russell Coker, SELinux

On Mon, 14 Nov 2005, Stephen Smalley wrote:

> We should likely make SELinux depend on SECURITY_NETWORK in its Kconfig
> since this is now necessary, and drop the #if's from hooks.c for it.

Ok.  I also wonder whether we still need CONFIG_SECURITY_NETWORK at
all.


- James
-- 
James Morris
<jmorris@namei.org>


* Re: changes in ~2.6.13 break postfix policy?
  2005-11-14 23:07                     ` James Morris
@ 2005-11-15 12:26                       ` Stephen Smalley
  2005-11-15 12:59                         ` James Morris
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2005-11-15 12:26 UTC (permalink / raw)
  To: James Morris
  Cc: Luke Kenneth Casson Leighton, Erich Schubert, Chris Wright,
	Russell Coker, SELinux

On Mon, 2005-11-14 at 18:07 -0500, James Morris wrote:
> On Mon, 14 Nov 2005, Stephen Smalley wrote:
> 
> > We should likely make SELinux depend on SECURITY_NETWORK in its Kconfig
> > since this is now necessary, and drop the #if's from hooks.c for it.
> 
> Ok.  I also wonder whether we still need CONFIG_SECURITY_NETWORK at
> all.

Possibly not.  Might be worth running network benchmarks with it
disabled and enabled, with selinux=0 in both cases, just to see what
overhead the LSM hooks impose (if any).  sock_rcv_skb is likely the only
real concern.

-- 
Stephen Smalley
National Security Agency



* Re: changes in ~2.6.13 break postfix policy?
  2005-11-15 12:26                       ` Stephen Smalley
@ 2005-11-15 12:59                         ` James Morris
  2005-11-15 13:19                           ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: James Morris @ 2005-11-15 12:59 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Luke Kenneth Casson Leighton, Erich Schubert, Chris Wright,
	Russell Coker, SELinux

On Tue, 15 Nov 2005, Stephen Smalley wrote:

> On Mon, 2005-11-14 at 18:07 -0500, James Morris wrote:
> > Ok.  I also wonder whether we still need CONFIG_SECURITY_NETWORK at
> > all.
> 
> Possibly not.  Might be worth running network benchmarks with it
> disabled and enabled, with selinux=0 in both cases, just to see what
> overhead the LSM hooks impose (if any).  sock_rcv_skb is likely the only
> real concern.

Even if it does impose an overhead, I don't see that it's useful as an 
option.  People generally either enable LSM for SELinux or not.


- James
-- 
James Morris
<jmorris@namei.org>


* Re: changes in ~2.6.13 break postfix policy?
  2005-11-15 12:59                         ` James Morris
@ 2005-11-15 13:19                           ` Stephen Smalley
  2005-11-15 13:58                             ` James Morris
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2005-11-15 13:19 UTC (permalink / raw)
  To: James Morris
  Cc: Luke Kenneth Casson Leighton, Erich Schubert, Chris Wright,
	Russell Coker, SELinux

On Tue, 2005-11-15 at 07:59 -0500, James Morris wrote:
> On Tue, 15 Nov 2005, Stephen Smalley wrote:
> 
> > On Mon, 2005-11-14 at 18:07 -0500, James Morris wrote:
> > > Ok.  I also wonder whether we still need CONFIG_SECURITY_NETWORK at
> > > all.
> > 
> > Possibly not.  Might be worth running network benchmarks with it
> > disabled and enabled, with selinux=0 in both cases, just to see what
> > overhead the LSM hooks impose (if any).  sock_rcv_skb is likely the only
> > real concern.
> 
> Even if it does impose an overhead, I don't see that it's useful as an 
> option.  People generally either enable LSM for SELinux or not.

True.  However, I can envision people who want to apply SELinux for
local confinement of processes without necessarily caring about the
network controls, and I can further envision them not wanting the
performance overhead on the network path created by e.g. the
sock_rcv_skb hook and the netfilter hooks.  So that seems like a
reasonable configuration option.  The current CONFIG_SECURITY_NETWORK
isn't very useful in that respect because it covers not only those
networking checks but also the socket hooks, including the checking for
Unix/local sockets.

-- 
Stephen Smalley
National Security Agency



* Re: changes in ~2.6.13 break postfix policy?
  2005-11-15 13:19                           ` Stephen Smalley
@ 2005-11-15 13:58                             ` James Morris
  0 siblings, 0 replies; 16+ messages in thread
From: James Morris @ 2005-11-15 13:58 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Luke Kenneth Casson Leighton, Erich Schubert, Chris Wright,
	Russell Coker, SELinux

On Tue, 15 Nov 2005, Stephen Smalley wrote:

> True.  However, I can envision people who want to apply SELinux for
> local confinement of processes without necessarily caring about the
> network controls, and I can further envision them not wanting the
> performance overhead on the network path created by e.g. the
> sock_rcv_skb hook and the netfilter hooks.  So that seems like a
> reasonable configuration option.  The current CONFIG_SECURITY_NETWORK
> isn't very useful in that respect because it covers not only those
> networking checks but also the socket hooks, including the checking for
> Unix/local sockets.

Well, we could add an SELinux-only config option for local confinement 
if someone asks for it.


- James
-- 
James Morris
<jmorris@namei.org>
