* [PATCH 0/2] NetLabel policy additions for the reference policy
From: paul.moore @ 2006-10-11 21:29 UTC
  To: selinux

This patch is an updated version of the RFC patches I sent out to the list
yesterday for comments.  Since yesterday I have made changes based on Chris'
comments as well as changes for problems found during testing today.

Please review and if it is acceptable please merge this into the reference
policy.

Thanks.

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH 1/2] Reference policy: NetLabel policy additions
From: paul.moore @ 2006-10-11 21:29 UTC
  To: selinux

This patch adds basic NetLabel support to the reference policy.

---
 refpolicy/policy/modules/kernel/corenetwork.if.in |   58 ++++++++++++
 refpolicy/policy/modules/kernel/kernel.if         |  102 ++++++++++++++++++++++
 refpolicy/policy/modules/system/netlabel.fc       |    7 +
 refpolicy/policy/modules/system/netlabel.if       |   58 ++++++++++++
 refpolicy/policy/modules/system/netlabel.te       |   34 +++++++
 refpolicy/policy/modules/system/userdomain.if     |    2 
 refpolicy/policy/modules/system/userdomain.te     |    2 
 7 files changed, 263 insertions(+)

Index: refpolicy.lblnet/refpolicy/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ refpolicy.lblnet/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1436,6 +1436,64 @@ interface(`corenet_dontaudit_non_ipsec_s
 
 ########################################
 ## <summary>
+##      Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_recv_netlabel',`
+	kernel_tcp_recv_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recv_netlabel',`
+	kernel_dontaudit_tcp_recv_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_recv_netlabel',`
+	kernel_udp_recv_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recv_netlabel',`
+	kernel_dontaudit_udp_recv_netlabel($1)
+')
+
+########################################
+## <summary>
 ##	Send generic client packets.
 ## </summary>
 ## <param name="domain">
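Review bot: Indentation inside the new doc comments is inconsistent with the surrounding file: the added `##      Receive TCP packets from a NetLabel connection.` lines use spaces, while the neighbouring context line `##	Send generic client packets.` and the `<param>` blocks use a tab. Use tabs throughout so the interface documentation extraction sees uniform formatting.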
Index: refpolicy.lblnet/refpolicy/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/modules/kernel/kernel.if
+++ refpolicy.lblnet/refpolicy/policy/modules/kernel/kernel.if
@@ -2205,6 +2205,108 @@ interface(`kernel_dontaudit_sendrecv_unl
 
 ########################################
 ## <summary>
+##      Receive TCP packets from a NetLabel connection.
+## </summary>
+## <desc>
+##	<p>
+##      Receive TCP packets from a NetLabel connection, NetLabel is an
+##      explicit packet labeling framework which implements CIPSO and
+##      similar protocols.
+##      </p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_tcp_recv_netlabel',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.
+## </summary>
+## <desc>
+##	<p>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.  NetLabel is an explicit packet labeling framework
+##      which implements CIPSO and similar protocols.
+##      </p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_tcp_recv_netlabel',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from a NetLabel connection.
+## </summary>
+## <desc>
+##	<p>
+##      Receive UDP packets from a NetLabel connection, NetLabel is an
+##      explicit packet labeling framework which implements CIPSO and
+##      similar protocols.
+##      </p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_udp_recv_netlabel',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.
+## </summary>
+## <desc>
+##	<p>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.  NetLabel is an explicit packet labeling framework
+##      which implements CIPSO and similar protocols.
+##      </p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_udp_recv_netlabel',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
 ##	Send and receive unlabeled packets.
 ## </summary>
 ## <desc>
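Review bot: The two TCP interface names are swapped relative to their bodies and doc blocks: `kernel_dontaudit_tcp_recv_netlabel` contains `allow $1 unlabeled_t:tcp_socket recvfrom;` and `kernel_tcp_recv_netlabel` contains `dontaudit $1 unlabeled_t:tcp_socket recvfrom;`, so a caller of the allow interface gets a dontaudit rule and vice versa (the UDP pair is correct). Rename the two interfaces to match their bodies, since the summaries already describe the bodies correctly. The `<desc>` text for the allow interfaces also has a comma splice ("...from a NetLabel connection, NetLabel is an explicit...") that should be a full stop, as in the dontaudit descriptions.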
Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.fc
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.fc
@@ -0,0 +1,7 @@
+
+########################################
+#
+# netlabel file contexts
+#
+
+/sbin/netlabelctl		--	gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
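Review bot: The new file opens with an empty line before the `# netlabel file contexts` banner; drop it so the file starts with the banner like the rest of the module's files, and confirm that `/sbin/netlabelctl` is the only install path the tool uses before relying on a single entry.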
Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.if
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.if
@@ -0,0 +1,58 @@
+## <summary>NetLabel packet labeling</summary>
+
+########################################
+## <summary>
+##      Execute netlabel_mgmt in the netlabel_mgmt domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`netlabel_domtrans_mgmt',`
+        gen_require(`
+                type netlabel_mgmt_t, netlabel_mgmt_exec_t;
+        ')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
+
+	allow $1 netlabel_mgmt_t:fd use;
+	allow netlabel_mgmt_t $1:fd use;
+	allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
+	allow netlabel_mgmt_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Execute netlabel_mgmt in the netlabel_mgmt domain, and
+##      allow the specified role the netlabel_mgmt domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the netlabel_mgmt domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the netlabel_mgmt domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`netlabel_run_mgmt',`
+	gen_require(`
+		type netlabel_mgmt_t;
+	')
+
+	corecmd_search_sbin($1)
+	netlabel_domtrans_mgmt($1)
+	role $2 types netlabel_mgmt_t;
+	allow netlabel_mgmt_t $3:chr_file rw_term_perms;
+')
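Review bot: `netlabel_run_mgmt` calls `corecmd_search_sbin($1)` and then `netlabel_domtrans_mgmt($1)`, which already calls `corecmd_search_sbin($1)` itself, so the first call is redundant and can be dropped. Two smaller points: the `gen_require` block in `netlabel_domtrans_mgmt` is indented with spaces while the rest of the interface uses tabs, and the `terminal` parameter summary "The type of the terminal allow the netlabel_mgmt domain to use" should read "The type of the terminal the netlabel_mgmt domain is allowed to use".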
Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.te
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.te
@@ -0,0 +1,34 @@
+
+policy_module(netlabel,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type netlabel_mgmt_t;
+type netlabel_mgmt_exec_t;
+
+domain_type(netlabel_mgmt_t)
+domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+
+########################################
+#
+# NetLabel Management Tools Local policy
+#
+
+# allow access to newrole fds
+seutil_use_newrole_fds(netlabel_mgmt_t)
+
+# allow access to shared libraries
+libs_use_ld_so(netlabel_mgmt_t)
+libs_use_shared_libs(netlabel_mgmt_t)
+
+# allow read access to network state
+kernel_read_network_state(netlabel_mgmt_t)
+
+# allow communication with kernel subsystem
+allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+
+# allow CAP_NET_ADMIN to modify the kernel subsystem configuration
+allow netlabel_mgmt_t self:capability net_admin;
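Review bot: `allow netlabel_mgmt_t self:netlink_socket create_socket_perms;` grants the generic `netlink_socket` class rather than a NetLabel-specific netlink class, so the rule also covers any other generic netlink family the tool could open; the comment `# allow communication with kernel subsystem` should say that this is the generic class and why, so the rule is tightened once a dedicated class exists. Also the banner `# NetLabel Management Tools Local policy` mixes capitalisation; the file's other banner (`# Declarations`) uses a single capital.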
Index: refpolicy.lblnet/refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/modules/system/userdomain.if
+++ refpolicy.lblnet/refpolicy/policy/modules/system/userdomain.if
@@ -512,6 +512,8 @@ template(`userdom_basic_networking_templ
 	corenet_udp_sendrecv_all_nodes($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
+	corenet_tcp_recv_netlabel($1_t)
+	corenet_udp_recv_netlabel($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
 ')
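Review bot: `corenet_tcp_recv_netlabel($1_t)` and `corenet_udp_recv_netlabel($1_t)` are added unconditionally to `userdom_basic_networking_template`, so every user domain built from it receives the NetLabel recvfrom rules on every policy variant. Since the MLS constraint in patch 2/2 is what gives these rules their meaning, consider wrapping the two lines in `ifdef(`enable_mls',` ... `')` so non-MLS policies are left untouched.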
Index: refpolicy.lblnet/refpolicy/policy/modules/system/userdomain.te
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/modules/system/userdomain.te
+++ refpolicy.lblnet/refpolicy/policy/modules/system/userdomain.te
@@ -155,10 +155,12 @@ ifdef(`strict_policy',`
 	        logging_read_generic_logs(secadm_t)
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+		netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
 	',`
 		logging_manage_audit_log(sysadm_t)
 		logging_manage_audit_config(sysadm_t)
 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
+		netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal)
 	')
 
 	tunable_policy(`allow_ptrace',`
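Review bot: The two branches pass the terminal argument in different forms: the secadm line inlines `{ secadm_tty_device_t secadm_devpts_t }` (with a stray space after the second comma), while the sysadm line uses the `admin_terminal` attribute exactly as the neighbouring `logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)` does. Use the attribute form in both, and confirm the non-strict sysadm branch is wanted, given that the rest of this series ties NetLabel reception to the MLS constraint.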

--
paul moore
linux security @ hp



* [PATCH 2/2] Reference policy: Restrict NetLabel to same MLS label connections by default
From: paul.moore @ 2006-10-11 21:30 UTC
  To: selinux

This patch adjusts the {tcp,udp}_socket recvfrom permissions to only allow
same MLS label connections.

---
 refpolicy/policy/mls |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletion(-)

Index: refpolicy.lblnet/refpolicy/policy/mls
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/mls
+++ refpolicy.lblnet/refpolicy/policy/mls
@@ -165,7 +165,7 @@ mlsconstrain { socket tcp_socket udp_soc
 	( h1 dom h2 );
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
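Review bot: Dropping `recvfrom` from this constraint removes the MLS check on it for every class in the set, not only `tcp_socket` and `udp_socket`; `rawip_socket`, the unix sockets and the netlink classes listed here are left with no constraint on `recvfrom` at all unless the follow-on rule also names them. Since all constraints on a class/permission pair must hold, the simpler option is to keep `recvfrom` here and let the stricter tcp/udp rule apply on top of it; otherwise extend the new rule's class list and say in the comment above that `recvfrom` is handled separately.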
@@ -181,6 +181,12 @@ mlsconstrain { socket tcp_socket udp_soc
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
+# used by netlabel to restrict normal domains to same level connections
+mlsconstrain { tcp_socket udp_socket } recvfrom
+	(( l1 eq l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
 #
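Review bot: The comment says "same level connections" but the rule compares only the low components (`l1 eq l2`), so a domain with a range such as s0-s15 is still denied a peer at s3 unless it carries `mlsnetreadtoclr` (which switches to `h1 dom l2`) or `mlsnetread`. Spell that out in the comment and name which domains are expected to carry those two attributes, so the escape hatches are visible to whoever audits this constraint later.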

--
paul moore
linux security @ hp
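
The following evaluator is an added example, not code from the patch or the reference policy: it models the socket read constraint before the change and the new tcp/udp `recvfrom` rule from patch 2/2 over constructed subject ranges and peer levels, so the effect of `l1 dom l2` versus `l1 eq l2` can be checked directly. The level syntax parser (sN, cN, cA.cB ranges) and the modelling of `t1 == mlsnetread` as an attribute set on the subject type are assumptions of this example.

```python
# Added example: evaluate the MLS recvfrom constraints from the patch over
# constructed contexts. Not part of the reference policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity number plus a set of category numbers."""
    sens: int
    cats: frozenset

    def dom(self, other):
        # "dom" in policy: sensitivity >= and categories a superset
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """Parse 's3:c1,c2', 's0:c0.c3' or 's0' (assumed sN/cN syntax)."""
    sens, _, cats = text.partition(":")
    cat_set = set()
    for item in cats.split(","):
        if not item:
            continue
        lo, _, hi = item.partition(".")      # 'c0.c3' is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cat_set.update(range(lo_n, hi_n + 1))
    return Level(int(sens[1:]), frozenset(cat_set))


def parse_range(text):
    """Parse a subject range 'low-high' (or a single level) into (l1, h1)."""
    low, _, high = text.partition("-")
    l1 = parse_level(low)
    return l1, (parse_level(high) if high else l1)


def old_recvfrom_allowed(attrs, subject_range, peer_level):
    """Pre-patch socket read rule: ( l1 dom l2 ) or the two override attributes."""
    l1, h1 = parse_range(subject_range)
    l2 = parse_level(peer_level)
    return (l1.dom(l2)
            or ("mlsnetreadtoclr" in attrs and h1.dom(l2))
            or "mlsnetread" in attrs)


def new_recvfrom_allowed(attrs, subject_range, peer_level):
    """Post-patch tcp/udp recvfrom rule: ( l1 eq l2 ) or the same overrides."""
    l1, h1 = parse_range(subject_range)
    l2 = parse_level(peer_level)
    return (l1 == l2
            or ("mlsnetreadtoclr" in attrs and h1.dom(l2))
            or "mlsnetread" in attrs)


if __name__ == "__main__":
    # A subject at s2:c1 reading from a peer at s0: allowed by dominance, denied by eq.
    print(old_recvfrom_allowed(frozenset(), "s2:c1", "s0"))
    print(new_recvfrom_allowed(frozenset(), "s2:c1", "s0"))
```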



* Re: [PATCH 1/2] Reference policy: NetLabel policy additions
From: Christopher J. PeBenito @ 2006-10-12 14:49 UTC
  To: paul.moore; +Cc: selinux

On Wed, 2006-10-11 at 17:29 -0400, paul.moore@hp.com wrote:
> This patch adds basic NetLabel support to the reference policy.

Merged to the labeled networking branch.  A couple notes, mostly
nitpicking that I skipped on your RFC email:

> +interface(`kernel_dontaudit_tcp_recv_netlabel',`
> +	gen_require(`
> +		type unlabeled_t;
> +	')
> +
> +	allow $1 unlabeled_t:tcp_socket recvfrom;
> +')

> +interface(`kernel_tcp_recv_netlabel',`
> +	gen_require(`
> +		type unlabeled_t;
> +	')
> +
> +	dontaudit $1 unlabeled_t:tcp_socket recvfrom;
> +')

Fixed the above interfaces; you had the allow interface dontaudit and
vice versa. I didn't notice these the first time around.  I also tweaked
the names a little.

> +# allow communication with kernel subsystem
> +allow netlabel_mgmt_t self:netlink_socket create_socket_perms;

I'm guessing we don't have time to fix the kernel to make this a
specified netlink socket, rather than using the fallback generic netlink
socket?

I also removed some of the comments, since they seemed obvious because
they were almost the same as the interface names.

> @@ -512,6 +512,8 @@ template(`userdom_basic_networking_templ
>  	corenet_udp_sendrecv_all_nodes($1_t)
>  	corenet_tcp_sendrecv_all_ports($1_t)
>  	corenet_udp_sendrecv_all_ports($1_t)
> +	corenet_tcp_recv_netlabel($1_t)
> +	corenet_udp_recv_netlabel($1_t)
>  	corenet_tcp_connect_all_ports($1_t)
>  	corenet_sendrecv_all_client_packets($1_t)
>  ')

I put this in ifdef enable_mls.  It doesn't hurt non-mls, but might as
well keep things clean.

> @@ -155,10 +155,12 @@ ifdef(`enable_mls',`
>  	        logging_read_generic_logs(secadm_t)
>  		userdom_dontaudit_append_staff_home_content_files(secadm_t)
>  		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
> +		netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
>  	',`
>  		logging_manage_audit_log(sysadm_t)
>  		logging_manage_audit_config(sysadm_t)
>  		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
> +		netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal)
>  	')

I thought that netlabel just had the mls level.  Wouldn't that make it
useless on a non mls policy (the second addition is for non mls)?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: [PATCH 1/2] Reference policy: NetLabel policy additions
From: Paul Moore @ 2006-10-12 15:11 UTC
  To: Christopher J. PeBenito; +Cc: selinux

Christopher J. PeBenito wrote:
> On Wed, 2006-10-11 at 17:29 -0400, paul.moore@hp.com wrote:
> 
>>This patch adds basic NetLabel support to the reference policy.
> 
> Merged to the labeled networking branch.  A couple notes, mostly
> nitpicking that I skipped on your RFC email:

Thanks!  I'll grab the version you checked in and give it a quick test just to
make sure.

>>+# allow communication with kernel subsystem
>>+allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
>  
> I'm guessing we don't have time to fix the kernel to make this a
> specified netlink socket, rather than using the fallback generic netlink
> socket?

No; the problem is that it is a much larger problem than just NetLabel, it's the
genetlink mechanism in general.  I heard a rumor that someone was working on
adding proper SELinux genetlink support, but I haven't seen anything posted.  If
nothing appears in the next month or two I'll start working on something for
genetlink (I also owe Jamal some comments for his genetlink document).

>>@@ -155,10 +155,12 @@ ifdef(`enable_mls',`
>> 	        logging_read_generic_logs(secadm_t)
>> 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
>> 		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
>>+		netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
>> 	',`
>> 		logging_manage_audit_log(sysadm_t)
>> 		logging_manage_audit_config(sysadm_t)
>> 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
>>+		netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal)
>> 	')
> 
> 
> I thought that netlabel just had the mls level.  Wouldn't that make it
> useless on a non mls policy (the second addition is for non mls)?

There is an argument that it would still apply for the mcs case as well,
although the quality of that argument is debatable.

-- 
paul moore
linux security @ hp


