From: "Paul Moore" <paul.moore@hp.com>
To: selinux@tycho.nsa.gov
Cc: cpebenito@tresys.com, Paul Moore <paul.moore@hp.com>
Subject: [PATCHv2 1/5] Use the netmsg initial SID for NetLabel connections
Date: Thu, 21 Jun 2007 19:15:08 -0400	[thread overview]
Message-ID: <20070621232049.621307311@hp.com> (raw)
In-Reply-To: 20070621231507.402982591@hp.com

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID, which makes it very difficult to
distinguish between actual unlabeled packets and those packets which carry MLS
security attributes.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/mls                              |    5 
 policy/modules/kernel/corenetwork.if.in |  244 +++++++++++++++++++++++++++++++-
 policy/modules/kernel/corenetwork.te.in |    7 
 policy/modules/kernel/kernel.if         |   69 +++------
 policy/modules/kernel/kernel.te         |    1 
 5 files changed, 275 insertions(+), 51 deletions(-)

Index: refpolicy_svn_repo/policy/mls
===================================================================
--- refpolicy_svn_repo.orig/policy/mls
+++ refpolicy_svn_repo/policy/mls
@@ -182,11 +182,12 @@ mlsconstrain { socket tcp_socket udp_soc
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
-# used by netlabel to restrict normal domains to same level connections
+# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled
 mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
+	 ( t1 == mlsnetread ) or
+	 ( t2 == unlabeled_t ));
 
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
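Review bot: The added `( t2 == unlabeled_t )` clause drops the level comparison entirely for unlabeled peers, so whether a domain may receive unlabeled traffic at a different level is now decided solely by the TE allow rules handed out through the kernel_*_recvfrom_unlabeled() interfaces. The rewritten comment says "unless the connection is unlabeled" but not that the MLS check is being delegated to TE; a reader auditing MLS enforcement would want that spelled out, e.g. `# unlabeled peers are exempt from the level check; TE rules alone decide who may receive unlabeled traffic`. The preceding mlsconstrain whose tail appears at the top of this hunk begins outside it.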
Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
@@ -1565,6 +1565,12 @@ interface(`corenet_dontaudit_udp_bind_al
 ##	non-encrypted (no IPSEC) network
 ##	session.
 ## </summary>
+## <desc>
+##	<p>
+##	The corenet_all_recvfrom_unlabeled() interface should be used instead
+##	of this one.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -1581,6 +1587,12 @@ interface(`corenet_non_ipsec_sendrecv',`
 ##	messages on a non-encrypted (no IPSEC) network
 ##	session.
 ## </summary>
+## <desc>
+##	<p>
+##	The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
+##	used instead of this one.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
@@ -1601,8 +1613,31 @@ interface(`corenet_dontaudit_non_ipsec_s
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_recv_netlabel',`
+interface(`corenet_tcp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive TCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_unlabeled',`
 	kernel_tcp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
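Review bot: `corenet_tcp_recv_netlabel` is renamed to `corenet_tcp_recvfrom_netlabel` with no compatibility wrapper, so any module still calling the old name stops building until it is updated; the same applies to the dontaudit, udp and raw renames in the next four hunks of this file. If out-of-tree callers are a concern, a thin deprecated shim that just forwards to the new name (using the tree's deprecation-warning macro, if one is available) would keep them working for a release. Separately, the new summary reads `Receive TCP packets from an unlabled connection.` and should be `unlabeled`.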
@@ -1616,8 +1651,32 @@ interface(`corenet_tcp_recv_netlabel',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_recv_netlabel',`
+interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
 	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
@@ -1630,8 +1689,31 @@ interface(`corenet_dontaudit_tcp_recv_ne
 ##	</summary>
 ## </param>
 #
-interface(`corenet_udp_recv_netlabel',`
+interface(`corenet_udp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_unlabeled',`
 	kernel_udp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
@@ -1645,8 +1727,32 @@ interface(`corenet_udp_recv_netlabel',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_udp_recv_netlabel',`
+interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
 	kernel_dontaudit_udp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
@@ -1659,8 +1765,31 @@ interface(`corenet_dontaudit_udp_recv_ne
 ##	</summary>
 ## </param>
 #
-interface(`corenet_raw_recv_netlabel',`
+interface(`corenet_raw_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_unlabeled',`
 	kernel_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
@@ -1674,8 +1803,111 @@ interface(`corenet_raw_recv_netlabel',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_raw_recv_netlabel',`
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+	kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_unlabeled',`
+	kernel_tcp_recvfrom_unlabeled($1)
+	kernel_udp_recvfrom_unlabeled($1)
+	kernel_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Receive packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+	kernel_dontaudit_udp_recvfrom_unlabeled($1)
 	kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')
 
 ########################################
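Review bot: The parameter summary for `corenet_dontaudit_all_recvfrom_unlabeled` reads `Domain allowed access.` although this is a dontaudit interface; every other dontaudit interface in this file, including the sibling `corenet_dontaudit_all_recvfrom_netlabel` just below it, uses `Domain to not audit.`, so change the line to `##	Domain to not audit.`. The XXX comment repeated in this hunk and in the five earlier hunks of this file spells `oubound`; it should read `outbound`. It may also be worth having the per-protocol interfaces above call the new kernel_*_recvfrom_unlabeled() only once through `corenet_all_recvfrom_unlabeled` rather than duplicating the XXX block six times, but that is a style choice.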
Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.te.in
@@ -37,6 +37,13 @@ dev_node(tun_tap_device_t)
 type client_packet_t, packet_type, client_packet_type;
 
 #
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
+# connections using NetLabel which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg		gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
+#
 # port_t is the default type of INET port numbers.
 #
 type port_t, port_type;
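Review bot: The comment introducing `netlabel_peer_t` says these connections "do not carry full SELinux contexts", but it does not say what the cover letter does — that netmsg is the base SID for NetLabel packets carrying only MLS attributes — and a reader of this file alone cannot tell how `mls_systemhigh` here interacts with the level carried by the packet. Suggest extending the comment to `# netmsg is the base SID for NetLabel packets that carry only MLS attributes`, and, if the packet's own level overrides the default given here (I infer that from the description but cannot confirm it from this hunk), saying so as well.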
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.if
@@ -2198,17 +2198,14 @@ interface(`kernel_dontaudit_sendrecv_unl
 
 ########################################
 ## <summary>
-##      Receive TCP packets from a NetLabel connection.
+##      Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive TCP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive TCP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_tcp_recv_netlabel() should
+##	The corenetwork interface corenet_tcp_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
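Review bot: The replacement text points callers to `corenet_tcp_recv_unlabeled()`, but the interface this series adds in corenetwork.if.in is `corenet_tcp_recvfrom_unlabeled()` (note `recvfrom`), so the cross-reference names an interface that does not exist. The same mismatch appears in the following five hunks of this file (`corenet_dontaudit_tcp_recv_unlabeled`, `corenet_udp_recv_unlabeled`, `corenet_dontaudit_udp_recv_unlabeled`, `corenet_raw_recv_unlabeled`, `corenet_dontaudit_raw_recv_unlabeled`). Here the line should read `##	The corenetwork interface corenet_tcp_recvfrom_unlabeled() should`. The interface body itself lies outside the hunk.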
@@ -2228,19 +2225,17 @@ interface(`kernel_tcp_recvfrom_unlabeled
 
 ########################################
 ## <summary>
-##      Do not audit attempts to receive TCP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive TCP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_tcp_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
@@ -2259,17 +2254,14 @@ interface(`kernel_dontaudit_tcp_recvfrom
 
 ########################################
 ## <summary>
-##      Receive UDP packets from a NetLabel connection.
+##      Receive UDP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive UDP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive UDP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_udp_recv_netlabel() should
+##	The corenetwork interface corenet_udp_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
@@ -2289,19 +2281,17 @@ interface(`kernel_udp_recvfrom_unlabeled
 
 ########################################
 ## <summary>
-##      Do not audit attempts to receive UDP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive UDP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_udp_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
@@ -2320,17 +2310,14 @@ interface(`kernel_dontaudit_udp_recvfrom
 
 ########################################
 ## <summary>
-##      Receive Raw IP packets from a NetLabel connection.
+##      Receive Raw IP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive Raw IP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive Raw IP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_raw_recv_netlabel() should
+##	The corenetwork interface corenet_raw_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
@@ -2350,19 +2337,17 @@ interface(`kernel_raw_recvfrom_unlabeled
 
 ########################################
 ## <summary>
-##      Do not audit attempts to receive Raw IP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive Raw IP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_raw_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
@@ -153,7 +153,6 @@ sid icmp_socket		gen_context(system_u:ob
 sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid init		gen_context(system_u:object_r:unlabeled_t,s0)
 sid kmod		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid netmsg		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid policy		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)

-- 
paul moore
linux security @ hp
