* [PATCH] SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
@ 2007-06-29 15:48 Paul Moore
From: Paul Moore @ 2007-06-29 15:48 UTC (permalink / raw)
  To: selinux

These changes will make NetLabel behave like labeled IPsec where there is an
access check for both labeled and unlabeled packets as well as providing the
ability to restrict domains to receiving only labeled packets when NetLabel is
in use.  The changes to the policy are straightforward with the following
necessary to receive labeled traffic (with SECINITSID_NETMSG defined as
"netlabel_peer_t"):

 allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;

The policy for unlabeled traffic would be:

 allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;

These policy changes, as well as more general NetLabel support, are included in
the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable
NetLabel support in the kernel are strongly encouraged to upgrade their policy
to avoid network problems.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 security/selinux/hooks.c    |   21 +++++++++++----------
 security/selinux/netlabel.c |   34 +++++++++++++---------------------
 2 files changed, 24 insertions(+), 31 deletions(-)

Index: net-2.6.23_netmsg/security/selinux/hooks.c
===================================================================
--- net-2.6.23_netmsg.orig/security/selinux/hooks.c
+++ net-2.6.23_netmsg/security/selinux/hooks.c
@@ -3124,17 +3124,19 @@ static int selinux_parse_skb(struct sk_b
 /**
  * selinux_skb_extlbl_sid - Determine the external label of a packet
  * @skb: the packet
- * @base_sid: the SELinux SID to use as a context for MLS only external labels
  * @sid: the packet's SID
  *
  * Description:
  * Check the various different forms of external packet labeling and determine
- * the external SID for the packet.
+ * the external SID for the packet.  If only one form of external labeling is
+ * present then it is used, if both labeled IPsec and NetLabel labels are
+ * present then the SELinux type information is taken from the labeled IPsec
+ * SA and the MLS sensitivity label information is taken from the NetLabel
+ * security attributes.  This bit of "magic" is done in the call to
+ * selinux_netlbl_skbuff_getsid().
  *
  */
-static void selinux_skb_extlbl_sid(struct sk_buff *skb,
-				   u32 base_sid,
-				   u32 *sid)
+static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
 {
 	u32 xfrm_sid;
 	u32 nlbl_sid;
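Review bot: The rewritten kernel-doc for selinux_skb_extlbl_sid still does not say what @sid holds when neither labeled IPsec nor NetLabel supplied a label, even though every call site touched by this patch immediately tests the result against SECSID_NULL. From the assignment `*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);` in the following hunk, an unlabeled packet yields whatever selinux_skb_xfrm_sid() left in xfrm_sid, which the callers treat as SECSID_NULL. I would extend the parameter line to `@sid: the packet's SID, set to SECSID_NULL if no external label is present` so that contract is stated where the callers look for it. The function body continues in the next hunk.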
@@ -3142,10 +3144,9 @@ static void selinux_skb_extlbl_sid(struc
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	if (selinux_netlbl_skbuff_getsid(skb,
 					 (xfrm_sid == SECSID_NULL ?
-					  base_sid : xfrm_sid),
+					  SECINITSID_NETMSG : xfrm_sid),
 					 &nlbl_sid) != 0)
 		nlbl_sid = SECSID_NULL;
-
 	*sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
 }
 
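Review bot: The new SECINITSID_NETMSG base passed on the changed line feeds a call whose failure is still collapsed into `nlbl_sid = SECSID_NULL;`, so a NetLabel attribute set that cannot be mapped to a SID is indistinguishable from a packet that carried no NetLabel label, and the result silently falls back to xfrm_sid or SECSID_NULL. selinux_netlbl_sock_rcv_skb in this same patch returns that error to its caller instead, so the two receive paths disagree on how a mapping failure is treated; the selinux_netlbl_sock_graft hunk in netlabel.c drops the error in the same way. If the fall-back is deliberate, a comment such as `/* a NetLabel mapping failure is treated as "no NetLabel label" */` above the assignment would make that explicit; otherwise the failure should be surfaced to the caller rather than folded into the unlabeled case. selinux_skb_extlbl_sid begins in the previous hunk.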
@@ -3690,7 +3691,7 @@ static int selinux_socket_getpeersec_dgr
 	if (sock && sock->sk->sk_family == PF_UNIX)
 		selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
 	else if (skb)
-		selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid);
+		selinux_skb_extlbl_sid(skb, &peer_secid);
 
 	if (peer_secid == SECSID_NULL)
 		err = -EINVAL;
@@ -3751,7 +3752,7 @@ static int selinux_inet_conn_request(str
 	u32 newsid;
 	u32 peersid;
 
-	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid);
+	selinux_skb_extlbl_sid(skb, &peersid);
 	if (peersid == SECSID_NULL) {
 		req->secid = sksec->sid;
 		req->peer_secid = SECSID_NULL;
@@ -3789,7 +3790,7 @@ static void selinux_inet_conn_establishe
 {
 	struct sk_security_struct *sksec = sk->sk_security;
 
-	selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid);
+	selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
 }
 
 static void selinux_req_classify_flow(const struct request_sock *req,
Index: net-2.6.23_netmsg/security/selinux/netlabel.c
===================================================================
--- net-2.6.23_netmsg.orig/security/selinux/netlabel.c
+++ net-2.6.23_netmsg/security/selinux/netlabel.c
@@ -158,9 +158,7 @@ int selinux_netlbl_skbuff_getsid(struct 
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, &secattr);
 	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-		rc = security_netlbl_secattr_to_sid(&secattr,
-						    base_sid,
-						    sid);
+		rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid);
 	else
 		*sid = SECSID_NULL;
 	netlbl_secattr_destroy(&secattr);
@@ -198,7 +196,7 @@ void selinux_netlbl_sock_graft(struct so
 	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
 	    secattr.flags != NETLBL_SECATTR_NONE &&
 	    security_netlbl_secattr_to_sid(&secattr,
-					   SECINITSID_UNLABELED,
+					   SECINITSID_NETMSG,
 					   &nlbl_peer_sid) == 0)
 		sksec->peer_sid = nlbl_peer_sid;
 	netlbl_secattr_destroy(&secattr);
@@ -295,38 +293,32 @@ int selinux_netlbl_sock_rcv_skb(struct s
 				struct avc_audit_data *ad)
 {
 	int rc;
-	u32 netlbl_sid;
-	u32 recv_perm;
+	u32 nlbl_sid;
+	u32 perm;
 
-	rc = selinux_netlbl_skbuff_getsid(skb,
-					  SECINITSID_UNLABELED,
-					  &netlbl_sid);
+	rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);
 	if (rc != 0)
 		return rc;
-
-	if (netlbl_sid == SECSID_NULL)
-		return 0;
+	if (nlbl_sid == SECSID_NULL)
+		nlbl_sid = SECINITSID_UNLABELED;
 
 	switch (sksec->sclass) {
 	case SECCLASS_UDP_SOCKET:
-		recv_perm = UDP_SOCKET__RECVFROM;
+		perm = UDP_SOCKET__RECVFROM;
 		break;
 	case SECCLASS_TCP_SOCKET:
-		recv_perm = TCP_SOCKET__RECVFROM;
+		perm = TCP_SOCKET__RECVFROM;
 		break;
 	default:
-		recv_perm = RAWIP_SOCKET__RECVFROM;
+		perm = RAWIP_SOCKET__RECVFROM;
 	}
 
-	rc = avc_has_perm(sksec->sid,
-			  netlbl_sid,
-			  sksec->sclass,
-			  recv_perm,
-			  ad);
+	rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
 	if (rc == 0)
 		return 0;
 
-	netlbl_skbuff_err(skb, rc);
+	if (nlbl_sid != SECINITSID_UNLABELED)
+		netlbl_skbuff_err(skb, rc);
 	return rc;
 }
 
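Review bot: The error-notification guard `if (nlbl_sid != SECINITSID_UNLABELED)` at the end of selinux_netlbl_sock_rcv_skb uses SID equality as a proxy for "the packet carried no NetLabel label", which ties the guard to the earlier substitution of SECINITSID_UNLABELED and, should a NetLabel attribute set ever map to that SID, would also suppress netlbl_skbuff_err() for a genuinely labeled packet that was denied. Recording the outcome of selinux_netlbl_skbuff_getsid() in a local flag keeps the intent explicit and independent of which SID is used to represent unlabeled traffic. The access check itself (unlabeled packets checked against SECINITSID_UNLABELED, labeled ones against their NetLabel SID) is unchanged by this suggestion. The function's signature starts before this hunk.
```c
	int rc;
	int labeled;
	u32 nlbl_sid;
	u32 perm;

	rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &nlbl_sid);
	if (rc != 0)
		return rc;
	/* remember whether the packet actually carried a NetLabel label */
	labeled = (nlbl_sid != SECSID_NULL);
	if (!labeled)
		nlbl_sid = SECINITSID_UNLABELED;

	/* … unchanged: socket-class to recvfrom permission switch, avc_has_perm() call … */

	/* only report a denial back to NetLabel when a label was present */
	if (labeled)
		netlbl_skbuff_err(skb, rc);
	return rc;
}
```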

-- 
paul moore
linux security @ hp




* Re: [PATCH] SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
@ 2007-06-29 18:58 ` James Morris
From: James Morris @ 2007-06-29 18:58 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On Fri, 29 Jun 2007, Paul Moore wrote:

> These changes will make NetLabel behave like labeled IPsec where there is an
> access check for both labeled and unlabeled packets as well as providing the
> ability to restrict domains to receiving only labeled packets when NetLabel is
> in use.  The changes to the policy are straight forward with the following
> necessary to receive labeled traffic (with SECINITSID_NETMSG defined as
> "netlabel_peer_t"):

Applied to 
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-akpm


Please test, as the next mainline merge window could open at any time.


-- 
James Morris
<jmorris@namei.org>



* Re: [PATCH] SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
@ 2007-06-29 19:04   ` Paul Moore
From: Paul Moore @ 2007-06-29 19:04 UTC (permalink / raw)
  To: James Morris; +Cc: selinux

On Friday, June 29 2007 2:58:25 pm James Morris wrote:
> On Fri, 29 Jun 2007, Paul Moore wrote:
> > These changes will make NetLabel behave like labeled IPsec where there is
> > an access check for both labeled and unlabeled packets as well as
> > providing the ability to restrict domains to receiving only labeled
> > packets when NetLabel is in use.  The changes to the policy are straight
> > forward with the following necessary to receive labeled traffic (with
> > SECINITSID_NETMSG defined as "netlabel_peer_t"):
>
> Applied to
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-a
>kpm

Thanks.

> Please test, as the next mainline merge window could open at any time.

I have been testing this with the associated policy changes for a little while 
now and have not seen any regressions.  I haven't yet had a chance to verify 
the new Reference Policy release that Chris just announced but I plan to at 
least boot it once before the end of the day.

-- 
paul moore
linux security @ hp


