From: Paul Moore <paul.moore@hp.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: [PATCH 4/4] REFPOL: Add new labeled networking permissions
Date: Wed, 13 Feb 2008 22:54:14 -0500 [thread overview]
Message-ID: <200802132254.14625.paul.moore@hp.com> (raw)
In-Reply-To: <1202827199.30706.10.camel@gorn>
On Tuesday 12 February 2008 9:39:59 am Christopher J. PeBenito wrote:
> On Fri, 2008-02-08 at 16:25 -0500, paul.moore@hp.com wrote:
> > plain text document attachment (refpol-peer_perms)
> > The 2.6.25 kernel will introduce a new set of labeled networking controls
> > to SELinux and this patch makes the necessary changes to the Reference
> > Policy to support unlabeled network traffic with the new controls.
>
> The corenetwork part is missing changes in the cornetwork.if.m4 file.
> Thats where the interfaces generated by a network_(node|interface)() are
> generated.
Okay, I'll look into fixing that part up.
> I'm not so sure about the kernel interface changes. The docs probably
> should be revised, its more about using sockets whose types have been
> invalidated. It doesn't have anything to do with unlabeled networking.
Hmmm, okay. Do you have a suggestion for how to add these new allow rules? A
new interface? I would need to go check again, but these seemed to be the
most logical of the existing interfaces when I made the change (and I suspect
not much has changed in this area).
> > A description of the new/improved labeled networking controls was posted
> > to the SELinux list back in early January 2008.
> >
> > * http://marc.info/?l=selinux&m=119991234501200&w=2
> >
> > ---
> > policy/modules/kernel/corenetwork.if.in | 24 ++++++++++++------------
> > policy/modules/kernel/kernel.if | 6 ++++++
> > policy/modules/kernel/kernel.te | 3 +++
> > 3 files changed, 21 insertions(+), 12 deletions(-)
> >
> > Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> > ===================================================================
> > --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> > @@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_
> > type netif_t;
> > ')
> >
> > - allow $1 netif_t:netif { tcp_send tcp_recv };
> > + allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
> > ')
> >
> > ########################################
> > @@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if',
> > type netif_t;
> > ')
> >
> > - allow $1 netif_t:netif udp_send;
> > + allow $1 netif_t:netif { udp_send egress };
> > ')
> >
> > ########################################
> > @@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_ge
> > type netif_t;
> > ')
> >
> > - dontaudit $1 netif_t:netif udp_send;
> > + dontaudit $1 netif_t:netif { udp_send egress };
> > ')
> >
> > ########################################
> > @@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_i
> > type netif_t;
> > ')
> >
> > - allow $1 netif_t:netif udp_recv;
> > + allow $1 netif_t:netif { udp_recv ingress };
> > ')
> >
> > ########################################
> > @@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive
> > type netif_t;
> > ')
> >
> > - dontaudit $1 netif_t:netif udp_recv;
> > + dontaudit $1 netif_t:netif { udp_recv ingress };
> > ')
> >
> > ########################################
> > @@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if',
> > type netif_t;
> > ')
> >
> > - allow $1 netif_t:netif rawip_send;
> > + allow $1 netif_t:netif { rawip_send egress };
> > ')
> >
> > ########################################
> > @@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_i
> > type netif_t;
> > ')
> >
> > - allow $1 netif_t:netif rawip_recv;
> > + allow $1 netif_t:netif { rawip_recv ingress };
> > ')
> >
> > ########################################
> > @@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_
> > type node_t;
> > ')
> >
> > - allow $1 node_t:node { tcp_send tcp_recv };
> > + allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
> > ')
> >
> > ########################################
> > @@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node
> > type node_t;
> > ')
> >
> > - allow $1 node_t:node udp_send;
> > + allow $1 node_t:node { udp_send sendto };
> > ')
> >
> > ########################################
> > @@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_n
> > type node_t;
> > ')
> >
> > - allow $1 node_t:node udp_recv;
> > + allow $1 node_t:node { udp_recv recvfrom };
> > ')
> >
> > ########################################
> > @@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node
> > type node_t;
> > ')
> >
> > - allow $1 node_t:node rawip_send;
> > + allow $1 node_t:node { rawip_send sendto };
> > ')
> >
> > ########################################
> > @@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_n
> > type node_t;
> > ')
> >
> > - allow $1 node_t:node rawip_recv;
> > + allow $1 node_t:node { rawip_recv recvfrom };
> > ')
> >
> > ########################################
> > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if
> > ===================================================================
> > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if
> > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.if
> > @@ -2314,6 +2314,7 @@ interface(`kernel_tcp_recvfrom_unlabeled
> > type unlabeled_t;
> > ')
> >
> > + allow $1 unlabeled_t:peer recv;
> > allow $1 unlabeled_t:tcp_socket recvfrom;
> > ')
> >
> > @@ -2343,6 +2344,7 @@ interface(`kernel_dontaudit_tcp_recvfrom
> > type unlabeled_t;
> > ')
> >
> > + dontaudit $1 unlabeled_t:peer recv;
> > dontaudit $1 unlabeled_t:tcp_socket recvfrom;
> > ')
> >
> > @@ -2370,6 +2372,7 @@ interface(`kernel_udp_recvfrom_unlabeled
> > type unlabeled_t;
> > ')
> >
> > + allow $1 unlabeled_t:peer recv;
> > allow $1 unlabeled_t:udp_socket recvfrom;
> > ')
> >
> > @@ -2399,6 +2402,7 @@ interface(`kernel_dontaudit_udp_recvfrom
> > type unlabeled_t;
> > ')
> >
> > + dontaudit $1 unlabeled_t:peer recv;
> > dontaudit $1 unlabeled_t:udp_socket recvfrom;
> > ')
> >
> > @@ -2426,6 +2430,7 @@ interface(`kernel_raw_recvfrom_unlabeled
> > type unlabeled_t;
> > ')
> >
> > + allow $1 unlabeled_t:peer recv;
> > allow $1 unlabeled_t:rawip_socket recvfrom;
> > ')
> >
> > @@ -2455,6 +2460,7 @@ interface(`kernel_dontaudit_raw_recvfrom
> > type unlabeled_t;
> > ')
> >
> > + dontaudit $1 unlabeled_t:peer recv;
> > dontaudit $1 unlabeled_t:rawip_socket recvfrom;
> > ')
> >
> > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
> > ===================================================================
> > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
> > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
> > @@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton;
> > # connections with invalidated labels:
> > allow kernel_t unlabeled_t:packet send;
> >
> > +# Forwarded traffic
> > +allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
> > +
> > corenet_all_recvfrom_unlabeled(kernel_t)
> > corenet_all_recvfrom_netlabel(kernel_t)
> > # Kernel-generated traffic e.g., ICMP replies:
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-02-14 3:54 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-08 21:25 [PATCH 0/4] Reference Policy patches for the new labeled networking code in 2.6.25 paul.moore
2008-02-08 21:25 ` [PATCH 1/4] REFPOL: Add "rogue" Fedora packet class permissions paul.moore
2008-02-12 14:35 ` Christopher J. PeBenito
2008-02-08 21:25 ` [PATCH 2/4] REFPOL: Add forwarding permissions to the packet object class paul.moore
2008-02-12 14:36 ` Christopher J. PeBenito
2008-02-08 21:25 ` [PATCH 3/4] REFPOL: Remove the unlabeled_t SECMARK policy in kernel_sendrecv_unlabeled_association paul.moore
2008-02-12 14:37 ` Christopher J. PeBenito
2008-02-14 3:50 ` Paul Moore
2008-02-08 21:25 ` [PATCH 4/4] REFPOL: Add new labeled networking permissions paul.moore
2008-02-12 14:39 ` Christopher J. PeBenito
2008-02-14 3:54 ` Paul Moore [this message]
2008-02-14 14:36 ` Christopher J. PeBenito
2008-02-14 15:26 ` Paul Moore
2008-02-19 17:12 ` Paul Moore
2008-02-19 18:07 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200802132254.14625.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=cpebenito@tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.