From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov
Cc: Paul Moore <paul.moore@hp.com>
Subject: [PATCH 1/1] REFPOL: Add new labeled networking permissions
Date: Thu, 22 May 2008 17:32:53 -0400	[thread overview]
Message-ID: <20080522213520.152108259@hp.com> (raw)
In-Reply-To: 20080522213252.557433869@hp.com

The 2.6.25 kernel introduced a new set of labeled networking controls to
SELinux and this patch makes the necessary changes to the Reference Policy to
support unlabeled network traffic with the new controls.

A description of the new/improved labeled networking controls was posted to
the SELinux list back in early January 2008.

 * http://marc.info/?l=selinux&m=119991234501200&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/kernel/corenetwork.if.in |   80 ++++++++++++++++++++------------
 policy/modules/kernel/corenetwork.if.m4 |   20 ++++----
 policy/modules/kernel/kernel.if         |   56 ++++++++++++++++++++++
 policy/modules/kernel/kernel.te         |    3 +
 4 files changed, 119 insertions(+), 40 deletions(-)

Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
@@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif { tcp_send tcp_recv };
+	allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
 ')
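Review bot: The new egress/ingress permissions are added alongside the existing tcp_send/tcp_recv rather than replacing them, and nothing in the interface body says why both sets stay; from the cover text this looks like a transition for kernels older than 2.6.25 that still enforce the per-protocol netif checks, but that is inferred. A one-line why-comment above the rule would spare the next maintainer the archaeology, e.g. `# egress/ingress are the 2.6.25 netif checks; tcp_send/tcp_recv are kept for older kernels`. The same applies to every other netif and node hunk in this file, from corenet_udp_send_generic_if through corenet_raw_receive_all_nodes, where the node rules pair sendto/recvfrom with the legacy permissions, and to the templates in corenetwork.if.m4. The header and documentation of corenet_tcp_sendrecv_generic_if lie above the hunk.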
 
 ########################################
@@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if',
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif udp_send;
+	allow $1 netif_t:netif { udp_send egress };
 ')
 
 ########################################
@@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_ge
 		type netif_t;
 	')
 
-	dontaudit $1 netif_t:netif udp_send;
+	dontaudit $1 netif_t:netif { udp_send egress };
 ')
 
 ########################################
@@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_i
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif udp_recv;
+	allow $1 netif_t:netif { udp_recv ingress };
 ')
 
 ########################################
@@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive
 		type netif_t;
 	')
 
-	dontaudit $1 netif_t:netif udp_recv;
+	dontaudit $1 netif_t:netif { udp_recv ingress };
 ')
 
 ########################################
@@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if',
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif rawip_send;
+	allow $1 netif_t:netif { rawip_send egress };
 ')
 
 ########################################
@@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_i
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif rawip_recv;
+	allow $1 netif_t:netif { rawip_recv ingress };
 ')
 
 ########################################
@@ -328,7 +328,7 @@ interface(`corenet_tcp_sendrecv_all_if',
 		attribute netif_type;
 	')
 
-	allow $1 netif_type:netif { tcp_send tcp_recv };
+	allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
 ')
 
 ########################################
@@ -346,7 +346,7 @@ interface(`corenet_udp_send_all_if',`
 		attribute netif_type;
 	')
 
-	allow $1 netif_type:netif udp_send;
+	allow $1 netif_type:netif { udp_send egress };
 ')
 
 ########################################
@@ -364,7 +364,7 @@ interface(`corenet_udp_receive_all_if',`
 		attribute netif_type;
 	')
 
-	allow $1 netif_type:netif udp_recv;
+	allow $1 netif_type:netif { udp_recv ingress };
 ')
 
 ########################################
@@ -397,7 +397,7 @@ interface(`corenet_raw_send_all_if',`
 		attribute netif_type;
 	')
 
-	allow $1 netif_type:netif rawip_send;
+	allow $1 netif_type:netif { rawip_send egress };
 ')
 
 ########################################
@@ -415,7 +415,7 @@ interface(`corenet_raw_receive_all_if',`
 		attribute netif_type;
 	')
 
-	allow $1 netif_type:netif rawip_recv;
+	allow $1 netif_type:netif { rawip_recv ingress };
 ')
 
 ########################################
@@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_
 		type node_t;
 	')
 
-	allow $1 node_t:node { tcp_send tcp_recv };
+	allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
 ')
 
 ########################################
@@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node
 		type node_t;
 	')
 
-	allow $1 node_t:node udp_send;
+	allow $1 node_t:node { udp_send sendto };
 ')
 
 ########################################
@@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_n
 		type node_t;
 	')
 
-	allow $1 node_t:node udp_recv;
+	allow $1 node_t:node { udp_recv recvfrom };
 ')
 
 ########################################
@@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node
 		type node_t;
 	')
 
-	allow $1 node_t:node rawip_send;
+	allow $1 node_t:node { rawip_send sendto };
 ')
 
 ########################################
@@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_n
 		type node_t;
 	')
 
-	allow $1 node_t:node rawip_recv;
+	allow $1 node_t:node { rawip_recv recvfrom };
 ')
 
 ########################################
@@ -604,7 +604,7 @@ interface(`corenet_tcp_sendrecv_all_node
 		attribute node_type;
 	')
 
-	allow $1 node_type:node { tcp_send tcp_recv };
+	allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
 ')
 
 ########################################
@@ -622,7 +622,7 @@ interface(`corenet_udp_send_all_nodes',`
 		attribute node_type;
 	')
 
-	allow $1 node_type:node udp_send;
+	allow $1 node_type:node { udp_send sendto };
 ')
 
 ########################################
@@ -641,7 +641,7 @@ interface(`corenet_dontaudit_udp_send_al
 		attribute node_type;
 	')
 
-	dontaudit $1 node_type:node udp_send;
+	dontaudit $1 node_type:node { udp_send sendto };
 ')
 
 ########################################
@@ -659,7 +659,7 @@ interface(`corenet_udp_receive_all_nodes
 		attribute node_type;
 	')
 
-	allow $1 node_type:node udp_recv;
+	allow $1 node_type:node { udp_recv recvfrom };
 ')
 
 ########################################
@@ -678,7 +678,7 @@ interface(`corenet_dontaudit_udp_receive
 		attribute node_type;
 	')
 
-	dontaudit $1 node_type:node udp_recv;
+	dontaudit $1 node_type:node { udp_recv recvfrom };
 ')
 
 ########################################
@@ -727,7 +727,7 @@ interface(`corenet_raw_send_all_nodes',`
 		attribute node_type;
 	')
 
-	allow $1 node_type:node rawip_send;
+	allow $1 node_type:node { rawip_send sendto };
 ')
 
 ########################################
@@ -745,7 +745,7 @@ interface(`corenet_raw_receive_all_nodes
 		attribute node_type;
 	')
 
-	allow $1 node_type:node rawip_recv;
+	allow $1 node_type:node { rawip_recv recvfrom };
 ')
 
 ########################################
@@ -1737,6 +1737,7 @@ interface(`corenet_tcp_recvfrom_netlabel
 		type netlabel_peer_t;
 	')
 
+	allow $1 netlabel_peer_t:peer recv;
 	allow $1 netlabel_peer_t:tcp_socket recvfrom;
 ')
 
@@ -1752,6 +1753,7 @@ interface(`corenet_tcp_recvfrom_netlabel
 #
 interface(`corenet_tcp_recvfrom_unlabeled',`
 	kernel_tcp_recvfrom_unlabeled($1)
+	kernel_recvfrom_unlabeled_peer($1)
 
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
@@ -1791,6 +1793,7 @@ interface(`corenet_dontaudit_tcp_recvfro
 		type netlabel_peer_t;
 	')
 
+	dontaudit $1 netlabel_peer_t:peer recv;
 	dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
 ')
 
@@ -1807,6 +1810,7 @@ interface(`corenet_dontaudit_tcp_recvfro
 #
 interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
 	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+	kernel_dontaudit_recvfrom_unlabeled_peer($1)
 
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
@@ -1844,6 +1848,7 @@ interface(`corenet_udp_recvfrom_netlabel
 		type netlabel_peer_t;
 	')
 
+	allow $1 netlabel_peer_t:peer recv;
 	allow $1 netlabel_peer_t:udp_socket recvfrom;
 ')
 
@@ -1859,6 +1864,7 @@ interface(`corenet_udp_recvfrom_netlabel
 #
 interface(`corenet_udp_recvfrom_unlabeled',`
 	kernel_udp_recvfrom_unlabeled($1)
+	kernel_recvfrom_unlabeled_peer($1)
 
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
@@ -1898,6 +1904,7 @@ interface(`corenet_dontaudit_udp_recvfro
 		type netlabel_peer_t;
 	')
 
+	dontaudit $1 netlabel_peer_t:peer recv;
 	dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
 ')
 
@@ -1914,6 +1921,7 @@ interface(`corenet_dontaudit_udp_recvfro
 #
 interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
 	kernel_dontaudit_udp_recvfrom_unlabeled($1)
+	kernel_dontaudit_recvfrom_unlabeled_peer($1)
 
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
@@ -1951,6 +1959,7 @@ interface(`corenet_raw_recvfrom_netlabel
 		type netlabel_peer_t;
 	')
 
+	allow $1 netlabel_peer_t:peer recv;
 	allow $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
 
@@ -1966,6 +1975,7 @@ interface(`corenet_raw_recvfrom_netlabel
 #
 interface(`corenet_raw_recvfrom_unlabeled',`
 	kernel_raw_recvfrom_unlabeled($1)
+	kernel_recvfrom_unlabeled_peer($1)
 
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
@@ -2005,6 +2015,7 @@ interface(`corenet_dontaudit_raw_recvfro
 		type netlabel_peer_t;
 	')
 
+	dontaudit $1 netlabel_peer_t:peer recv;
 	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
 
@@ -2021,6 +2032,7 @@ interface(`corenet_dontaudit_raw_recvfro
 #
 interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
 	kernel_dontaudit_raw_recvfrom_unlabeled($1)
+	kernel_dontaudit_recvfrom_unlabeled_peer($1)
 
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
@@ -2042,6 +2054,7 @@ interface(`corenet_all_recvfrom_unlabele
 	kernel_tcp_recvfrom_unlabeled($1)
 	kernel_udp_recvfrom_unlabeled($1)
 	kernel_raw_recvfrom_unlabeled($1)
+	kernel_recvfrom_unlabeled_peer($1)
 
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
@@ -2064,6 +2077,7 @@ interface(`corenet_all_recvfrom_netlabel
 		type netlabel_peer_t;
 	')
 
+	allow $1 netlabel_peer_t:peer recv;
 	allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')
 
@@ -2081,6 +2095,7 @@ interface(`corenet_dontaudit_all_recvfro
 	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
 	kernel_dontaudit_udp_recvfrom_unlabeled($1)
 	kernel_dontaudit_raw_recvfrom_unlabeled($1)
+	kernel_dontaudit_recvfrom_unlabeled_peer($1)
 
 	# XXX - at some point the oubound/send access check will be removed
 	# but for right now we need to keep this in place so as not to break
@@ -2104,6 +2119,7 @@ interface(`corenet_dontaudit_all_recvfro
 		type netlabel_peer_t;
 	')
 
+	dontaudit $1 netlabel_peer_t:peer recv;
 	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')
 
@@ -2135,8 +2151,10 @@ interface(`corenet_tcp_recvfrom_labeled'
 	allow $1 $2:{ association tcp_socket } recvfrom;
 	allow $2 $1:{ association tcp_socket } recvfrom;
 
-	# Netlabel (CIPSO)-based labeled networking
-	# currently only supports MLS portion of label
+	allow $1 $2:peer recv;
+	allow $2 $1:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
 	corenet_tcp_recvfrom_netlabel($1)
 	corenet_tcp_recvfrom_netlabel($2)
 ')
@@ -2160,8 +2178,9 @@ interface(`corenet_udp_recvfrom_labeled'
 	allow $2 self:association sendto;
 	allow $1 $2:{ association udp_socket } recvfrom;
 
-	# Netlabel (CIPSO)-based labeled networking
-	# currently only supports MLS portion of label
+	allow $1 $2:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
 	corenet_udp_recvfrom_netlabel($1)
 ')
 
@@ -2184,8 +2203,9 @@ interface(`corenet_raw_recvfrom_labeled'
 	allow $2 self:association sendto;
 	allow $1 $2:{ association rawip_socket } recvfrom;
 
-	# Netlabel (CIPSO)-based labeled networking
-	# currently only supports MLS portion of label
+	allow $1 $2:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
 	corenet_raw_recvfrom_netlabel($1)
 ')
 
Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.m4
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.m4
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.m4
@@ -28,7 +28,7 @@ interface(`corenet_tcp_sendrecv_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif { tcp_send tcp_recv };
+	allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
 ')
 
 ########################################
@@ -47,7 +47,7 @@ interface(`corenet_udp_send_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif udp_send;
+	allow dollarsone $1_$2:netif { udp_send egress };
 ')
 
 ########################################
@@ -66,7 +66,7 @@ interface(`corenet_udp_receive_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif udp_recv;
+	allow dollarsone $1_$2:netif { udp_recv ingress };
 ')
 
 ########################################
@@ -101,7 +101,7 @@ interface(`corenet_raw_send_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif rawip_send;
+	allow dollarsone $1_$2:netif { rawip_send egress };
 ')
 
 ########################################
@@ -120,7 +120,7 @@ interface(`corenet_raw_receive_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif rawip_recv;
+	allow dollarsone $1_$2:netif { rawip_recv ingress };
 ')
 
 ########################################
@@ -163,7 +163,7 @@ interface(`corenet_tcp_sendrecv_$1_node'
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node { tcp_send tcp_recv };
+	allow dollarsone $1_$2:node { tcp_send tcp_recv sendto recvfrom };
 ')
 
 ########################################
@@ -182,7 +182,7 @@ interface(`corenet_udp_send_$1_node',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node udp_send;
+	allow dollarsone $1_$2:node { udp_send sendto };
 ')
 
 ########################################
@@ -201,7 +201,7 @@ interface(`corenet_udp_receive_$1_node',
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node udp_recv;
+	allow dollarsone $1_$2:node { udp_recv recvfrom };
 ')
 
 ########################################
@@ -236,7 +236,7 @@ interface(`corenet_raw_send_$1_node',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node rawip_send;
+	allow dollarsone $1_$2:node { rawip_send sendto };
 ')
 
 ########################################
@@ -255,7 +255,7 @@ interface(`corenet_raw_receive_$1_node',
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node rawip_recv;
+	allow dollarsone $1_$2:node { rawip_recv recvfrom };
 ')
 
 ########################################
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.if
@@ -2497,6 +2497,62 @@ interface(`kernel_sendrecv_unlabeled_pac
 
 ########################################
 ## <summary>
+##	Receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+##	<p>
+##	Receive packets from an unlabeled peer, these packets do not have any
+##      peer labeling information present.
+##	</p>
+##	<p>
+##	The corenetwork interface corenet_recvfrom_unlabeled_peer() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_recvfrom_unlabeled_peer',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to receive packets from an unlabeled peer,
+##      these packets do not have any peer labeling information present.
+##	</p>
+##	<p>
+##	The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
+##	should be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
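Review bot: The <desc> of kernel_recvfrom_unlabeled_peer tells callers to use `corenet_recvfrom_unlabeled_peer()` instead, but no such interface is added by this patch; the corenetwork wrappers that actually call it are corenet_tcp/udp/raw_recvfrom_unlabeled() and corenet_all_recvfrom_unlabeled(). The reference should match the wording already used in the dontaudit variant below it: `##	The corenetwork interface corenet_*_recvfrom_unlabeled() should`. Separately, the second line of each <desc> paragraph ("peer labeling information present." and "these packets do not have any peer labeling information present.") is indented with spaces where every other line in the block uses a tab, which is worth fixing before the XML doc extraction picks it up.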
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
@@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
 
+# Forwarded traffic
+allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+
 corenet_all_recvfrom_unlabeled(kernel_t)
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
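Review bot: The comment `# Forwarded traffic` on the new rule does not say which subject the forward_in/forward_out checks use, so a reader cannot tell why unlabeled_t appears as both source and target of the packet class. If I read the kernel's forwarding hook correctly the subject is the peer label of the packet and the target is the packet label, so this permits packets from unlabeled peers carrying the default packet label to be forwarded; the comment should state that, e.g. `# Forwarded traffic: forward_in/forward_out take the packet's peer label as subject, so unlabeled peers may forward unlabeled packets`. Since this is an unconditional allow on unlabeled_t it is also worth confirming in the commit text that this breadth is intended as the default rather than a placeholder.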

-- 
paul moore
linux @ hp

