From: Paul Moore <paul.moore@hp.com>
To: chanson@TrustedCS.com
Cc: refpolicy@oss.tresys.com, selinux@tycho.nsa.gov
Subject: Re: [refpolicy] [PATCH] refpolicy: Add missing network related MLSconstraints
Date: Fri, 13 Feb 2009 15:44:42 -0500 [thread overview]
Message-ID: <200902131544.42460.paul.moore@hp.com> (raw)
In-Reply-To: <170D6ABBBA770349AA49582A86FCED15BA0199@HAVOC.tcs-sec.com>
On Friday 13 February 2009 02:36:17 pm chanson@trustedcs.com wrote:
> Traditionally network objects in a MLS system are not usually subject to
> the usual privilege overrides. I would propose something like the below:
>
> mlsconstrain { netif } { egress ingress }
> ((( l1 dom l2 ) and ( l1 domby h2 )) or
> ( t1 == mlsnetflow ));
> mlsconstrain { node } { recvfrom sendto }
> ((( l1 dom l2 ) and ( l1 domby h2 )) or
> ( t1 == mlsnetflow ));
> mlsconstrain { packet } { forward_in forward_out }
> ((( l1 dom l2 ) and ( l1 domby h2 )) or
> ( t1 == mlsnetflow ));
>
> "mlsnetflow" would be a new attribute useful for special cases like
> unlabeled_t or kernel_t.
Why were network objects not subject to privilege overrides in
legacy/traditional MLS systems?
I ask because I think we are best off keeping the MLS constraints as
consistent as possible. If there is a sound reason for avoiding policy
overrides for just the network controls than perhaps we should consider
"fixing" the rest of the constraints and not just the new ones.
> > -----Original Message-----
> >
> > Add MLS constraints for several network related access
> > controls including the new ingress/egress controls and the
> > older Secmark controls. Based on the following post to the
> > SELinux Reference Policy mailing list:
> >
> > * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
> >
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
> >
> > ---
> > policy/mls | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 51 insertions(+)
> >
> > Index: refpolicy_svn_repo/policy/mls
> > ===================================================================
> > --- refpolicy_svn_repo.orig/policy/mls
> > +++ refpolicy_svn_repo/policy/mls
> > @@ -295,8 +295,59 @@ mlsconstrain { netif node } { tcp_send u
> > # these access vectors have no MLS restrictions # node enforce_dest
> >
> > +#
> > +# MLS policy for the network ingress/egress controls #
> >
> > +# the netif ingress/egress ops, the ingress permission is a "write"
> > +operation # because the subject in this particular case is
> > the remote
> > +domain which is # writing data out the network interface which is
> > +acting as the object mlsconstrain { netif } { ingress }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ) or
> > + ( t1 == unlabeled_t ));
> > +mlsconstrain { netif } { egress }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ));
> >
> > +# the node recvfrom/sendto ops, the recvfrom permission is a "write"
> > +operation # because the subject in this particular case is
> > the remote
> > +domain which is # writing data out the network node which is
> > acting as
> > +the object mlsconstrain { node } { recvfrom }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ) or
> > + ( t1 == unlabeled_t ));
> > +mlsconstrain { node } { sendto }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ));
> > +
> > +# the forward ops, the forward_in permission is a "write" operation
> > +because the # subject in this particular case is the remote domain
> > +which is writing data # to the network with a secmark label,
> > the object
> > +in this case mlsconstrain { packet } { forward_in forward_out }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ) or
> > + ( t1 == unlabeled_t ));
> > +
> > +#
> > +# MLS policy for the secmark and peer controls #
> > +
> > +# the peer/packet recv op
> > +mlsconstrain { peer packet } { recv }
> > + (( l1 dom l2 ) or
> > + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> > + ( t1 == mlsnetread ));
> >
> > #
> > # MLS policy for the process class
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: paul.moore@hp.com (Paul Moore)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] refpolicy: Add missing network related MLSconstraints
Date: Fri, 13 Feb 2009 15:44:42 -0500 [thread overview]
Message-ID: <200902131544.42460.paul.moore@hp.com> (raw)
In-Reply-To: <170D6ABBBA770349AA49582A86FCED15BA0199@HAVOC.tcs-sec.com>
On Friday 13 February 2009 02:36:17 pm chanson at trustedcs.com wrote:
> Traditionally network objects in a MLS system are not usually subject to
> the usual privilege overrides. I would propose something like the below:
>
> mlsconstrain { netif } { egress ingress }
> ((( l1 dom l2 ) and ( l1 domby h2 )) or
> ( t1 == mlsnetflow ));
> mlsconstrain { node } { recvfrom sendto }
> ((( l1 dom l2 ) and ( l1 domby h2 )) or
> ( t1 == mlsnetflow ));
> mlsconstrain { packet } { forward_in forward_out }
> ((( l1 dom l2 ) and ( l1 domby h2 )) or
> ( t1 == mlsnetflow ));
>
> "mlsnetflow" would be a new attribute useful for special cases like
> unlabeled_t or kernel_t.
Why were network objects not subject to privilege overrides in
legacy/traditional MLS systems?
I ask because I think we are best off keeping the MLS constraints as
consistent as possible. If there is a sound reason for avoiding policy
overrides for just the network controls than perhaps we should consider
"fixing" the rest of the constraints and not just the new ones.
> > -----Original Message-----
> >
> > Add MLS constraints for several network related access
> > controls including the new ingress/egress controls and the
> > older Secmark controls. Based on the following post to the
> > SELinux Reference Policy mailing list:
> >
> > * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
> >
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
> >
> > ---
> > policy/mls | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 51 insertions(+)
> >
> > Index: refpolicy_svn_repo/policy/mls
> > ===================================================================
> > --- refpolicy_svn_repo.orig/policy/mls
> > +++ refpolicy_svn_repo/policy/mls
> > @@ -295,8 +295,59 @@ mlsconstrain { netif node } { tcp_send u
> > # these access vectors have no MLS restrictions # node enforce_dest
> >
> > +#
> > +# MLS policy for the network ingress/egress controls #
> >
> > +# the netif ingress/egress ops, the ingress permission is a "write"
> > +operation # because the subject in this particular case is
> > the remote
> > +domain which is # writing data out the network interface which is
> > +acting as the object mlsconstrain { netif } { ingress }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ) or
> > + ( t1 == unlabeled_t ));
> > +mlsconstrain { netif } { egress }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ));
> >
> > +# the node recvfrom/sendto ops, the recvfrom permission is a "write"
> > +operation # because the subject in this particular case is
> > the remote
> > +domain which is # writing data out the network node which is
> > acting as
> > +the object mlsconstrain { node } { recvfrom }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ) or
> > + ( t1 == unlabeled_t ));
> > +mlsconstrain { node } { sendto }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ));
> > +
> > +# the forward ops, the forward_in permission is a "write" operation
> > +because the # subject in this particular case is the remote domain
> > +which is writing data # to the network with a secmark label,
> > the object
> > +in this case mlsconstrain { packet } { forward_in forward_out }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and (
> > l1 domby h2 )) or
> > + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1
> > domby l2 )) or
> > + ( t1 == mlsnetwrite ) or
> > + ( t1 == unlabeled_t ));
> > +
> > +#
> > +# MLS policy for the secmark and peer controls #
> > +
> > +# the peer/packet recv op
> > +mlsconstrain { peer packet } { recv }
> > + (( l1 dom l2 ) or
> > + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> > + ( t1 == mlsnetread ));
> >
> > #
> > # MLS policy for the process class
--
paul moore
linux @ hp
next prev parent reply other threads:[~2009-02-13 20:44 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-12 21:15 [PATCH] refpolicy: Add missing network related MLS constraints Paul Moore
2009-02-12 21:15 ` [refpolicy] " Paul Moore
2009-02-13 19:36 ` [refpolicy] [PATCH] refpolicy: Add missing network related MLSconstraints chanson
2009-02-13 19:36 ` chanson at TrustedCS.com
2009-02-13 20:44 ` Paul Moore [this message]
2009-02-13 20:44 ` Paul Moore
2009-02-13 21:38 ` Glenn Faden
2009-02-13 22:02 ` Paul Moore
2009-02-13 22:02 ` Paul Moore
2009-02-13 22:17 ` chanson
2009-02-13 22:17 ` chanson at TrustedCS.com
2009-02-13 23:17 ` Paul Moore
2009-02-13 23:17 ` Paul Moore
2009-02-13 23:54 ` chanson
2009-02-13 23:54 ` chanson at TrustedCS.com
2009-02-13 22:24 ` Glenn Faden
2009-02-13 23:10 ` Paul Moore
2009-02-14 2:41 ` Casey Schaufler
2009-02-16 15:18 ` chanson
2009-02-16 15:18 ` chanson at TrustedCS.com
2009-02-21 1:37 ` [refpolicy] [PATCH] refpolicy: Add missing network related MLS constraints Joe Nall
2009-02-21 1:37 ` Joe Nall
2009-02-23 17:37 ` Paul Moore
2009-02-23 17:37 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200902131544.42460.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=chanson@TrustedCS.com \
--cc=refpolicy@oss.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.