From: Paul Moore <paul.moore@hp.com>
To: Eric Paris <eparis@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Daniel J Walsh <dwalsh@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>,
SELinux <selinux@tycho.nsa.gov>,
Chad Hanson <chanson@TrustedCS.com>
Subject: Re: svirt on MLS has strange AVC.
Date: Fri, 26 Mar 2010 15:47:33 -0400 [thread overview]
Message-ID: <201003261547.33226.paul.moore@hp.com> (raw)
In-Reply-To: <1269610923.2980.51.camel@dhcp231-113.rdu.redhat.com>
On Friday 26 March 2010 09:42:03 am Eric Paris wrote:
> Thanks Paul for laying things out in a dumbed down enough way for me to
> grasp a couple things :) I now understand about 2% of what we are
> trying to accomplish with network checks. Next time I see you in person
> you better be careful because I could use about 25 more of these lessons
> to understand the fun/difficult/other parts of networking code.
:)
> On Thu, 2010-03-25 at 17:36 -0400, Paul Moore wrote:
> > Well, we
> > already have a label assigned to the client's socket and we don't want to
> > change that so we'll leave that alone
>
> Why is this a given? Seems to me there is a fundamental difference
> between a socket before connect() and a socket after connect(). Much
> the same as the (I think agreed upon) fundamental difference between a
> socket before accept() and the 'child' socket we get after accept().
The key different between the client side socket, created with socket() and
connected via connect(), and the server side child socket, created with
accept() is that we don't know the label of the other end when the client
socket is created whereas we know the label of the other end when the server
side child socket is created.
We could _relabel_ the client side socket on connect but that could be ugly
and would likely be frowned upon by the security die-hards. We would probably
also want to limit it to stream sockets as you can't really disconnect them,
although you can disconnect connected datagram sockets.
> My original wish for how things would be labeled does lead to a very,
> ummm, interesting, result. What I wanted to see and thought was the
> most logical was the following:
>
> client process: client_t:s0:c1
> server process: server_t:s0-s15:c0-c1023
>
> both are going to have to create a socket with the socket() call right?
> so we are going to end up with:
>
> client_sock: client_t:s0:c1
> server_sock: server_t:s0-s15:c0-c1023
>
> Now we have calls to connect() and accept() respectively, correct? My
> original thought on how these socks should be labeled was that we should
> now get
>
> client_sock: server_t:s0-s15:c0-c1023
> server_sock: client_t:s0:c1
A point of clarification: I think you mean "server_child_socket" above, not
the original listening server socket.
> Which clearly makes the most sense to everyone in how read/write rules
> from the application to the socket should be written and allowed.
Well, in one direction anyway; I think you are assuming a one way data flow
here. Think about what happens when the client socket receives data from the
server socket? What about when the server socket receives data from the
client socket?
> Each side would need rules like:
>
> allow client_t:s0:c1 server_t:s0-s15:c0-c1023:socket { read write }
> allow server_t:s0-s15:c0-c1023 client_t:s0:c1:socket { read write }
>
> Seems great, but you point out the logical next step which is the rules
> between the sockets themselves which would be reversed (opps, bad news
> for my world of making sense) These checks are against what? packet
> and peer?
Okay, you got the point about bi-directional traffic.
Quick and dirty pseudo-policy example (some of the classes/perms may not be
100%) for app "foo" talking to app "bar" over the network (ignores
ingress/egress and secmark controls):
# let foo_t act as a basic network client for sockets it creates
allow foo_t self:socket { create connect read write }
# let bar_t act as a basic network server for sockets it creates
allow bar_t self:socket { create listen accept read write }
# let bar_t receive network traffic from foo_t
allow bar_t foo_t:peer { recv }
> I guess the solution to this odd reversal of meanings is the old
> question you mentioned before and didn't want to bring up of: is the
> socket the endpoint or is the application the end point? As I was
> around, but ignorant/ignored those discussions, why did we end up this
> way?
Well, this is the way it was when I got here so I can't say for certain but I
believe it comes down to the fact that sockets, like any other file
descriptor, can get passed around from application to application and you want
to be sure that have the right access controls in place to prevent traffic
going somewhere it shouldn't if a socket is passed to an app with a different
label. By enforcing access controls when data is queued to a socket as well
as later when it is read from the socket we can ensure data doesn't go
somewhere it shouldn't.
I think it also makes the implementation on Linux a little easier too :)
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2010-03-26 19:47 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-22 21:44 svirt on MLS has strange AVC Daniel J Walsh
2010-03-22 23:47 ` Eric Paris
2010-03-23 11:35 ` Daniel J Walsh
2010-03-23 11:44 ` Daniel P. Berrange
2010-03-25 2:42 ` Eric Paris
2010-03-25 9:45 ` Daniel P. Berrange
2010-03-25 14:02 ` Stephen Smalley
2010-03-25 16:49 ` Paul Moore
2010-03-25 18:00 ` Daniel J Walsh
2010-03-25 18:17 ` Stephen Smalley
2010-03-25 19:02 ` Eric Paris
2010-03-25 22:06 ` Paul Moore
2010-03-25 22:09 ` Daniel P. Berrange
[not found] ` <1269612002.2980.69.camel@dhcp231-113.rdu.redhat.com>
2010-03-26 19:54 ` Paul Moore
2010-03-29 17:06 ` Eric Paris
2010-03-25 18:06 ` Stephen Smalley
2010-03-25 18:11 ` Daniel J Walsh
2010-03-25 18:19 ` Stephen Smalley
2010-03-25 18:23 ` Eric Paris
2010-03-25 18:34 ` Stephen Smalley
2010-03-25 18:45 ` Eric Paris
2010-03-25 21:36 ` Paul Moore
[not found] ` <1269610923.2980.51.camel@dhcp231-113.rdu.redhat.com>
2010-03-26 19:47 ` Paul Moore [this message]
2010-03-29 18:29 ` Eric Paris
2010-03-29 17:05 ` Eric Paris
2010-03-25 18:29 ` Eric Paris
[not found] ` <201003291600.06024.paul.moore@hp.com>
[not found] ` <4BB20E8D.7030207@redhat.com>
2010-03-30 18:07 ` Paul Moore
2010-03-30 18:20 ` Eric Paris
2010-03-30 18:23 ` Daniel J Walsh
2010-03-30 18:39 ` Paul Moore
2010-03-30 18:56 ` Paul Moore
2010-03-30 19:13 ` Daniel J Walsh
2010-03-30 19:22 ` Paul Moore
2010-03-30 19:31 ` Daniel J Walsh
2010-03-30 19:38 ` Stephen Smalley
[not found] ` <1269959533.2941.9.camel@dhcp235-240.rdu.redhat.com>
2010-03-30 18:23 ` Paul Moore
2010-03-30 19:20 ` Stephen Smalley
2010-03-30 20:17 ` Eric Paris
2010-03-30 20:23 ` Stephen Smalley
2010-03-30 20:30 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201003261547.33226.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=berrange@redhat.com \
--cc=chanson@TrustedCS.com \
--cc=dwalsh@redhat.com \
--cc=eparis@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.