* [PATCH FOR REFERENCE ONLY] MLSXFRM-v02: Add support to serefpolicy
@ 2006-07-18 17:25 ` Venkat Yekkirala
From: Venkat Yekkirala @ 2006-07-18 17:25 UTC (permalink / raw)
To: netdev, selinux; +Cc: jmorris, latten, sds, tjaeger
This patch has been included here just for reference for anyone wanting to
try the patchset in enforcing mode. It will be submitted to the serefpolicy
list later.

This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

The mlsconstrains are from myself and the rest (sample/basic pieces to get
communication going without or with unlabeled IPSec) are from Joy Latten at IBM
(latten@austin.ibm.com).
diff -urpN serefpolicy-2.2.47.orig/policy/flask/access_vectors serefpolicy-2.2.47.diff/policy/flask/access_vectors
--- serefpolicy-2.2.47.orig/policy/flask/access_vectors 2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/flask/access_vectors 2006-07-11 07:43:37.000000000 -0500
@@ -602,6 +602,7 @@ class association
sendto
recvfrom
setcontext
+ polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
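Review bot: polmatch is appended after setcontext with nothing in the hunk saying which kernel-side definition it has to agree with; kernels of this era carry the association permission bits statically, so the order here (sendto, recvfrom, setcontext, polmatch) must be identical to the one in the MLSXFRM kernel patch, and a one-line comment next to `polmatch` naming that dependency would stop a policy built from this file being loaded against a kernel that lacks the permission without anyone noticing why it fails.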
diff -urpN serefpolicy-2.2.47.orig/policy/mls serefpolicy-2.2.47.diff/policy/mls
--- serefpolicy-2.2.47.orig/policy/mls 2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/mls 2006-07-11 07:44:23.000000000 -0500
@@ -671,4 +671,18 @@ mlsconstrain xinput { setattr relabelinp
# these access vectors have no MLS restrictions
# association *
+mlsconstrain association { recvfrom }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ) or
+ ( t2 == unlabeled_t ));
+
+mlsconstrain association { sendto }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t2 == unlabeled_t ));
+
+mlsconstrain association { polmatch }
+ ((( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t2 == unlabeled_t));
+
') dnl end enable_mls
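Review bot: the two context lines `# these access vectors have no MLS restrictions` and `# association *` are now wrong, since this hunk adds constraints for three of the association permissions; drop or reword them so the file does not document the opposite of what it enforces. Two smaller points: `( t2 == unlabeled_t));` in the polmatch rule is spaced differently from `( t2 == unlabeled_t ));` in the other two, and polmatch deliberately tests `h1 domby h2` where sendto and recvfrom test `l1 domby h2` (the flow's whole range must fit inside the policy's range), which needs a comment or a reader will take it for a typo. The `t2 == unlabeled_t` escape in all three rules is the exception the cover text explains; carry that explanation into the file as a comment so it survives when the final patch is submitted without this message.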
diff -urpN serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.if serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.if
--- serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.if 2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.if 2006-07-14 04:29:32.000000000 -0500
@@ -2134,3 +2134,11 @@ interface(`kernel_dontaudit_list_all_pro
dontaudit $1 proc_type:dir list_dir_perms;
dontaudit $1 proc_type:file getattr;
')
+
+interface(`kernel_read_unlabeled_tcpsocket',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:tcp_socket { read write shutdown };
+')
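Review bot: the new interface has no documentation block, while the interfaces in kernel.if carry the `## <summary>` and `## <param name="domain">` XML comments that the refpolicy documentation build reads; add one. The name also understates what is granted: `kernel_read_unlabeled_tcpsocket` allows `{ read write shutdown }`, so either rename it to say read/write (kernel_rw_unlabeled_tcpsocket is a suggestion here, not a name from the tree) or split read and write into two interfaces so callers can request the least they need.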
diff -urpN serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.te serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.te
--- serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.te 2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.te 2006-07-14 04:28:18.000000000 -0500
@@ -332,6 +332,11 @@ optional_policy(`
ifdef(`targeted_policy',`
allow unlabeled_t self:filesystem associate;
')
+# Joy
+allow unlabeled_t self:association *;
+corenet_tcp_sendrecv_generic_if(unlabeled_t)
+corenet_tcp_sendrecv_generic_node(unlabeled_t)
+corenet_tcp_sendrecv_generic_port(unlabeled_t)
optional_policy(`
# If you load a new policy that removes active domains, processes can
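Review bot: `# Joy` is an author tag, not a description; replace it with a comment saying what these rules are for (letting traffic that has no IPsec SA, and is therefore labeled unlabeled_t by the kernel, pass the association checks). `allow unlabeled_t self:association *;` grants every association permission, including setcontext and the new polmatch, through a wildcard; list the permissions actually needed so a future addition to the class is not granted by default. Also, unlabeled_t is an object type rather than a process domain, so the three `corenet_tcp_sendrecv_generic_*` calls apply a domain-oriented interface to it; that use needs to be justified or reworked before this is submitted.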
diff -urpN serefpolicy-2.2.47.orig/policy/modules/system/unconfined.te serefpolicy-2.2.47.diff/policy/modules/system/unconfined.te
--- serefpolicy-2.2.47.orig/policy/modules/system/unconfined.te 2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/modules/system/unconfined.te 2006-07-14 04:32:33.000000000 -0500
@@ -29,6 +29,8 @@ unconfined_domain(unconfined_t)
logging_send_syslog_msg(unconfined_t)
+kernel_read_unlabeled_tcpsocket(unconfined_t)
+
ifdef(`targeted_policy',`
allow unconfined_t self:system syslog_read;
dontaudit unconfined_t self:capability sys_module;
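Review bot: `kernel_read_unlabeled_tcpsocket(unconfined_t)` is added unconditionally right after `logging_send_syslog_msg(unconfined_t)`, and the hunk header shows `unconfined_domain(unconfined_t)` already applied; add a comment stating what this extra rule grants that the unconfined domain does not (tcp_socket access on unlabeled_t objects when no IPsec SA is present, by the cover text), and consider gating it on the MLS build (`enable_mls`, the conditional the policy/mls hunk lives under) if it is only needed there.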
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
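The three mlsconstrain rules in the patch above, modelled in Python as an added illustration (this is not code from the patch, refpolicy or the kernel): it encodes dom/domby on sensitivity-plus-category levels, evaluates each rule exactly as written, and shows the unlabeled_t exception the NOTE describes and the h1-versus-l1 difference between polmatch and sendto. The type names in the sample contexts (user_t, ipsec_sa_t) are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity plus a category set, e.g. s1:c0,c1."""
    sens: int
    cats: frozenset

    def dom(self, other):
        """'self dom other': sensitivity >= and categories a superset."""
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):
        """'self domby other': the reverse relation."""
        return other.dom(self)


@dataclass(frozen=True)
class Context:
    """Type plus low/high MLS range of a socket/flow (source) or SA/policy (target)."""
    type: str
    low: Level
    high: Level


def lvl(sens, *cats):
    return Level(sens, frozenset(cats))


def ctx(type_, low, high=None):
    # A single-level context has low == high.
    return Context(type_, low, low if high is None else high)


def association_recvfrom(src, tgt):
    """mlsconstrain association { recvfrom } exactly as in the patch."""
    l1, h1, t1 = src.low, src.high, src.type
    l2, h2, t2 = tgt.low, tgt.high, tgt.type
    return ((l1.dom(l2) and l1.domby(h2))
            or (t1 == "mlsnetreadtoclr" and h1.dom(l2))
            or t1 == "mlsnetread"
            or t2 == "unlabeled_t")  # the exception the cover text describes


def association_sendto(src, tgt):
    """mlsconstrain association { sendto }: socket low level inside the SA range."""
    l1, l2, h2, t2 = src.low, tgt.low, tgt.high, tgt.type
    return (l1.dom(l2) and l1.domby(h2)) or t2 == "unlabeled_t"


def association_polmatch(src, tgt):
    """mlsconstrain association { polmatch }: the flow's whole range l1..h1 must
    fit inside the xfrm policy's range l2..h2 (note h1, not l1, in the second test)."""
    l1, h1, l2, h2, t2 = src.low, src.high, tgt.low, tgt.high, tgt.type
    return (l1.dom(l2) and h1.domby(h2)) or t2 == "unlabeled_t"


if __name__ == "__main__":
    # Constructed sample contexts; the type names are assumptions for illustration.
    sock = ctx("user_t", lvl(1, "c0"))                  # socket at s1:c0
    sa = ctx("ipsec_sa_t", lvl(0), lvl(2, "c0", "c1"))  # SA ranged s0-s2:c0,c1
    no_sa = ctx("unlabeled_t", lvl(15))                 # no IPsec SA: unlabeled sid
    flow = ctx("user_t", lvl(1), lvl(3))                # flow ranged s1-s3
    print("recvfrom s1:c0 <- s0-s2:c0,c1 :", association_recvfrom(sock, sa))     # True
    print("recvfrom s1:c0 <- unlabeled   :", association_recvfrom(sock, no_sa))  # True
    print("sendto   s1-s3 -> s0-s2       :", association_sendto(flow, sa))       # True
    print("polmatch s1-s3 vs s0-s2       :", association_polmatch(flow, sa))     # False
```

The last two lines show why the polmatch rule reads h1 rather than l1: the same s1-s3 flow passes sendto against an s0-s2 range but fails polmatch, because its high end is outside the policy's range.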
* Re: [PATCH FOR REFERENCE ONLY] MLSXFRM-v02: Add support to serefpolicy
@ 2006-09-01 12:08 ` Stephen Smalley
From: Stephen Smalley @ 2006-09-01 12:08 UTC (permalink / raw)
To: Venkat Yekkirala
Cc: Joshua Brindle, Daniel J Walsh, Christopher J. PeBenito, selinux,
jmorris, latten, tjaeger
On Tue, 2006-07-18 at 12:25 -0500, Venkat Yekkirala wrote:
> This patch has been included here just for reference for anyone wanting to
> try the patchset in enforcing mode. It will be submitted to the serefpolicy
> list later.
>
> This patch adds a polmatch avperm to arbitrate flow/state's access to
> a xfrm policy. It also defines MLS policy for association { sendto,
> recvfrom, polmatch }.
>
> NOTE: When an inbound packet is not using an IPSec SA, a check is performed
> between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
> MLS purposes however, the target of the check should be the MLS label taken
> from the node sid (or secmark in the new secmark world). This would present
> a severe performance overhead (to make a new sid based on the unlabeled sid
> with the MLS taken from the node sid or secmark and then using this sid as
> the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
> I have chosen to currently make an exception for unlabeled_t SAs if TE policy
> allowed it. A similar problem exists for the outbound case and it has been similarly
> handled in the policy below (by making an exception for unlabeled_t).
>
> The mlsconstrains are from myself and the rest (sample/basic pieces to get
> communication going without or with unlabeled IPSec) are from Joy Latten at IBM
> (latten@austin.ibm.com).
>
> diff -urpN serefpolicy-2.2.47.orig/policy/flask/access_vectors serefpolicy-2.2.47.diff/policy/flask/access_vectors
> --- serefpolicy-2.2.47.orig/policy/flask/access_vectors 2006-07-11 05:15:39.000000000 -0500
> +++ serefpolicy-2.2.47.diff/policy/flask/access_vectors 2006-07-11 07:43:37.000000000 -0500
> @@ -602,6 +602,7 @@ class association
> sendto
> recvfrom
> setcontext
> + polmatch
> }
>
> # Updated Netlink class for KOBJECT_UEVENT family.
I still don't see polmatch permission in the upstream reference policy.
Not even a definition, much less sufficient rules to allow it when
needed. So 2.6.19 or the 2.6.18 kernel with the back ported patch can't
possibly work right now for labeled networking via IPSEC, right?
> diff -urpN serefpolicy-2.2.47.orig/policy/mls serefpolicy-2.2.47.diff/policy/mls
> --- serefpolicy-2.2.47.orig/policy/mls 2006-07-11 05:15:39.000000000 -0500
> +++ serefpolicy-2.2.47.diff/policy/mls 2006-07-11 07:44:23.000000000 -0500
> @@ -671,4 +671,18 @@ mlsconstrain xinput { setattr relabelinp
> # these access vectors have no MLS restrictions
> # association *
>
> +mlsconstrain association { recvfrom }
> + ((( l1 dom l2 ) and ( l1 domby h2 )) or
> + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> + ( t1 == mlsnetread ) or
> + ( t2 == unlabeled_t ));
> +
> +mlsconstrain association { sendto }
> + ((( l1 dom l2 ) and ( l1 domby h2 )) or
> + ( t2 == unlabeled_t ));
> +
> +mlsconstrain association { polmatch }
> + ((( l1 dom l2 ) and ( h1 domby h2 )) or
> + ( t2 == unlabeled_t));
> +
> ') dnl end enable_mls
> diff -urpN serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.if serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.if
> --- serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.if 2006-07-11 05:15:39.000000000 -0500
> +++ serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.if 2006-07-14 04:29:32.000000000 -0500
> @@ -2134,3 +2134,11 @@ interface(`kernel_dontaudit_list_all_pro
> dontaudit $1 proc_type:dir list_dir_perms;
> dontaudit $1 proc_type:file getattr;
> ')
> +
> +interface(`kernel_read_unlabeled_tcpsocket',`
> + gen_require(`
> + type unlabeled_t;
> + ')
> +
> + allow $1 unlabeled_t:tcp_socket { read write shutdown };
> +')
> diff -urpN serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.te serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.te
> --- serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.te 2006-07-11 05:15:39.000000000 -0500
> +++ serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.te 2006-07-14 04:28:18.000000000 -0500
> @@ -332,6 +332,11 @@ optional_policy(`
> ifdef(`targeted_policy',`
> allow unlabeled_t self:filesystem associate;
> ')
> +# Joy
> +allow unlabeled_t self:association *;
> +corenet_tcp_sendrecv_generic_if(unlabeled_t)
> +corenet_tcp_sendrecv_generic_node(unlabeled_t)
> +corenet_tcp_sendrecv_generic_port(unlabeled_t)
>
> optional_policy(`
> # If you load a new policy that removes active domains, processes can
> diff -urpN serefpolicy-2.2.47.orig/policy/modules/system/unconfined.te serefpolicy-2.2.47.diff/policy/modules/system/unconfined.te
> --- serefpolicy-2.2.47.orig/policy/modules/system/unconfined.te 2006-07-11 05:15:39.000000000 -0500
> +++ serefpolicy-2.2.47.diff/policy/modules/system/unconfined.te 2006-07-14 04:32:33.000000000 -0500
> @@ -29,6 +29,8 @@ unconfined_domain(unconfined_t)
>
> logging_send_syslog_msg(unconfined_t)
>
> +kernel_read_unlabeled_tcpsocket(unconfined_t)
> +
> ifdef(`targeted_policy',`
> allow unconfined_t self:system syslog_read;
> dontaudit unconfined_t self:capability sys_module;
--
Stephen Smalley
National Security Agency
--
* Re: [PATCH FOR REFERENCE ONLY] MLSXFRM-v02: Add support to serefpolicy
@ 2006-09-01 13:26 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2006-09-01 13:26 UTC (permalink / raw)
To: Stephen Smalley
Cc: Venkat Yekkirala, Joshua Brindle, Daniel J Walsh, selinux,
jmorris, latten, tjaeger
On Fri, 2006-09-01 at 08:08 -0400, Stephen Smalley wrote:
> On Tue, 2006-07-18 at 12:25 -0500, Venkat Yekkirala wrote:
> > This patch has been included here just for reference for anyone wanting to
> > try the patchset in enforcing mode. It will be submitted to the serefpolicy
> > list later.
> >
> > This patch adds a polmatch avperm to arbitrate flow/state's access to
> > a xfrm policy. It also defines MLS policy for association { sendto,
> > recvfrom, polmatch }.
> >
> > NOTE: When an inbound packet is not using an IPSec SA, a check is performed
> > between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
> > MLS purposes however, the target of the check should be the MLS label taken
> > from the node sid (or secmark in the new secmark world). This would present
> > a severe performance overhead (to make a new sid based on the unlabeled sid
> > with the MLS taken from the node sid or secmark and then using this sid as
> > the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
> > I have chosen to currently make an exception for unlabeled_t SAs if TE policy
> > allowed it. A similar problem exists for the outbound case and it has been similarly
> > handled in the policy below (by making an exception for unlabeled_t).
> >
> > The mlsconstrains are from myself and the rest (sample/basic pieces to get
> > communication going without or with unlabeled IPSec) are from Joy Latten at IBM
> > (latten@austin.ibm.com).
> >
> > diff -urpN serefpolicy-2.2.47.orig/policy/flask/access_vectors serefpolicy-2.2.47.diff/policy/flask/access_vectors
> > --- serefpolicy-2.2.47.orig/policy/flask/access_vectors 2006-07-11 05:15:39.000000000 -0500
> > +++ serefpolicy-2.2.47.diff/policy/flask/access_vectors 2006-07-11 07:43:37.000000000 -0500
> > @@ -602,6 +602,7 @@ class association
> > sendto
> > recvfrom
> > setcontext
> > + polmatch
> > }
> >
> > # Updated Netlink class for KOBJECT_UEVENT family.
>
> I still don't see polmatch permission in the upstream reference policy.
> Not even a definition, much less sufficient rules to allow it when
> needed. So 2.6.19 or the 2.6.18 kernel with the back ported patch can't
> possibly work right now for labeled networking via IPSEC, right?
The top of the email said the final patch would be submitted later. I
never saw any submission. Is this the patch we want to use? Other than
the permission and MLS constraints, the other parts are questionable,
since they refer to unlabeled processes.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
* Re: [PATCH FOR REFERENCE ONLY] MLSXFRM-v02: Add support to serefpolicy
@ 2006-09-01 13:43 ` Stephen Smalley
From: Stephen Smalley @ 2006-09-01 13:43 UTC (permalink / raw)
To: Christopher J. PeBenito
Cc: Venkat Yekkirala, Joshua Brindle, Daniel J Walsh, selinux,
jmorris, latten, tjaeger
On Fri, 2006-09-01 at 09:26 -0400, Christopher J. PeBenito wrote:
> On Fri, 2006-09-01 at 08:08 -0400, Stephen Smalley wrote:
> > On Tue, 2006-07-18 at 12:25 -0500, Venkat Yekkirala wrote:
> > > This patch has been included here just for reference for anyone wanting to
> > > try the patchset in enforcing mode. It will be submitted to the serefpolicy
> > > list later.
> > >
> > > This patch adds a polmatch avperm to arbitrate flow/state's access to
> > > a xfrm policy. It also defines MLS policy for association { sendto,
> > > recvfrom, polmatch }.
> > >
> > > NOTE: When an inbound packet is not using an IPSec SA, a check is performed
> > > between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
> > > MLS purposes however, the target of the check should be the MLS label taken
> > > from the node sid (or secmark in the new secmark world). This would present
> > > a severe performance overhead (to make a new sid based on the unlabeled sid
> > > with the MLS taken from the node sid or secmark and then using this sid as
> > > the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
> > > I have chosen to currently make an exception for unlabeled_t SAs if TE policy
> > > allowed it. A similar problem exists for the outbound case and it has been similarly
> > > handled in the policy below (by making an exception for unlabeled_t).
> > >
> > > The mlsconstrains are from myself and the rest (sample/basic pieces to get
> > > communication going without or with unlabeled IPSec) are from Joy Latten at IBM
> > > (latten@austin.ibm.com).
> > >
> > > diff -urpN serefpolicy-2.2.47.orig/policy/flask/access_vectors serefpolicy-2.2.47.diff/policy/flask/access_vectors
> > > --- serefpolicy-2.2.47.orig/policy/flask/access_vectors 2006-07-11 05:15:39.000000000 -0500
> > > +++ serefpolicy-2.2.47.diff/policy/flask/access_vectors 2006-07-11 07:43:37.000000000 -0500
> > > @@ -602,6 +602,7 @@ class association
> > > sendto
> > > recvfrom
> > > setcontext
> > > + polmatch
> > > }
> > >
> > > # Updated Netlink class for KOBJECT_UEVENT family.
> >
> > I still don't see polmatch permission in the upstream reference policy.
> > Not even a definition, much less sufficient rules to allow it when
> > needed. So 2.6.19 or the 2.6.18 kernel with the back ported patch can't
> > possibly work right now for labeled networking via IPSEC, right?
>
> The top of the email said the final patch would be submitted later. I
> never saw any submission. Is this the patch we want use? Other than
> the permission and MLS constraints, the other parts are questionable,
> since they refer to unlabeled processes.
I agree that the original reference patch was neither final nor
adequate; my message is just a reminder to the relevant parties (i.e.
the TCS and IBM folks) that a final patch needs to be upstreamed if they
want this to work.
--
Stephen Smalley
National Security Agency
--