* MLSXFRM-v02: Add support to serefpolicy
From: Venkat Yekkirala @ 2006-09-01 13:47 UTC (permalink / raw)
  To: selinux; +Cc: sds, cpebenito

This patch adds a polmatch avperm to arbitrate flow/state's access to
an xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

I am submitting the below limited patch pending a comprehensive patch from
Joy Latten at IBM (latten@austin.ibm.com).

I am not sure if I needed to manually do a "make tolib" in the flask subdir
and submit the results as well. Please let me know if I needed to.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---

--- serefpolicy-2.3.2.vanilla/policy/mls	2006-07-09 04:51:24.000000000 -0500
+++ serefpolicy-2.3.2/policy/mls	2006-07-29 11:48:50.000000000 -0500
@@ -668,7 +668,19 @@ mlsconstrain xinput { setattr relabelinp
 # MLS policy for the association class
 #
 
-# these access vectors have no MLS restrictions
-# association *
+mlsconstrain association { recvfrom }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ) or
+	 ( t2 == unlabeled_t ));
+
+mlsconstrain association { sendto }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 ( t2 == unlabeled_t ));
+
+mlsconstrain association { polmatch }
+	((( l1 dom l2 ) and ( h1 domby h2 )) or
+	 ( t2 == unlabeled_t ));
+
 
 ') dnl end enable_mls
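Review bot: the removed comment (`# these access vectors have no MLS restrictions` / `# association *`) gets no replacement, so nothing in this block now records that `setcontext` stays unconstrained under MLS; keep a line such as `# association setcontext has no MLS restrictions` above the new rules. The `( t2 == unlabeled_t )` disjunct in all three constraints hardcodes a type where the neighbouring terms match on attributes (`mlsnetreadtoclr`, `mlsnetread`); an attribute placed on `unlabeled_t` would let the exception be widened or dropped later without editing the constraints. The trailing added `+` empty line also leaves two blank lines before `') dnl end enable_mls`.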
--- serefpolicy-2.3.2.vanilla/policy/flask/access_vectors	2006-07-09 04:51:24.000000000 -0500
+++ serefpolicy-2.3.2/policy/flask/access_vectors	2006-07-29 12:08:31.000000000 -0500
@@ -603,6 +603,7 @@ class association
 	sendto
 	recvfrom
 	setcontext
+	polmatch
 }
 
 # Updated Netlink class for KOBJECT_UEVENT family.
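Review bot: `polmatch` is appended after `setcontext`, which keeps the existing access-vector bit positions stable, but the patch carries no TE rule granting `association polmatch` to any domain and the description does not say where such rules come from; state whether the pending comprehensive patch supplies them, since a kernel that performs this check denies the lookups it arbitrates until policy allows them. The description also leaves open whether regenerated flask output (`make tolib`) should accompany this change; the answer belongs in the patch description so that the access vector and the generated headers stay in sync.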

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
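To make the three constraints in the patch concrete, the following evaluator (added here, not part of the thread or of refpolicy) models `dom`/`domby` over sensitivity-plus-category levels and the `t2 == unlabeled_t` exception the cover letter describes; the sample contexts, type names and attribute names at the bottom are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity number plus a category set."""
    sens: int
    cats: frozenset = frozenset()

    def dom(self, other):
        # "l1 dom l2": higher-or-equal sensitivity and a superset of categories
        return self.sens >= other.sens and other.cats <= self.cats

    def domby(self, other):
        return other.dom(self)

@dataclass(frozen=True)
class Ctx:
    """A security context reduced to what the constraints inspect."""
    type: str
    low: Level
    high: Level
    attrs: frozenset = frozenset()  # type attributes such as mlsnetread

    def has(self, name):
        # "t1 == mlsnetread" in policy matches a type or any attribute it carries
        return name == self.type or name in self.attrs

def association_allowed(perm, src, tgt):
    """Evaluate the patch's mlsconstrain rules: src is the socket/flow
    (l1/h1/t1), tgt the xfrm state or policy (l2/h2/t2)."""
    l1, h1, l2, h2 = src.low, src.high, tgt.low, tgt.high
    unlabeled = tgt.has("unlabeled_t")  # the exception the cover letter describes
    if perm == "recvfrom":
        return ((l1.dom(l2) and l1.domby(h2))
                or (src.has("mlsnetreadtoclr") and h1.dom(l2))
                or src.has("mlsnetread") or unlabeled)
    if perm == "sendto":
        return (l1.dom(l2) and l1.domby(h2)) or unlabeled
    if perm == "polmatch":
        # the socket's whole range must sit inside the policy's range
        return (l1.dom(l2) and h1.domby(h2)) or unlabeled
    raise ValueError(f"unknown association permission: {perm}")

# Constructed sample contexts (not taken from the thread).
SOCK = Ctx("user_t", Level(1, frozenset({0})), Level(3, frozenset({0, 1, 2})))
SA_IN_RANGE = Ctx("ipsec_spd_t", Level(1, frozenset({0})), Level(2, frozenset({0, 1})))
SA_HIGH = Ctx("ipsec_spd_t", Level(2, frozenset({0, 1})), Level(2, frozenset({0, 1})))
SA_UNLABELED = Ctx("unlabeled_t", Level(0), Level(15, frozenset(range(16))))
READER = Ctx("reader_t", SOCK.low, SOCK.high, frozenset({"mlsnetreadtoclr"}))
```

With these inputs `sendto` and `recvfrom` succeed against the in-range SA while `polmatch` fails because the socket's high level exceeds the policy's, and every permission succeeds against the unlabeled target.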

* Re: MLSXFRM-v02: Add support to serefpolicy
From: Christopher J. PeBenito @ 2006-09-01 17:08 UTC (permalink / raw)
  To: Venkat Yekkirala; +Cc: selinux, sds

On Fri, 2006-09-01 at 08:47 -0500, Venkat Yekkirala wrote:
> This patch adds a polmatch avperm to arbitrate flow/state's access to
> an xfrm policy. It also defines MLS policy for association { sendto,
> recvfrom, polmatch }.
> 
> NOTE: When an inbound packet is not using an IPSec SA, a check is performed
> between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
> MLS purposes however, the target of the check should be the MLS label taken
> from the node sid (or secmark in the new secmark world). This would present
> a severe performance overhead (to make a new sid based on the unlabeled sid
> with the MLS taken from the node sid or secmark and then using this sid as
> the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
> I have chosen to currently make an exception for unlabeled_t SAs if TE policy
> allowed it. A similar problem exists for the outbound case and it has been similarly
> handled in the policy below (by making an exception for unlabeled_t).

Merged.  I will probably add an attribute to cover the unlabeled_t
association exception (perhaps mlstrustednetobj), since we don't want
hardcoded types in the constraints.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
