* Labeled networking at the end of the day Oct 2, 2006
@ 2006-10-03 20:53 Eric Paris
From: Eric Paris @ 2006-10-03 20:53 UTC (permalink / raw)
To: selinux, redhat-lspp
Where do we stand with labeled networking today?
I published a kernel yesterday which is sorta close to having what we
need for labeled networking. This kernel includes 3 patch sets.
1) netlabel changes to audit configuration changes
2) secid reconciliation patch set (9 patches) for secmark/ipsec
3) secid reconciliation patch to include netlabel
to even be close to a usable kernel we still need
1) fix for packets intended for ipsec tunnels to not be clear text.
Venkat indicated he had his own way he wanted to solve this problem on
Monday but I did not see any updates today. This is a major problem
which must get fixed somehow, soon.
2) ipsec configuration auditing. if we can do this in policy all the
better. if not, I need a patch.
3) fix for netlabel caching race which can cause an oops. Can be worked
around by using a sysctl (see the e-mail from Paul Moore)
4) fix for netlabel correctness. In the same e-mail from Paul he
mentioned correctness issues in -v3 inside selinux-ip-postroute-last
Testing with compat-net is not going to help us. At this time I don't
believe that RHEL5 is going to ship with compat-net set (at least I
don't plan to right now)
Non-kernel code issues which must be resolved/explained
1) I also haven't heard any response to method's inquiry about the
meaning of some unlabeled_t denials namely
audit(1159877238.937:35): avc: denied { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
2) policy must be updated to include flow_in and flow_out for
unlabeled_t packets. dwalsh made a policy to at least define these
which I may put on my people page in a bit. Doesn't fix the denials,
but at least you can fix them yourself in modules. Venkat has promised
a policy patch to fix these issues. I certainly hope that will be soon.
3) policy must be updated to understand that by default traffic on the
loopback interface is going to be labeled and not unlabeled_t any more
(avahi_t I'm seeing hitting this)
Also we have at least 2 cleanups that need to be done to the labeled
networking code.
1) Patch 7/9 from the reconciliation thread should be cleaned up to
better use BUG_ON()
2) Patch 2/9 should drop polsec from the hook interface in security_ops
I think this is a pretty good outline of where we are, what is broken,
what is backported in my RHEL5 based kernel, and what needs to be
answered/cleaned up for the future. If I missed something, if you see
something else wrong, or if there is anything you can do to address any of
these points, please don't hesitate to send an e-mail.
-Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
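One way to write the policy side of items 1 to 3 above as a loadable module. This is an added example, not the policy dwalsh built or the patch Venkat promised, and it only covers type enforcement. The types unlabeled_t, unconfined_t and avahi_t are taken from the mail; the permission names (association polmatch, packet flow_in/flow_out) are the ones the secid reconciliation kernel checks. The source/target pairing is an assumption drawn from the audit record quoted above and from the avc_has_perm() calls in Paul's attached diff (packet secmark as source, unlabeled_t as target), including the assumption that with no iptables SECMARK rule the netfilter side of the flow_in check is the unlabeled SID.

```selinux
# Added example module; not from the thread's authors.
# Assumes a reference-policy development environment (policy_module and
# gen_require macros) and that the flow_in/flow_out and polmatch
# permissions already exist in the loaded policy's access vectors.
policy_module(labeled_net_local, 1.0)

gen_require(`
	type unlabeled_t;
	type unconfined_t;
	type avahi_t;
')

# Item 1: the quoted denial
#   avc: denied { polmatch } for scontext=...unlabeled_t
#        tcontext=...unconfined_t tclass=association
# i.e. an unlabeled flow being matched against an IPsec policy that
# carries an unconfined_t label.  Allow the match:
allow unlabeled_t unconfined_t:association polmatch;

# Item 2: packets that enter or leave without any label.  Assumed pairing:
# the packet's secmark (unlabeled_t) is checked against SECINITSID_UNLABELED
# for flow_out, and against the (absent) netfilter secmark for flow_in.
allow unlabeled_t unlabeled_t:packet { flow_in flow_out };

# Item 3: loopback traffic is now labeled with the sending socket's type
# instead of unlabeled_t, so a daemon talking to itself over lo needs its
# own flow rules.  avahi_t is the one the mail reports; repeat per daemon.
allow avahi_t unlabeled_t:packet { flow_in flow_out };
```

Build and load it the refpolicy way (`make -f /usr/share/selinux/devel/Makefile labeled_net_local.pp && semodule -i labeled_net_local.pp`), then re-run the traffic and feed any remaining records to audit2allow rather than widening these rules by hand. The contexts in the denial carry MLS ranges (s0-s0:c0.c255), so on an MLS-enabled RHEL5 policy the mls_* constraints on the packet and association classes may need attention as well; this module does not touch them.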
* Re: Labeled networking at the end of the day Oct 2, 2006
@ 2006-10-03 21:17 ` Paul Moore
From: Paul Moore @ 2006-10-03 21:17 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux, redhat-lspp
Eric Paris wrote:
> Where do we stand with labeled networking today?
>
> I published a kernel yesterday which is sorta close to having what we
> need for labeled networking. This kernel includes 3 patch sets.
>
> 1) netlabel changes to audit configuration changes
> 2) secid reconciliation patch set (9 patches) for secmark/ipsec
> 3) secid reconciliation patch to include netlabel
>
> to even be close to a usable kernel we still need
>
> 1) fix for packets intended for ipsec tunnels to not be clear text.
> Venkat indicated he had his own way he wanted to solve this problem on
> Monday but I did not see any updates today. This is a major problem
> which must get fixed somehow, soon.
> 2) ipsec configuration auditing. if we can do this in policy all the
> better. if not, I need a patch.
> 3) fix for netlabel caching race which can cause an oops. Can be worked
> around by using a sysctl (see the e-mail from Paul Moore)
> 4) fix for netlabel correctness. In the same e-mail from Paul he
> mentioned correctness issues in -v3 inside selinux-ip-postroute-last
Updates from the NetLabel side of the house:
I have patches for both #3 and #4 sitting on my disk. I've got a kernel
(based on the source RPMs you posted this morning) building right now
with the patch for #3, it should be done pretty soon. I want to let it
run overnight and if everything looks okay I'll post it to the lists.
The fix for patch #4 is probably just going to be a respin, i.e. "v4" of
the NetLabel secid reconciliation patch as I don't think the "v3"
version of the patch has made it into a tree yet (net-2.6 seems to be
missing?). For those who are curious attached is a diff between the
"v3" and upcoming "v4" patch. I'll post this once I have pushed out the
patch for #3 and have had time to test this.
--
paul moore
linux security @ hp
[-- Attachment #2: secid_netlabel_v3-v4.diff --]
[-- Type: text/x-patch, Size: 1724 bytes --]
diff -u net-2.6/security/selinux/hooks.c net-2.6/security/selinux/hooks.c
--- net-2.6/security/selinux/hooks.c
+++ net-2.6/security/selinux/hooks.c
@@ -3750,22 +3750,23 @@
return 1;
if (!skb->secmark) {
+ struct sk_security_struct *sksec = skb->sk->sk_security;
u32 xfrm_sid;
u32 nlbl_sid;
- err = selinux_netlbl_skb_sid(skb, skb->secmark, &nlbl_sid);
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+ err = selinux_netlbl_skb_sid(skb,
+ xfrm_sid ? xfrm_sid : sksec->sid,
+ &nlbl_sid);
if (err)
goto out;
- selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (nlbl_sid)
skb->secmark = nlbl_sid;
else if (xfrm_sid)
skb->secmark = xfrm_sid;
- else if (skb->sk) {
- struct sk_security_struct *sksec = skb->sk->sk_security;
+ else if (skb->sk)
skb->secmark = sksec->sid;
- }
}
err = avc_has_perm(skb->secmark, nf_secid, SECCLASS_PACKET,
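Review bot: the new `struct sk_security_struct *sksec = skb->sk->sk_security;` at the top of the `if (!skb->secmark)` block dereferences skb->sk unconditionally, yet the retained `else if (skb->sk)` a few lines lower still treats skb->sk as possibly NULL; for a packet with no socket this is a NULL pointer dereference before selinux_netlbl_skb_sid() is even reached. Either skb->sk is guaranteed non-NULL in this hook, in which case the `else if (skb->sk)` test is dead and should become a plain `else`, or it is not, in which case the socket SID must be looked up under the same guard, e.g. `u32 sk_sid = skb->sk ? sksec->sid : SECINITSID_UNLABELED;` with sksec only read inside `if (skb->sk)`, and that value passed as the second argument to selinux_netlbl_skb_sid().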
@@ -3920,25 +3921,24 @@
family, addrp, len);
else {
if (!skb->secmark) {
+ struct sk_security_struct *sksec =
+ skb->sk->sk_security;
u32 xfrm_sid;
u32 nlbl_sid;
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
err = selinux_netlbl_skb_sid(skb,
- skb->secmark,
- &nlbl_sid);
+ xfrm_sid ? xfrm_sid : sksec->sid,
+ &nlbl_sid);
if (err)
goto out;
- selinux_skb_xfrm_sid(skb, &xfrm_sid);
if (nlbl_sid)
skb->secmark = nlbl_sid;
else if (xfrm_sid)
skb->secmark = xfrm_sid;
- else if (skb->sk) {
- struct sk_security_struct *sksec =
- skb->sk->sk_security;
+ else if (skb->sk)
skb->secmark = sksec->sid;
- }
}
err = avc_has_perm(skb->secmark, SECINITSID_UNLABELED,
SECCLASS_PACKET, PACKET__FLOW_OUT, &ad);
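Review bot: this hunk repeats the v3 to v4 change of the previous one line for line, including the same unconditional `skb->sk->sk_security` dereference ahead of a later `else if (skb->sk)` guard, so the same NULL-socket question applies to the flow_out path. Since both hunks now carry an identical block that computes xfrm_sid, asks NetLabel for a SID seeded with `xfrm_sid ? xfrm_sid : sksec->sid`, and then picks nlbl_sid, xfrm_sid or the socket SID for skb->secmark, consider moving that selection into one static helper (e.g. a selinux_skb_secmark_from_labels(skb, &secmark) returning err) so the flow_in and flow_out hooks cannot drift apart again the way v3 did.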