From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
To: selinux@tycho.nsa.gov, redhat-lspp@redhat.com
Subject: Networking policy patch
Date: Tue, 03 Oct 2006 21:54:46 -0500
Message-ID: <45232276.2080105@trustedcs.com>

FYI- I have posted the following patches separate from this one.

1. A patch to address the "leask" issue. Once verified, it needs
   to be rolled in with James' patch and sent on after verification.

2. A fix for flow_in and flow_out where we were using the unlabeled
   init sid. We would now use a new network_t with a range of (s0-s15...)
   to allow for mls traffic to flow out/in, in the absence of explicit secmark
   rules.


The following is a sample patch for networking using the new controls
in conjunction with secmark.

NOTE FOR JOSHUA: This patch also defines the constraints to force context
equality for association:sendto.

I couldn't readily figure out where to stick these in, but these would
help the system come up without any denials.

+allow domain network_t:packet { flow_in flow_out };
+auditallow domain network_t:packet { flow_in flow_out };
+allow unlabeled_t network_t:packet { flow_in flow_out };
+auditallow unlabeled_t network_t:packet { flow_in flow_out };
+allow domain domain:packet { recv };
+auditallow domain domain:packet { recv };
+allow initrc_t unlabeled_t:packet { recv };
+auditallow initrc_t unlabeled_t:packet { recv };
+allow portmap_t unlabeled_t:packet { recv };
+auditallow portmap_t unlabeled_t:packet { recv };
+allow portmap_t rpcd_t:packet { recv };
+auditallow portmap_t rpcd_t:packet { recv };
+allow hplip_t hplip_t:packet { recv };
+auditallow hplip_t hplip_t:packet { recv };
+allow hplip_t cupsd_t:packet { recv };
+auditallow hplip_t cupsd_t:packet { recv };
+allow domain unlabeled_t:packet { recv };
+auditallow domain unlabeled_t:packet { recv };
+allow avahi_t unlabeled_t:packet { recv };
+auditallow avahi_t unlabeled_t:packet { recv };
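Review bot: several of these rules are subsumed by others in the same block. `allow domain unlabeled_t:packet { recv };` already covers initrc_t, portmap_t and avahi_t (all of them domains), and `allow domain domain:packet { recv };` already covers portmap_t to rpcd_t and both hplip_t lines, so the type-specific rules and their auditallow twins can be dropped. Pairing every allow with an auditallow is fine while bringing the system up, but each auditallow line emits an audit record for every permitted packet, so they should not be carried into the final policy.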


--- serefpolicy-2.3.2.vanilla/policy/mls	2006-07-09 04:51:24.000000000 -0500
+++ serefpolicy-2.3.2/policy/mls	2006-10-03 18:45:33.000000000 -0500
@@ -668,7 +668,30 @@ mlsconstrain xinput { setattr relabelinp
 # MLS policy for the association class
 #
 
-# these access vectors have no MLS restrictions
-# association *
+mlsconstrain association { recvfrom }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ) or
+	 ( t2 == unlabeled_t ));
+
+mlsconstrain association { sendto }
+	(( l1 eq l2 ) and ( h1 eq h2 ));
+
+mlsconstrain association { polmatch }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 ( t2 == unlabeled_t ));
+
+#
+# MLS policy for the packet class
+#
+
+mlsconstrain packet { recv }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+mlsconstrain packet { flow_in flow_out }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 ( t1 == mlsnetflow ));
 
 ') dnl end enable_mls
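Review bot: the new `mlsconstrain packet { recv }` has no `( t2 == unlabeled_t )` escape, unlike the `recvfrom` and `polmatch` constraints just above it. Since `sid unlabeled` is defined at s15:c0.c255 in the kernel.te hunk, any domain whose low level is not exactly s15:c0.c255 fails `l1 eq l2` and is denied recv on unlabeled packets regardless of the `allow domain unlabeled_t:packet { recv };` TE rule; either add the escape or note that this denial is intended. The `sendto` clause `(( l1 eq l2 ) and ( h1 eq h2 ))` also deserves a comment tying it to the context-equality requirement, matching the one added in policy/constraints.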
--- serefpolicy-2.3.2.vanilla/policy/flask/access_vectors	2006-07-09 04:51:24.000000000 -0500
+++ serefpolicy-2.3.2/policy/flask/access_vectors	2006-10-03 18:45:33.000000000 -0500
@@ -617,6 +618,8 @@ class packet
 	send
 	recv
 	relabelto
+	flow_in
+	flow_out
 }
 
 class key
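Review bot: the hunk header `@@ -617,6 +618,8 @@` starts one line later on the new side than on the old side, so this diff was taken from a tree that already contains an earlier one-line addition to access_vectors that is not part of this patch; regenerate against the vanilla tree so the hunk applies cleanly. A one-line comment next to `flow_in` and `flow_out` saying which check they gate (the post_route hook described in the kernel.te comment) would also help, since the class gives no other hint.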
--- serefpolicy-2.3.2.vanilla/policy/constraints	2006-07-09 04:51:24.000000000 -0500
+++ serefpolicy-2.3.2/policy/constraints	2006-10-03 18:45:33.000000000 -0500
@@ -90,3 +90,9 @@ constrain dir_file_class_set { create re
 
 constrain socket_class_set { create relabelto relabelfrom } 
 	( u1 == u2 or t1 == can_change_object_identity );
+
+#
+# SElinux association sendto constraint:
+#
+constrain association sendto
+	( u1 == u2 and r1 == r2 and t1 == t2 );
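Review bot: the comment reads `SElinux`; it should be `SELinux`. The rule is written `constrain association sendto` without braces while the neighbouring `constrain socket_class_set { create relabelto relabelfrom }` and the new mlsconstrain rules use `{ ... }`; write `constrain association { sendto }` for consistency. The comment should also say why full context equality is wanted here, since `t1 == t2` is stricter than anything else in this file and only makes sense together with the `l1 eq l2 and h1 eq h2` MLS rule.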
--- serefpolicy-2.3.2.vanilla/policy/modules/kernel/mls.te	2006-07-09 04:51:24.000000000 -0500
+++ serefpolicy-2.3.2/policy/modules/kernel/mls.te	2006-10-03 18:45:33.000000000 -0500
@@ -20,6 +20,7 @@ attribute mlsnetwritetoclr;
 attribute mlsnetupgrade;
 attribute mlsnetdowngrade;
 attribute mlsnetrecvall;
+attribute mlsnetflow;
 
 attribute mlsipcread;
 attribute mlsipcreadtoclr;
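Review bot: `mlsnetflow` is declared without any explanation and, within this patch, is only ever assigned to kernel_t. Add a comment at the declaration stating that it exempts a domain from the range check on `packet { flow_in flow_out }` (policy/mls hunk), so later readers recognise it as a bypass attribute and grant it sparingly.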
--- serefpolicy-2.3.2.vanilla/policy/modules/kernel/kernel.te	2006-07-09 04:51:24.000000000 -0500
+++ serefpolicy-2.3.2/policy/modules/kernel/kernel.te	2006-10-03 18:58:37.000000000 -0500
@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 # 
-type kernel_t, can_load_kernmodule;
+type kernel_t, can_load_kernmodule, mlsnetflow;
 domain_base_type(kernel_t)
 mls_rangetrans_source(kernel_t)
 role system_r types kernel_t;
@@ -138,6 +138,18 @@ genfscon proc /sys/dev gen_context(syste
 type unlabeled_t;
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 
+# netmsg is now used for the unconditional (and redundant when a packet has
+# already been flow-controlled via [CONN]SECMARK) check that happens in the
+# SELinux post_route_last netfilter hook for ALL network traffic.
+# The following would need packet.flow_out access to network_t:
+# a. Any domains needing to access the network bypassing (CONN)SECMARK.
+# b. Outbound domains specified in the (CONN)SECMARK rule contexts specified
+#    via iptables. This shouldn't actually be needed (just like a packet.flow_in access
+#    of these domains to network_t isn't needed), but is currently required due to the
+#    underlying kernel implementation constraints.
+type network_t;
+sid netmsg		gen_context(system_u:object_r:network_t,s0 - s15:c0.c255)
+
 # These initial sids are no longer used, and can be removed:
 sid any_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
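Review bot: items (a) and (b) of the comment describe a limited set of domains that need packet.flow_out on network_t, but the TE rules earlier in this mail grant `allow domain network_t:packet { flow_in flow_out };` to every domain; either narrow the rule to the domains the comment names or reword the comment so the stated scope is accurate. The remark "currently required due to the underlying kernel implementation constraints" should name the specific limitation (which hook or check forces it) so the workaround can be removed once it is lifted.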
@@ -145,7 +157,6 @@ sid icmp_socket		gen_context(system_u:ob
 sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid init		gen_context(system_u:object_r:unlabeled_t,s0)
 sid kmod		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-sid netmsg		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid policy		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)

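The constraints in the patch decide, per packet, whether a process context may receive, send or flow traffic against the unlabeled and netmsg contexts. The following is an added example, not code from the mail or from the reference policy: a small Python evaluator that reimplements the `packet { recv }`, `packet { flow_in flow_out }` and `association { sendto }` clauses quoted in the hunks above and runs them over constructed contexts. The sid levels s15:c0.c255 and s0 - s15:c0.c255 come from the kernel.te hunk; the process contexts, the narrow `s0 - s5` target and the attribute table (only kernel_t holding mlsnetflow, nothing holding mlsnetread or mlsnetreadtoclr) are assumptions made for the demonstration, and it is not checkpolicy.

```python
"""Toy evaluator for the MLS and type constraints in the patch above.

Constructed example: the constraint expressions are re-expressed as Python
predicates and applied to sample contexts. It ignores everything except the
clauses quoted from the patch and is not a replacement for checkpolicy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Level = Tuple[int, FrozenSet[int]]  # (sensitivity, categories)


def parse_level(text: str) -> Level:
    """'s15:c0.c255' -> (15, {0..255}); 's3:c1,c2' -> (3, {1, 2}); 's0' -> (0, {})."""
    text = text.strip()
    sens, _, cats = text.partition(":")
    categories: Set[int] = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                       # cN.cM is an inclusive range
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def dom(a: Level, b: Level) -> bool:
    """a dom b: a's sensitivity is >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level   # l: low (current) level
    high: Level  # h: high (clearance) level; equals low for a single-level context

    @classmethod
    def parse(cls, text: str) -> "Context":
        user, role, typ, rng = text.split(":", 3)
        levels = [parse_level(p) for p in rng.split("-")]  # 's0 - s15:c0.c255' or 's0'
        return cls(user, role, typ, levels[0], levels[-1])


# Constructed attribute table. In the patch only kernel_t carries mlsnetflow;
# mlsnetread and mlsnetreadtoclr are referenced by the constraints but never
# assigned in it, so no type here holds them.
ATTRIBUTES: Dict[str, Set[str]] = {"kernel_t": {"mlsnetflow"}}


def has_attr(typ: str, attr: str) -> bool:
    return attr in ATTRIBUTES.get(typ, set())


def packet_recv(src: Context, tgt: Context) -> bool:
    """mlsconstrain packet { recv } as written in the policy/mls hunk."""
    return (src.low == tgt.low
            or (has_attr(src.type, "mlsnetreadtoclr") and dom(src.high, tgt.low))
            or has_attr(src.type, "mlsnetread"))


def packet_flow(src: Context, tgt: Context) -> bool:
    """mlsconstrain packet { flow_in flow_out }: l1 inside [l2, h2], or mlsnetflow."""
    return ((dom(src.low, tgt.low) and dom(tgt.high, src.low))
            or has_attr(src.type, "mlsnetflow"))


def association_sendto(src: Context, tgt: Context) -> bool:
    """mlsconstrain (l1 eq l2 and h1 eq h2) plus constrain (u1 == u2 and r1 == r2 and t1 == t2)."""
    mls_ok = src.low == tgt.low and src.high == tgt.high
    te_ok = (src.user, src.role, src.type) == (tgt.user, tgt.role, tgt.type)
    return mls_ok and te_ok


def evaluate_samples() -> Dict[str, bool]:
    """Run the constraints over constructed contexts; each key names one scenario."""
    unlabeled = Context.parse("system_u:object_r:unlabeled_t:s15:c0.c255")   # sid unlabeled
    network = Context.parse("system_u:object_r:network_t:s0 - s15:c0.c255")  # sid netmsg
    narrow = Context.parse("system_u:object_r:network_t:s0 - s5")            # constructed
    low = Context.parse("system_u:system_r:initrc_t:s0")                     # constructed
    mid = Context.parse("system_u:system_r:initrc_t:s3:c1,c2")               # constructed
    high = Context.parse("system_u:system_r:initrc_t:s15:c0.c255")           # constructed
    kernel = Context.parse("system_u:system_r:kernel_t:s15:c0.c255")         # constructed
    return {
        # recv on an unlabeled packet needs l1 eq s15:c0.c255 unless an attribute applies
        "low_recv_unlabeled": packet_recv(low, unlabeled),
        "high_recv_unlabeled": packet_recv(high, unlabeled),
        # any level inside network_t's range may flow in or out
        "low_flow_network": packet_flow(low, network),
        "mid_flow_network": packet_flow(mid, network),
        # a level above the target's high fails the range check unless mlsnetflow is held
        "high_flow_narrow": packet_flow(high, narrow),
        "kernel_flow_narrow": packet_flow(kernel, narrow),
        # sendto demands full context equality
        "sendto_equal": association_sendto(low, Context.parse("system_u:system_r:initrc_t:s0")),
        "sendto_level_differs": association_sendto(low, mid),
    }
```

The `low_recv_unlabeled` scenario is the case raised in the review note on the policy/mls hunk: a single-level s0 process is denied recv on an unlabeled packet because the unlabeled sid sits at s15:c0.c255 and the recv constraint has no `t2 == unlabeled_t` escape, while the same process passes `flow_out` to network_t because s0 lies inside the netmsg range.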
