From: Joshua Brindle <jbrindle@tresys.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Venkat Yekkirala <vyekkirala@TrustedCS.com>,
Joy Latten <latten@us.ibm.com>,
Joshua Brindle <jbrindle@tresys.com>,
selinux@tycho.nsa.gov
Subject: Re: Denials from newest kernel
Date: Fri, 06 Oct 2006 14:31:58 -0400 [thread overview]
Message-ID: <4526A11E.2060101@tresys.com> (raw)
In-Reply-To: <1160148117.12253.106.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Fri, 2006-10-06 at 11:11 -0400, Venkat Yekkirala wrote:
>
> <snip>
> More importantly:
> - We need to fix real bug (e.g. incorrect source or target context for a
> given check, incorrect set of checks applied on some operation/code
> path).
> - We need to document what the checks mean and how they are applied so
> that policy writers can understand them.
>
> Renaming them doesn't really help. Classes have always been a fairly
> artificial construct, and you can see that already in the existing
> checks prior to this work
Ok, after loading up some secmark rules (the ones from targeted in
rawhide) the packets are labeled things like httpd_client_packet_t and
httpd_server_packet_t and so on. Here are the denials I get: (this is
with no associations)
allow avahi_t self:packet recv;
#TYPE=AVC MSG= COMM="avahi-daemon" : recv
- so the packet somehow got the domain label, this was the same as the
pre-secmark case so its an expected error I think.
allow avahi_t client_packet_t:packet flow_out;
- based on the conversation this seems correct (whatever port it used
for an outgoing connection was not a port specified in refpolicy, thus
the generic client_packet_t)
allow avahi_t unlabeled_t:packet flow_out;
- So this is why I don't like the object class mixing. This could either
be the mislabeled association (expected) or an unlabled packet (which
should not happen, with the refpolicy netfilter_context all packets have
some label, the fallbacks are client_packet_t and server_packet_t)
allow client_packet_t dns_client_packet_t:packet flow_out;
#TYPE=AVC MSG= COMM="rpc.statd" : flow_out
#TYPE=AVC MSG= COMM="sshd" : flow_out
allow client_packet_t howl_client_packet_t:packet flow_out;
#TYPE=AVC MSG= COMM="avahi-daemon" : flow_out
allow client_packet_t portmap_client_packet_t:packet flow_out;
#TYPE=AVC MSG= COMM="rpc.statd" : flow_out
allow client_packet_t unlabeled_t:packet flow_out;
#TYPE=AVC MSG= COMM="avahi-daemon" : flow_out
- I don't even know what these mean. client_packet_t flowing out
dns_client_packet_t?
And some others at the bottom that have unlabeled (i assume association)
I'd like to document somewhere the set of rules (selinux policy and
other) necessary for simple things:
1) secmark rules w/ no ipsec
2) ipsec label propagation w/ no secmark (this will be useful on rhel5
since secmark will be disabled)
3) secmark and ipsec
4) the complex example with different labels on the sockets than the
domain (I don't think this is possible right now)
The security properties that this should give us: (with all options in use)
1) Bind a domain (or socket) to a packet label to specify very precisely
how a domain can communicate on the network
2) Bind a domain to a specific spd rule to specify the encryption
properties needed for said domain
3) Bind a packet type to an association (labeled via the remote socket)
to specify how packets can flow on the network (and to whom)
4) Bind a domain to an association (labeled via the remote socket) to
specify how domains on remote machines can interact
All together this allows a very precise definition of both local network
access and domain interaction between machines, which is very good :).
Now if we can tell people how to accomplish this we all win, I'm still
trying to fight through how to accomplish this. I'm posting this to
ensure that my impression of the capabilities that should be present is
accurate before I start lying to people :)
----
allow cupsd_t dns_client_packet_t:packet flow_out;
#TYPE=AVC MSG= COMM="cupsd" : flow_out
allow dns_client_packet_t unlabeled_t:packet flow_out;
#TYPE=AVC MSG= COMM="rpc.statd" : flow_out
#TYPE=AVC MSG= COMM="cupsd" : flow_out
allow howl_client_packet_t unlabeled_t:packet flow_out;
#TYPE=AVC MSG= COMM="avahi-daemon" : flow_out
#TYPE=AVC MSG= COMM="avahi-daemon" : flow_out
allow portmap_client_packet_t unlabeled_t:packet flow_out;
#TYPE=AVC MSG= COMM="rpc.statd" : flow_out
allow portmap_t portmap_client_packet_t:packet flow_out;
#TYPE=AVC MSG= COMM="portmap" : flow_out
allow rpcd_t client_packet_t:packet flow_out;
#TYPE=AVC MSG= COMM="rpc.statd" : flow_out
allow rpcd_t dns_client_packet_t:packet flow_out;
#TYPE=AVC MSG= COMM="rpc.statd" : flow_out
allow ssh_server_packet_t self:packet flow_out;
#TYPE=AVC MSG= : flow_out
allow ssh_server_packet_t unlabeled_t:packet flow_out;
#TYPE=AVC MSG= : flow_out
allow unlabeled_t avahi_t:packet flow_in;
#TYPE=AVC MSG= COMM="avahi-daemon" : flow_in
allow unlabeled_t client_packet_t:packet flow_out;
#TYPE=AVC MSG= COMM="avahi-daemon" : flow_out
allow unlabeled_t dhcpc_server_packet_t:packet flow_in;
#TYPE=AVC MSG= : flow_in
#TYPE=AVC MSG= : flow_in
allow unlabeled_t dns_client_packet_t:packet flow_in;
#TYPE=AVC MSG= : flow_in
#TYPE=AVC MSG= : flow_in
#TYPE=AVC MSG= COMM="sshd" : flow_in
allow unlabeled_t howl_server_packet_t:packet flow_in;
#TYPE=AVC MSG= COMM="avahi-daemon" : flow_in
allow unlabeled_t ssh_server_packet_t:packet flow_in;
#TYPE=AVC MSG= : flow_in
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-10-06 18:31 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-06 15:11 Denials from newest kernel Venkat Yekkirala
2006-10-06 15:17 ` Joshua Brindle
2006-10-06 16:25 ` Stephen Smalley
2006-10-06 15:21 ` Stephen Smalley
2006-10-06 15:44 ` Joshua Brindle
2006-10-06 15:56 ` Stephen Smalley
2006-10-06 16:59 ` Karl MacMillan
2006-10-06 18:31 ` Joshua Brindle [this message]
2006-10-06 19:04 ` Joshua Brindle
-- strict thread matches above, loose matches on Subject: below --
2006-10-10 16:28 Venkat Yekkirala
2006-10-10 15:45 Venkat Yekkirala
2006-10-10 14:42 Venkat Yekkirala
2006-10-10 18:33 ` Christopher J. PeBenito
2006-10-10 19:15 ` Venkat Yekkirala
2006-10-10 19:35 ` Karl MacMillan
2006-10-10 19:56 ` Venkat Yekkirala
2006-10-12 18:51 ` Christopher J. PeBenito
2006-10-12 20:06 ` Venkat Yekkirala
2006-10-13 15:06 ` Christopher J. PeBenito
2006-10-13 21:52 ` Venkat Yekkirala
2006-10-16 12:31 ` Christopher J. PeBenito
2006-10-16 13:45 ` Venkat Yekkirala
2006-10-16 13:53 ` Christopher J. PeBenito
2006-10-16 14:16 ` Venkat Yekkirala
2006-10-16 17:26 ` Christopher J. PeBenito
2006-10-16 18:29 ` Venkat Yekkirala
2006-10-16 18:53 ` Paul Moore
2006-10-17 13:56 ` Christopher J. PeBenito
2006-10-17 17:58 ` Darrel Goeddel
2006-10-17 18:22 ` Christopher J. PeBenito
2006-10-17 19:23 ` Darrel Goeddel
2006-10-18 13:45 ` Christopher J. PeBenito
2006-10-19 15:57 ` Venkat Yekkirala
2006-10-20 12:41 ` Christopher J. PeBenito
2006-10-23 17:42 ` Venkat Yekkirala
2006-10-24 0:44 ` Christopher J. PeBenito
2006-10-13 22:42 ` Paul Moore
2006-10-14 1:00 ` Venkat Yekkirala
2006-10-14 12:13 ` Paul Moore
2006-10-14 19:50 ` Venkat Yekkirala
2006-10-14 20:41 ` Paul Moore
2006-10-14 20:58 ` James Morris
2006-10-14 23:01 ` Venkat Yekkirala
2006-10-16 13:16 ` Christopher J. PeBenito
2006-10-16 14:11 ` Venkat Yekkirala
2006-10-14 7:36 ` James Morris
2006-10-14 12:18 ` Paul Moore
2006-10-14 20:10 ` Venkat Yekkirala
2006-10-10 20:05 ` Christopher J. PeBenito
2006-10-11 14:04 ` Venkat Yekkirala
2006-10-12 7:19 ` James Morris
2006-10-10 14:18 Venkat Yekkirala
2006-10-10 14:42 ` Christopher J. PeBenito
2006-10-09 23:40 Venkat Yekkirala
2006-10-10 0:10 ` Joshua Brindle
2006-10-10 14:07 ` Christopher J. PeBenito
2006-10-10 15:55 ` Joshua Brindle
2006-10-06 21:34 Venkat Yekkirala
2006-10-06 21:17 Venkat Yekkirala
2006-10-09 14:03 ` Joshua Brindle
2006-10-06 21:15 Venkat Yekkirala
2006-10-06 21:31 ` Paul Moore
2006-10-06 20:05 Venkat Yekkirala
2006-10-06 19:43 Venkat Yekkirala
2006-10-06 14:23 Venkat Yekkirala
2006-10-06 14:50 ` Joshua Brindle
2006-10-06 13:45 Venkat Yekkirala
2006-10-06 13:55 ` Joshua Brindle
2006-10-06 14:39 ` Paul Moore
2006-10-06 13:31 Joshua Brindle
2006-10-06 17:32 ` James Morris
2006-10-06 18:41 ` Steve G
2006-10-06 19:50 ` James Morris
2006-10-06 19:56 ` Joshua Brindle
2006-10-06 20:13 ` Christopher J. PeBenito
2006-10-06 19:02 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4526A11E.2060101@tresys.com \
--to=jbrindle@tresys.com \
--cc=latten@us.ibm.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.