[RFC 0/2] NetLabel changes for Reference policy

[RFC 0/2] NetLabel changes for Reference policy

[paul.moore]

These two patches are my first attempt at converting the policy modules Klaus
and I have been working on for NetLabel into something that could be included
in both the Reference policy and the shipping RHEL/FC policies.  While I have
done some basic testing with these changes the usefullness of the testing is
still questionable as it is using a non-standard kernel (net-2.6 still will not
boot for me).  Once the next RHEL5/lspp.52 kernel becomes available I will
redo my testing and post an updated patchset.  In the meantime, I would
appreciate it if all of the policy experts could take a look and comment on the
changes in the patches.

Thank you.

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[RFC 1/2] Reference policy: NetLabel policy additions

[paul.moore]

This patch adds basic NetLabel support to the reference policy.

---
 refpolicy/policy/modules/system/netlabel.fc |    7 ++++
 refpolicy/policy/modules/system/netlabel.if |   37 +++++++++++++++++++++++++
 refpolicy/policy/modules/system/netlabel.te |   41 ++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+)

Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.fc
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.fc
@@ -0,0 +1,7 @@
+
+########################################
+#
+# netlabel file contexts
+#
+
+/sbin/netlabelctl		--	gen_context(system_u:object_r:netlabelctl_exec_t,s0)
Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.if
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.if
@@ -0,0 +1,37 @@
+## <summary>NetLabel packet labeling</summary>
+
+########################################
+## <summary>
+##      Allow the domain to receive UDP packets via NetLabel connections.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process requesting this access.
+##      </summary>
+## </param>
+#
+interface(`netlabel_udp_recvfrom',`
+        gen_require(`
+                type unlabeled_t;
+        ')
+
+	allow $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Allow the domain to receive TCP packets via NetLabel connections.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process requesting this access.
+##      </summary>
+## </param>
+#
+interface(`netlabel_tcp_recvfrom',`
+        gen_require(`
+                type unlabeled_t;
+        ')
+
+	allow $1 unlabeled_t:tcp_socket recvfrom;
+')
Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.te
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.te
@@ -0,0 +1,41 @@
+
+policy_module(netlabel,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type netlabelctl_t;
+type netlabelctl_exec_t;
+
+domain_type(netlabelctl_t)
+domain_entry_file(netlabelctl_t,netlabelctl_exec_t)
+
+########################################
+#
+# NetLabel Local policy
+#
+
+# sending netlabel'd packets does not require a selinux privilege, however
+# receiving netlabel's packets does
+allow staff_t unlabeled_t:{ tcp_socket udp_socket } recvfrom;
+allow user_t unlabeled_t:{ tcp_socket udp_socket } recvfrom;
+
+########################################
+#
+# netlabelctl Local policy
+#
+
+# allow sysadm_t to run netlabelctl
+domain_auto_trans(sysadm_t,netlabelctl_exec_t,netlabelctl_t)
+
+# allow netlabelctl access to shared libraries
+libs_use_ld_so(netlabelctl_t)
+libs_use_shared_libs(netlabelctl_t)
+
+# allow netlabelctl fd access
+domain_use_interactive_fds(netlabelctl_t)
+
+# allow communication with kernel subsystem
+allow netlabelctl_t self:netlink_socket { create bind write read };

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 1/2] Reference policy: NetLabel policy additions

[Christopher J. PeBenito]

On Tue, 2006-10-10 at 13:15 -0400, paul.moore@hp.com wrote:
> plain text document attachment (netlabel-refpolicy_core)
> This patch adds basic NetLabel support to the reference policy.

The main problem is that there are references to types that are not
owned by this module.  These have to be changed to use interfaces that
are provided by the modules that own the types.

> +interface(`netlabel_udp_recvfrom',`
> +        gen_require(`
> +                type unlabeled_t;
> +        ')
> +
> +	allow $1 unlabeled_t:udp_socket recvfrom;
> +')

> +interface(`netlabel_tcp_recvfrom',`
> +        gen_require(`
> +                type unlabeled_t;
> +        ')
> +
> +	allow $1 unlabeled_t:tcp_socket recvfrom;
> +')

Unlabeled_t is not declared in this module, so kernel should provide
these interfaces.  To make things clearer, interfaces in corenetwork
should be added that just call the kernel interfaces.  See
corenet_non_ipsec_sendrecv() (I realize its somewhat misnamed in light
of netlabel) and kernel_sendrecv_unlabeled_association() to see what I
mean by the above.

> +# sending netlabel'd packets does not require a selinux privilege, however
> +# receiving netlabel's packets does
> +allow staff_t unlabeled_t:{ tcp_socket udp_socket } recvfrom;
> +allow user_t unlabeled_t:{ tcp_socket udp_socket } recvfrom;

Should be added to userdomain via interface.  Also, why not sysadm_t?

> +# allow sysadm_t to run netlabelctl
> +domain_auto_trans(sysadm_t,netlabelctl_exec_t,netlabelctl_t)

Also should be added to userdomain via interface.  A domtrans interface
should be added to this module.  See clock_domtrans() for an example.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 1/2] Reference policy: NetLabel policy additions

[Paul Moore]

Christopher J. PeBenito wrote:
> On Tue, 2006-10-10 at 13:15 -0400, paul.moore@hp.com wrote:
> 
>>plain text document attachment (netlabel-refpolicy_core)
>>This patch adds basic NetLabel support to the reference policy.
>  
> The main problem is that there are references to types that are not
> owned by this module.  These have to be changed to use interfaces that
> are provided by the modules that own the types.

Thanks for the comments.  I'll work on making the changes and post the updated
patches.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 1/2] Reference policy: NetLabel policy additions

[Paul Moore]

Christopher J. PeBenito wrote:
> On Tue, 2006-10-10 at 13:15 -0400, paul.moore@hp.com wrote:
>>plain text document attachment (netlabel-refpolicy_core)
>>This patch adds basic NetLabel support to the reference policy.
> 
> The main problem is that there are references to types that are not
> owned by this module.  These have to be changed to use interfaces that
> are provided by the modules that own the types.

Okay, attempt #2 ...

Index: refpolicy.lblnet/refpolicy/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ refpolicy.lblnet/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1436,6 +1436,64 @@ interface(`corenet_dontaudit_non_ipsec_s

 ########################################
 ## <summary>
+##      Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_tcp_recv_netlabel',`
+       kernel_tcp_recv_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recv_netlabel',`
+       kernel_dontaudit_tcp_recv_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_udp_recv_netlabel',`
+       kernel_udp_recv_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recv_netlabel',`
+       kernel_dontaudit_udp_recv_netlabel($1)
+')
+
+########################################
+## <summary>
 ##     Send generic client packets.
 ## </summary>
 ## <param name="domain">
Index: refpolicy.lblnet/refpolicy/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/modules/kernel/kernel.if
+++ refpolicy.lblnet/refpolicy/policy/modules/kernel/kernel.if
@@ -2205,6 +2205,108 @@ interface(`kernel_dontaudit_sendrecv_unl

 ########################################
 ## <summary>
+##      Receive TCP packets from a NetLabel connection.
+## </summary>
+## <desc>
+##     <p>
+##      Receive TCP packets from a NetLabel connection, NetLabel is an
+##      explicit packet labeling framework which implements CIPSO and
+##      similar protocols.
+##      </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_dontaudit_tcp_recv_netlabel',`
+       gen_require(`
+               type unlabeled_t;
+       ')
+
+       allow $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.
+## </summary>
+## <desc>
+##     <p>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.  NetLabel is an explicit packet labeling framework
+##      which implements CIPSO and similar protocols.
+##      </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`kernel_tcp_recv_netlabel',`
+       gen_require(`
+               type unlabeled_t;
+       ')
+
+       dontaudit $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from a NetLabel connection.
+## </summary>
+## <desc>
+##     <p>
+##      Receive UDP packets from a NetLabel connection, NetLabel is an
+##      explicit packet labeling framework which implements CIPSO and
+##      similar protocols.
+##      </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_udp_recv_netlabel',`
+       gen_require(`
+               type unlabeled_t;
+       ')
+
+       allow $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.
+## </summary>
+## <desc>
+##     <p>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.  NetLabel is an explicit packet labeling framework
+##      which implements CIPSO and similar protocols.
+##      </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`kernel_dontaudit_udp_recv_netlabel',`
+       gen_require(`
+               type unlabeled_t;
+       ')
+
+       dontaudit $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
 ##     Send and receive unlabeled packets.
 ## </summary>
 ## <desc>
Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.fc
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.fc
@@ -0,0 +1,7 @@
+
+########################################
+#
+# netlabel file contexts
+#
+
+/sbin/netlabelctl              --
gen_context(system_u:object_r:netlabelctl_exec_t,s0)
Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.if
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.if
@@ -0,0 +1,24 @@
+## <summary>NetLabel packet labeling</summary>
+
+########################################
+## <summary>
+##      Execute netlabelctl in the netlabelctl domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`netlabelctl_domtrans',`
+        gen_require(`
+                type netlabelctl_t, netlabelctl_exec_t;
+        ')
+
+        domain_auto_trans($1,netlabelctl_exec_t,netlabelctl_t)
+
+       allow $1 netlabelctl_t:fd use;
+       allow netlabelctl_t $1:fd use;
+       allow netlabelctl_t $1:fifo_file rw_file_perms;
+       allow netlabelctl_t $1:process sigchld;
+')
Index: refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.te
===================================================================
--- /dev/null
+++ refpolicy.lblnet/refpolicy/policy/modules/system/netlabel.te
@@ -0,0 +1,25 @@
+
+policy_module(netlabel,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type netlabelctl_t;
+type netlabelctl_exec_t;
+
+domain_type(netlabelctl_t)
+domain_entry_file(netlabelctl_t,netlabelctl_exec_t)
+
+########################################
+#
+# netlabelctl Local policy
+#
+
+# allow netlabelctl access to shared libraries
+libs_use_ld_so(netlabelctl_t)
+libs_use_shared_libs(netlabelctl_t)
+
+# allow communication with kernel subsystem
+allow netlabelctl_t self:netlink_socket { create bind write read };
Index: refpolicy.lblnet/refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/modules/system/userdomain.if
+++ refpolicy.lblnet/refpolicy/policy/modules/system/userdomain.if
@@ -512,6 +512,8 @@ template(`userdom_basic_networking_templ
        corenet_udp_sendrecv_all_nodes($1_t)
        corenet_tcp_sendrecv_all_ports($1_t)
        corenet_udp_sendrecv_all_ports($1_t)
+       corenet_tcp_recv_netlabel($1_t)
+       corenet_udp_recv_netlabel($1_t)
        corenet_tcp_connect_all_ports($1_t)
        corenet_sendrecv_all_client_packets($1_t)
 ')
Index: refpolicy.lblnet/refpolicy/policy/modules/system/userdomain.te
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/modules/system/userdomain.te
+++ refpolicy.lblnet/refpolicy/policy/modules/system/userdomain.te
@@ -155,10 +155,12 @@ ifdef(`strict_policy',`
                logging_read_generic_logs(secadm_t)
                userdom_dontaudit_append_staff_home_content_files(secadm_t)
                userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+               netlabelctl_domtrans(secadm_t)
        ',`
                logging_manage_audit_log(sysadm_t)
                logging_manage_audit_config(sysadm_t)
                logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
+               netlabelctl_domtrans(sysadm_t)
        ')

        tunable_policy(`allow_ptrace',`

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[RFC 2/2] Reference policy: Restrict NetLabel to same MLS label connections by default

[paul.moore]

This patch adjusts the {tcp,udp}_socket recvfrom permissions to only allow
same MLS label connections.

---
 refpolicy/policy/mls |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletion(-)

Index: refpolicy.lblnet/refpolicy/policy/mls
===================================================================
--- refpolicy.lblnet.orig/refpolicy/policy/mls
+++ refpolicy.lblnet/refpolicy/policy/mls
@@ -165,7 +165,7 @@ mlsconstrain { socket tcp_socket udp_soc
 	( h1 dom h2 );
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -181,6 +181,12 @@ mlsconstrain { socket tcp_socket udp_soc
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
+# used by netlabel to restrict normal domains to same level connections
+mlsconstrain { tcp_socket udp_socket } recvfrom
+	(( l1 eq l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
 #

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [RFC 2/2] Reference policy: Restrict NetLabel to same MLS label connections by default

[Christopher J. PeBenito]

On Tue, 2006-10-10 at 13:15 -0400, paul.moore@hp.com wrote:
> plain text document attachment (netlabel-refpolicy_mlsconstraints)
> This patch adjusts the {tcp,udp}_socket recvfrom permissions to only allow
> same MLS label connections.

Looks ok to me.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.