[PATCH RFC 0/2] stricter MLS policy constraints

[PATCH RFC 0/2] stricter MLS policy constraints

[Klaus Weidner]

Hello,

this is a followup to a previous discussion about the MLS constraints
in the reference policy:

	http://marc.theaimsgroup.com/?l=selinux&m=116327030930738&w=2

Darrel Goeddel's explained that these MLS constraints are based on
"ranged objects" for container objects such as directories, and for
sockets, allowing writes if the subject low level is within the object's
low-high range:

	http://marc.theaimsgroup.com/?l=selinux&m=116414826605626&w=2

These ranged objects unfortunately violate the Bell-LaPadula rules, and
can lead to information leaks. For example, a low subject may be able to
see names created in a ranged directory by a higher subject. Such ranged
directories should not be needed thanks to polyinstantiation.

The following patches attempt to get the system closer to the
Bell-LaPadula model expressed in the LSPP by permitting only "write
equal" for unprivileged subjects. The old behavior is still available by
giving attributes to the subjects that need it. (LSPP accepts privileged
programs that can override the information flow rules, so these
attributes can be given fairly liberally, but the default user types must
not have them.)

Patch 1: Rename the "mlsfilewriteinrange" attribute with no functional
changes. The reason for the renaming is that this is an object attribute
(like "mlstrustedobject"), and it's confusing to use the naming scheme
usually used for subject attributes for it. It's currently only used for
the printer device object.

Patch 2: For untrusted subjects, permit write operations on ranged
objects only when the subject effective level equals the object low
level. Introduce new subject attributes "mlsfilewriteranged" and
"mlsnetwriteranged" that give these privileged subjects the right to use
the old ranged-write behavior.

I haven't prepared a patch yet to provide interfaces for setting the new
attributes - that's easy to do once we've identified subjects that need
these privileges.

The patches are very lightly tested (the policy builds, and permits
unlabeled ssh login in enforcing mode) -- can the people doing labeled
networking tests please test it?

-Klaus

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH RFC 1/2] stricter MLS policy constraints

[Klaus Weidner]

Rename the "mlsfilewriteinrange" attribute with no functional changes.
The reason for the renaming is that this is an object attribute (like
"mlstrustedobject"), and it's confusing to use the naming scheme usually
used for subject attributes for it. It's currently only used for the
printer device object.

See 0/2 message for additional explanations.

Signed-off-by: Klaus Weidner <klaus@atsec.com>

 policy/mls                       |    2 +-
 policy/modules/kernel/devices.te |    2 +-
 policy/modules/kernel/mls.if     |    8 ++++----
 policy/modules/kernel/mls.te     |    4 +++-
 4 files changed, 9 insertions(+), 7 deletions(-)

diff -ur serefpolicy-2.4.6.rh/policy/mls serefpolicy-2.4.6.cleanup/policy/mls
--- serefpolicy-2.4.6.rh/policy/mls	2006-11-29 11:04:48.000000000 -0600
+++ serefpolicy-2.4.6.cleanup/policy/mls	2006-12-06 03:26:47.000000000 -0600
@@ -89,8 +89,8 @@
 mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
 	 ( t1 == mlsfilewrite ) or
+	 (( t2 == mlsrangedobject ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
 	 ( t2 == mlstrustedobject ));
 
 mlsconstrain dir { add_name remove_name reparent rmdir }
diff -ur serefpolicy-2.4.6.rh/policy/modules/kernel/devices.te serefpolicy-2.4.6.cleanup/policy/modules/kernel/devices.te
--- serefpolicy-2.4.6.rh/policy/modules/kernel/devices.te	2006-12-06 03:11:03.000000000 -0600
+++ serefpolicy-2.4.6.cleanup/policy/modules/kernel/devices.te	2006-12-06 03:28:00.000000000 -0600
@@ -125,7 +125,7 @@
 
 type printer_device_t;
 dev_node(printer_device_t)
-mls_file_write_within_range(printer_device_t)
+mls_file_writable_within_range(printer_device_t)
 
 #
 # random_device_t is the type of /dev/random
diff -ur serefpolicy-2.4.6.rh/policy/modules/kernel/mls.if serefpolicy-2.4.6.cleanup/policy/modules/kernel/mls.if
--- serefpolicy-2.4.6.rh/policy/modules/kernel/mls.if	2006-11-29 11:04:51.000000000 -0600
+++ serefpolicy-2.4.6.cleanup/policy/modules/kernel/mls.if	2006-12-06 03:28:11.000000000 -0600
@@ -100,16 +100,16 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Object domain granting ranged access.
 ##	</summary>
 ## </param>
 #
-interface(`mls_file_write_within_range',`
+interface(`mls_file_writable_within_range',`
 	gen_require(`
-		attribute mlsfilewriteinrange;
+		attribute mlsrangedobject;
 	')
 
-	typeattribute $1 mlsfilewriteinrange;
+	typeattribute $1 mlsrangedobject;
 ')
 
 ########################################
diff -ur serefpolicy-2.4.6.rh/policy/modules/kernel/mls.te serefpolicy-2.4.6.cleanup/policy/modules/kernel/mls.te
--- serefpolicy-2.4.6.rh/policy/modules/kernel/mls.te	2006-11-29 11:04:51.000000000 -0600
+++ serefpolicy-2.4.6.cleanup/policy/modules/kernel/mls.te	2006-12-06 03:33:19.000000000 -0600
@@ -6,11 +6,11 @@
 # Declarations
 #
 
+# Subject attributes that give MLS override capabilities
 attribute mlsfileread;
 attribute mlsfilereadtoclr;
 attribute mlsfilewrite;
 attribute mlsfilewritetoclr;
-attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
 
@@ -43,6 +43,8 @@
 attribute mlsxwinwritecolormap;
 attribute mlsxwinwritexinput;
 
+# Object attributes that allow MLS overrides for access by all subjects
+attribute mlsrangedobject;
 attribute mlstrustedobject;
 
 attribute privrangetrans;

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH RFC 0/2] stricter MLS policy constraints

[Klaus Weidner]

For untrusted subjects, permit write operations on ranged
objects only when the subject effective level equals the object low
level. Introduce new subject attributes "mlsfilewriteranged" and
"mlsnetwriteranged" that give these privileged subjects the right to use
the old ranged-write behavior.

Please see 0/2 message for additional explanations.

Signed-off-by: Klaus Weidner <klaus@atsec.com>

 policy/mls                   |   13 +++++++++----
 policy/modules/kernel/mls.te |    2 ++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff -ur serefpolicy-2.4.6.cleanup/policy/mls serefpolicy-2.4.6.kw/policy/mls
--- serefpolicy-2.4.6.cleanup/policy/mls	2006-12-06 03:26:47.000000000 -0600
+++ serefpolicy-2.4.6.kw/policy/mls	2006-12-06 03:40:25.000000000 -0600
@@ -93,8 +93,10 @@
 	 (( t2 == mlsrangedobject ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
 	 ( t2 == mlstrustedobject ));
 
+# Directory "write" ops
 mlsconstrain dir { add_name remove_name reparent rmdir }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsfilewrite ) or
 	 ( t2 == mlstrustedobject ));
@@ -178,7 +180,8 @@
 
 # the socket "write" ops
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or 
+	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
@@ -274,7 +277,8 @@
 
 # the netif/node "write" ops (implicit single level socket doing the write)
 mlsconstrain { netif node } { tcp_send udp_send rawip_send }
-	(( l1 dom l2 ) and ( l1 domby h2 ));
+	(( l1 eq l2 ) or
+	(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
 
 # these access vectors have no MLS restrictions
 # node enforce_dest
@@ -581,7 +585,8 @@
 	 ( t2 == unlabeled_t ));
 
 mlsconstrain association { sendto }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or
+	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 ( t2 == unlabeled_t ));
 
 mlsconstrain association { polmatch }
diff -ur serefpolicy-2.4.6.cleanup/policy/modules/kernel/mls.te serefpolicy-2.4.6.kw/policy/modules/kernel/mls.te
--- serefpolicy-2.4.6.cleanup/policy/modules/kernel/mls.te	2006-12-06 03:34:04.000000000 -0600
+++ serefpolicy-2.4.6.kw/policy/modules/kernel/mls.te	2006-12-06 03:34:54.000000000 -0600
@@ -11,6 +11,7 @@
 attribute mlsfilereadtoclr;
 attribute mlsfilewrite;
 attribute mlsfilewritetoclr;
+attribute mlsfilewriteranged;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
 
@@ -18,6 +19,7 @@
 attribute mlsnetreadtoclr;
 attribute mlsnetwrite;
 attribute mlsnetwritetoclr;
+attribute mlsnetwriteranged;
 attribute mlsnetupgrade;
 attribute mlsnetdowngrade;
 attribute mlsnetrecvall;

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH RFC 2/2] stricter MLS policy constraints

[Klaus Weidner]

[ repost with correct subject ]

For untrusted subjects, permit write operations on ranged
objects only when the subject effective level equals the object low
level. Introduce new subject attributes "mlsfilewriteranged" and
"mlsnetwriteranged" that give these privileged subjects the right to use
the old ranged-write behavior.

Please see 0/2 message for additional explanations.

Signed-off-by: Klaus Weidner <klaus@atsec.com>

 policy/mls                   |   13 +++++++++----
 policy/modules/kernel/mls.te |    2 ++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff -ur serefpolicy-2.4.6.cleanup/policy/mls serefpolicy-2.4.6.kw/policy/mls
--- serefpolicy-2.4.6.cleanup/policy/mls	2006-12-06 03:26:47.000000000 -0600
+++ serefpolicy-2.4.6.kw/policy/mls	2006-12-06 03:40:25.000000000 -0600
@@ -93,8 +93,10 @@
 	 (( t2 == mlsrangedobject ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
 	 ( t2 == mlstrustedobject ));
 
+# Directory "write" ops
 mlsconstrain dir { add_name remove_name reparent rmdir }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsfilewrite ) or
 	 ( t2 == mlstrustedobject ));
@@ -178,7 +180,8 @@
 
 # the socket "write" ops
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or 
+	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
@@ -274,7 +277,8 @@
 
 # the netif/node "write" ops (implicit single level socket doing the write)
 mlsconstrain { netif node } { tcp_send udp_send rawip_send }
-	(( l1 dom l2 ) and ( l1 domby h2 ));
+	(( l1 eq l2 ) or
+	(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
 
 # these access vectors have no MLS restrictions
 # node enforce_dest
@@ -581,7 +585,8 @@
 	 ( t2 == unlabeled_t ));
 
 mlsconstrain association { sendto }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or
+	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 ( t2 == unlabeled_t ));
 
 mlsconstrain association { polmatch }
diff -ur serefpolicy-2.4.6.cleanup/policy/modules/kernel/mls.te serefpolicy-2.4.6.kw/policy/modules/kernel/mls.te
--- serefpolicy-2.4.6.cleanup/policy/modules/kernel/mls.te	2006-12-06 03:34:04.000000000 -0600
+++ serefpolicy-2.4.6.kw/policy/modules/kernel/mls.te	2006-12-06 03:34:54.000000000 -0600
@@ -11,6 +11,7 @@
 attribute mlsfilereadtoclr;
 attribute mlsfilewrite;
 attribute mlsfilewritetoclr;
+attribute mlsfilewriteranged;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
 
@@ -18,6 +19,7 @@
 attribute mlsnetreadtoclr;
 attribute mlsnetwrite;
 attribute mlsnetwritetoclr;
+attribute mlsnetwriteranged;
 attribute mlsnetupgrade;
 attribute mlsnetdowngrade;
 attribute mlsnetrecvall;

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH RFC 3/2] stricter MLS policy constraints

[Klaus Weidner]

On Tue, Dec 12, 2006 at 01:28:26AM -0600, Klaus Weidner wrote:
> The following patches attempt to get the system closer to the
> Bell-LaPadula model expressed in the LSPP by permitting only "write
> equal" for unprivileged subjects.

A related but separate issue is that the policy treated accept() as a
read operation, and connect() as a write operation. That's not really
appropriate since both normally return bidirectional file descriptors,
equivalent to open(..., O_RDWR). The MLS check should require equal
levels for unprivileged subjects, or read *and* write overrides.

(Yes, there's a separate constraint for recvfrom, but it simplifies
analysis if open file descriptors are already sanitized to avoid the need
for security enforcing checks on read/write.)

Signed-off-by: Klaus Weidner <klaus@atsec.com>

 policy/mls |   16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)

diff -ur serefpolicy-2.4.6.kw2/policy/mls serefpolicy-2.4.6.kw3/policy/mls
--- serefpolicy-2.4.6.kw2/policy/mls	2006-12-06 07:20:21.000000000 -0600
+++ serefpolicy-2.4.6.kw3/policy/mls	2006-12-06 07:29:35.000000000 -0600
@@ -167,8 +167,20 @@
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
 	( h1 dom h2 );
 
+# the socket "read+write" ops
+# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
+# require equal levels for unprivileged subjects, or read *and* write overrides)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+	(( l1 eq l2 ) or
+	 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	   ( t1 == mlsnetread )) and
+	  ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+	   (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	   ( t1 == mlsnetwrite ))));
+
+
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -179,7 +191,7 @@
 	 ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom setopt shutdown }
 	(( l1 eq l2 ) or 
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH RFC 0/2] stricter MLS policy constraints

[Paul Moore]

Klaus Weidner wrote:
> The patches are very lightly tested (the policy builds, and permits
> unlabeled ssh login in enforcing mode) -- can the people doing labeled
> networking tests please test it?

I did a quick test using the refpolicy from SVN and your patches; the good news
is that simple tests using netcat worked as expected and there did not appear to
be any regressions.

The bad news is that I realized we never added NetLabel receive permissions to
any of the application domains (try to telnet into a machine with NetLabel);
only the user domains have the NetLabel receive permissions.  As a result I
wasn't able to try any more elaborate tests without fixing the policy.  It will
probably take a little while to get a patch out to address this as there are a
lot of domains which need to be changed; that said I'm probably about a third of
the way through at this point.

In case anyone is interested, the policy changes boil down to the following:

 ifdef(`enable_mls',`
        corenet_tcp_recv_netlabel(app_domain_t)
        corenet_udp_recv_netlabel(app_domain_t)
 ')

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH RFC 0/2] stricter MLS policy constraints

[Klaus Weidner]

On Wed, Dec 13, 2006 at 03:50:59PM -0500, Paul Moore wrote:
> I did a quick test using the refpolicy from SVN and your patches; the good news
> is that simple tests using netcat worked as expected and there did not appear to
> be any regressions.

Glad to hear that, thanks for testing!

> The bad news is that I realized we never added NetLabel receive permissions to
> any of the application domains (try to telnet into a machine with NetLabel);
> only the user domains have the NetLabel receive permissions.  As a result I
> wasn't able to try any more elaborate tests without fixing the policy.  It will
> probably take a little while to get a patch out to address this as there are a
> lot of domains which need to be changed; that said I'm probably about a third of
> the way through at this point.
> 
> In case anyone is interested, the policy changes boil down to the following:
> 
>  ifdef(`enable_mls',`
>         corenet_tcp_recv_netlabel(app_domain_t)
>         corenet_udp_recv_netlabel(app_domain_t)
>  ')

Have you considered adding those lines to the existing interfaces in
policy/modules/kernel/corenetwork.if.in instead? For example, telnetd
currently uses corenet_tcp_sendrecv_all_if(telnetd_t), and you could make
that interface provide the needed netlabel rights also.

Do we need something equivalent for labeled IPSEC?

-Klaus

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH RFC 0/2] stricter MLS policy constraints

[Paul Moore]

Klaus Weidner wrote:
> On Wed, Dec 13, 2006 at 03:50:59PM -0500, Paul Moore wrote:
> 
>>The bad news is that I realized we never added NetLabel receive permissions to
>>any of the application domains (try to telnet into a machine with NetLabel);
>>only the user domains have the NetLabel receive permissions.  As a result I
>>wasn't able to try any more elaborate tests without fixing the policy.  It will
>>probably take a little while to get a patch out to address this as there are a
>>lot of domains which need to be changed; that said I'm probably about a third of
>>the way through at this point.
>>
>>In case anyone is interested, the policy changes boil down to the following:
>>
>> ifdef(`enable_mls',`
>>        corenet_tcp_recv_netlabel(app_domain_t)
>>        corenet_udp_recv_netlabel(app_domain_t)
>> ')
> 
> 
> Have you considered adding those lines to the existing interfaces in
> policy/modules/kernel/corenetwork.if.in instead? For example, telnetd
> currently uses corenet_tcp_sendrecv_all_if(telnetd_t), and you could make
> that interface provide the needed netlabel rights also.

I did consider doing something similar but I figured sticking with the existing
refpolicy convention was the going to be the path of least resistance and in the
"userdom_basic_networking_template" code the corenet_* NetLabel permissions are
kept separate from the rest of the corenet_* permissions.  It makes more sense
conceptually too I think.

I added Chris to the CC line as he might be able to provide some thoughts on
what he would like to see.

> Do we need something equivalent for labeled IPSEC?

I would think so, but I believe Joy said she is working on that; however, the
policy for NetLabel and labeled IPsec is radically different so labeled IPsec
may have a different approach.

With NetLabel you only need a single allow rule for each domain wishing to
receive labeled network traffic:

 allow my_domain_t unlabeled_t:{ tcp_socket udp_socket } recvfrom;

With labeled IPsec it's a bit more involved.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH RFC 0/2] stricter MLS policy constraints

[Joy Latten]

On Wed, 2006-12-13 at 16:50 -0500, Paul Moore wrote:
> Klaus Weidner wrote:
> > On Wed, Dec 13, 2006 at 03:50:59PM -0500, Paul Moore wrote:
> > 
> >>The bad news is that I realized we never added NetLabel receive permissions to
> >>any of the application domains (try to telnet into a machine with NetLabel);
> >>only the user domains have the NetLabel receive permissions.  As a result I
> >>wasn't able to try any more elaborate tests without fixing the policy.  It will
> >>probably take a little while to get a patch out to address this as there are a
> >>lot of domains which need to be changed; that said I'm probably about a third of
> >>the way through at this point.
> >>
> >>In case anyone is interested, the policy changes boil down to the following:
> >>
> >> ifdef(`enable_mls',`
> >>        corenet_tcp_recv_netlabel(app_domain_t)
> >>        corenet_udp_recv_netlabel(app_domain_t)
> >> ')
> > 
> > 
> > Have you considered adding those lines to the existing interfaces in
> > policy/modules/kernel/corenetwork.if.in instead? For example, telnetd
> > currently uses corenet_tcp_sendrecv_all_if(telnetd_t), and you could make
> > that interface provide the needed netlabel rights also.
> 
> I did consider doing something similar but I figured sticking with the existing
> refpolicy convention was the going to be the path of least resistance and in the
> "userdom_basic_networking_template" code the corenet_* NetLabel permissions are
> kept separate from the rest of the corenet_* permissions.  It makes more sense
> conceptually too I think.
> 
> I added Chris to the CC line as he might be able to provide some thoughts on
> what he would like to see.
> 
> > Do we need something equivalent for labeled IPSEC?
> 
> I would think so, but I believe Joy said she is working on that; however, the
> policy for NetLabel and labeled IPsec is radically different so labeled IPsec
> may have a different approach.
> 
> With NetLabel you only need a single allow rule for each domain wishing to
> receive labeled network traffic:
> 
>  allow my_domain_t unlabeled_t:{ tcp_socket udp_socket } recvfrom;
> 
> With labeled IPsec it's a bit more involved.
> 
Yes, it was a bit more involved for labeled IPsec. 
I have completed the policy changes required for labeled ipsec 
and it appears to be working ok so far. I will send out the
patch sometime today. I had to touch a lot of files... so it
took me a while. 

Klaus, I am in the process of patching my mls policy with
your changes and running a simple test to ensure all the
changes are working. I hope to run a stress test on 57
with the policy changes.

Regards,
Joy



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH RFC 1/2] stricter MLS policy constraints

[Christopher J. PeBenito]

On Tue, 2006-12-12 at 01:34 -0600, Klaus Weidner wrote: 
> Rename the "mlsfilewriteinrange" attribute with no functional changes.
> The reason for the renaming is that this is an object attribute (like
> "mlstrustedobject"), and it's confusing to use the naming scheme usually
> used for subject attributes for it. It's currently only used for the
> printer device object.
> 
> See 0/2 message for additional explanations.

Sorry for the late response, but its taken some time to clear out the
backlog while I was out of the office.  This patch cannot be applied
upstream because there is no compatibility for renaming the attribute.
Since modules are statically compiled, anything that happens to use this
attribute will fail to link.  The other patches seemed ok.

> -attribute mlsfilewriteinrange;
> +attribute mlsrangedobject;

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH RFC 0/2] stricter MLS policy constraints

[Christopher J. PeBenito]

On Wed, 2006-12-13 at 16:50 -0500, Paul Moore wrote:
> Klaus Weidner wrote:
> > On Wed, Dec 13, 2006 at 03:50:59PM -0500, Paul Moore wrote:
> > 
> >>The bad news is that I realized we never added NetLabel receive permissions to
> >>any of the application domains (try to telnet into a machine with NetLabel);
> >>only the user domains have the NetLabel receive permissions.  As a result I
> >>wasn't able to try any more elaborate tests without fixing the policy.  It will
> >>probably take a little while to get a patch out to address this as there are a
> >>lot of domains which need to be changed; that said I'm probably about a third of
> >>the way through at this point.
> >>
> >>In case anyone is interested, the policy changes boil down to the following:
> >>
> >> ifdef(`enable_mls',`
> >>        corenet_tcp_recv_netlabel(app_domain_t)
> >>        corenet_udp_recv_netlabel(app_domain_t)
> >> ')
> > 
> > 
> > Have you considered adding those lines to the existing interfaces in
> > policy/modules/kernel/corenetwork.if.in instead? For example, telnetd
> > currently uses corenet_tcp_sendrecv_all_if(telnetd_t), and you could make
> > that interface provide the needed netlabel rights also.
> 
> I did consider doing something similar but I figured sticking with the existing
> refpolicy convention was the going to be the path of least resistance and in the
> "userdom_basic_networking_template" code the corenet_* NetLabel permissions are
> kept separate from the rest of the corenet_* permissions.  It makes more sense
> conceptually too I think.

The thing is that we don't want to add unrelated permissions to
interfaces.  If you add extra rules, then the interface has side
effects, which is something we're trying to avoid in policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH RFC 1/2] stricter MLS policy constraints

[Klaus Weidner]

On Mon, Jan 08, 2007 at 10:47:41AM -0500, Christopher J. PeBenito wrote:
> On Tue, 2006-12-12 at 01:34 -0600, Klaus Weidner wrote: 
> > Rename the "mlsfilewriteinrange" attribute with no functional changes.
> > The reason for the renaming is that this is an object attribute (like
> > "mlstrustedobject"), and it's confusing to use the naming scheme usually
> > used for subject attributes for it. It's currently only used for the
> > printer device object.
> > 
> > See 0/2 message for additional explanations.
> 
> Sorry for the late response, but its taken some time to clear out the
> backlog while I was out of the office.  This patch cannot be applied
> upstream because there is no compatibility for renaming the attribute.
> Since modules are statically compiled, anything that happens to use this
> attribute will fail to link.  The other patches seemed ok.
> 
> > -attribute mlsfilewriteinrange;
> > +attribute mlsrangedobject;

Is this really a big problem? If I remember correctly the attribute had
been introduced specifically to support the ranged printer device type
needed for Matt's labeled Cups extensions, and it's only used in a single
place in the shipped policy (which the patch updated). 

Of course I don't want to cause trouble for people using the refpolicy
with out-of-tree modules, is there a way to do the rename using an alias
interface or deprecation warning to give people time to switch? I think
it would be bad to be stuck with historically grown interfaces forever,
especially if the feature was just added recently.

-Klaus

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.