* Re: selinux and sctp
       [not found] <4A191AAC.4000500@btconnect.com>
@ 2009-05-25 11:16 ` Daniel J Walsh
  2009-05-25 13:01   ` Nigel Rumens
  2009-05-26 22:32   ` Paul Moore
  0 siblings, 2 replies; 11+ messages in thread
From: Daniel J Walsh @ 2009-05-25 11:16 UTC (permalink / raw)
  To: Nigel Rumens, SE Linux

On 05/24/2009 06:00 AM, Nigel Rumens wrote:
> Hi,
>
> Does selinux understand sctp?
>
> When I run (for example)
>
> sctp_darn -H 0 -P 9876 -l
>
> It results in an avc denial message which tells me the target object is
> of type None[rawip_socket]
>
> Also semanage port -l shows only udp and tcp
>
> Machine tested on was F11 (fully updated) - I also tried it F10 with the
> same results
>
> Thanks
> wooky
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Well, it treats it as a rawip. I am not that familiar with the sctp 
protocol; if you believe we should do more to handle it, you probably 
need to discuss it with the SELinux developers on the SELinux developers' 
mail list

selinux@tycho.nsa.gov

http://www.nsa.gov/research/selinux/subscribe.shtml

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: selinux and sctp
  2009-05-25 11:16 ` selinux and sctp Daniel J Walsh
@ 2009-05-25 13:01   ` Nigel Rumens
  2009-05-26  0:18     ` Mark Webb
                       ` (2 more replies)
  2009-05-26 22:32   ` Paul Moore
  1 sibling, 3 replies; 11+ messages in thread
From: Nigel Rumens @ 2009-05-25 13:01 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

Thanks. I will do just that.

In the meantime though would it be possible to create a local policy 
module to allow this access? (with audit2allow?) Maybe even limiting it 
to just a particular set of processes by creating a new label and 
labeling the relevant executables?

Feel free to call me an idiot if you think I am being one. I am pretty 
new to selinux.

On 05/25/2009 12:16 PM, Daniel J Walsh wrote:
> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
>> Hi,
>>
>> Does selinux understand sctp?
>>
>> When I run (for example)
>>
>> sctp_darn -H 0 -P 9876 -l
>>
>> It results in an avc denial message which tells me the target object is
>> of type None[rawip_socket]
>>
>> Also semanage port -l shows only udp and tcp
>>
>> Machine tested on was F11 (fully updated) - I also tried it F10 with the
>> same results
>>
>> Thanks
>> wooky
>>
> Well, it treats it as a rawip. I am not that familiar with the sctp 
> protocol; if you believe we should do more to handle it, you probably 
> need to discuss it with the SELinux developers on the SELinux developers' 
> mail list
>
> selinux@tycho.nsa.gov
>
> http://www.nsa.gov/research/selinux/subscribe.shtml




* Re: selinux and sctp
  2009-05-25 13:01   ` Nigel Rumens
@ 2009-05-26  0:18     ` Mark Webb
  2009-05-27 16:25       ` Nigel Rumens
  2009-05-26 11:38     ` Daniel J Walsh
  2009-05-26 14:40     ` Stephen Smalley
  2 siblings, 1 reply; 11+ messages in thread
From: Mark Webb @ 2009-05-26  0:18 UTC (permalink / raw)
  To: Nigel Rumens; +Cc: Daniel J Walsh, SE Linux

You are not an idiot at all.  I would like to see the policy posted
here and others can work to refine it.  You might get a more relaxed
policy using audit2allow than you would like, but it's certainly a good
start.

I would suggest using SLIDE from Tresys and develop a policy from
scratch to better learn policy development.

...just my 2 cents
Mark


On Mon, May 25, 2009 at 9:01 AM, Nigel Rumens <wooky@btconnect.com> wrote:
> Thanks. I will do just that.
>
> In the meantime though would it be possible to create a local policy module
> to allow this access? (with audit2allow?) Maybe even limiting it to just a
> particular set of processes by creating a new label and labeling the
> relevant executables?
>
> Feel free to call me an idiot if you think I am being one. I am pretty new
> to selinux.
>
> On 05/25/2009 12:16 PM, Daniel J Walsh wrote:
>>
>> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
>>>
>>> Hi,
>>>
>>> Does selinux understand sctp?
>>>
>>> When I run (for example)
>>>
>>> sctp_darn -H 0 -P 9876 -l
>>>
>>> It results in an avc denial message which tells me the target object is
>>> of type None[rawip_socket]
>>>
>>> Also semanage port -l shows only udp and tcp
>>>
>>> Machine tested on was F11 (fully updated) - I also tried it F10 with the
>>> same results
>>>
>>> Thanks
>>> wooky
>>>
>>
>> Well, it treats it as a rawip. I am not that familiar with the sctp
>> protocol; if you believe we should do more to handle it, you probably need to
>> discuss it with the SELinux developers on the SELinux developers' mail list
>>
>> selinux@tycho.nsa.gov
>>
>> http://www.nsa.gov/research/selinux/subscribe.shtml
>
>
>



* Re: selinux and sctp
  2009-05-25 13:01   ` Nigel Rumens
  2009-05-26  0:18     ` Mark Webb
@ 2009-05-26 11:38     ` Daniel J Walsh
  2009-05-26 14:40     ` Stephen Smalley
  2 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2009-05-26 11:38 UTC (permalink / raw)
  To: Nigel Rumens; +Cc: SE Linux

On 05/25/2009 09:01 AM, Nigel Rumens wrote:
> Thanks. I will do just that.
>
> In the meantime though would it be possible to create a local policy
> module to allow this access? (with audit2allow?) Maybe even limiting it
> to just a particular set of processes by creating a new label and
> labeling the relevant executables?
>
> Feel free to call me an idiot if you think I am being one. I am pretty
> new to selinux.
>
> On 05/25/2009 12:16 PM, Daniel J Walsh wrote:
>> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
>>> Hi,
>>>
>>> Does selinux understand sctp?
>>>
>>> When I run (for example)
>>>
>>> sctp_darn -H 0 -P 9876 -l
>>>
>>> It results in an avc denial message which tells me the target object is
>>> of type None[rawip_socket]
>>>
>>> Also semanage port -l shows only udp and tcp
>>>
>>> Machine tested on was F11 (fully updated) - I also tried it F10 with the
>>> same results
>>>
>>> Thanks
>>> wooky
>>>
>> Well, it treats it as a rawip. I am not that familiar with the sctp
>> protocol; if you believe we should do more to handle it, you probably
>> need to discuss it with the SELinux developers on the SELinux developers'
>> mail list
>>
>> selinux@tycho.nsa.gov
>>
>> http://www.nsa.gov/research/selinux/subscribe.shtml
>
>
Yes, you can develop a policy for this tool using rawip sockets.  You use 
either slide or system-config-selinux/polgengui to build a policy for 
it.  With SELinux you can write policy for just about any process on the 
system.  The real problem is whether or not you can define your security 
goals, and whether or not the security goals make your system more 
secure.  Writing policy for emacs and saying it has to be able to 
read/write every file on the system does not make sense to me, since 
the security goal is too broad.






* Re: selinux and sctp
  2009-05-25 13:01   ` Nigel Rumens
  2009-05-26  0:18     ` Mark Webb
  2009-05-26 11:38     ` Daniel J Walsh
@ 2009-05-26 14:40     ` Stephen Smalley
  2 siblings, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2009-05-26 14:40 UTC (permalink / raw)
  To: Nigel Rumens; +Cc: Daniel J Walsh, SE Linux, Eric Paris, James Morris

On Mon, 2009-05-25 at 14:01 +0100, Nigel Rumens wrote:
> Thanks. I will do just that.
> 
> In the meantime though would it be possible to create a local policy 
> module to allow this access? (with audit2allow?) Maybe even limiting it 
> to just a particular set of processes by creating a new label and 
> labeling the relevant executables?

Yes, you should be able to do that.

Prior discussions of sctp and selinux:
http://marc.info/?l=fedora-selinux-list&w=2&r=1&s=sctp&q=b

I don't see sctp support on the selinux kernel todo list.

-- 
Stephen Smalley
National Security Agency




* Re: selinux and sctp
  2009-05-25 11:16 ` selinux and sctp Daniel J Walsh
  2009-05-25 13:01   ` Nigel Rumens
@ 2009-05-26 22:32   ` Paul Moore
  2009-05-27 12:12     ` Stephen Smalley
  2009-05-27 16:39     ` Nigel Rumens
  1 sibling, 2 replies; 11+ messages in thread
From: Paul Moore @ 2009-05-26 22:32 UTC (permalink / raw)
  To: Nigel Rumens; +Cc: Daniel J Walsh, SE Linux

On Monday 25 May 2009 07:16:06 am Daniel J Walsh wrote:
> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
> > Hi,
> >
> > Does selinux understand sctp?
> >
> > When I run (for example)
> >
> > sctp_darn -H 0 -P 9876 -l
> >
> > It results in an avc denial message which tells me the target object is
> > of type None[rawip_socket]
> >
> > Also semanage port -l shows only udp and tcp
> >
> > Machine tested on was F11 (fully updated) - I also tried it F10 with the
> > same results

Hi Nigel,

Can you send us the AVC denial messages?  If you are running a recent kernel 
(F11/Rawhide should qualify and F10 will likely as well) there should only be 
a handful of areas where you should be hitting transport protocol specific 
code that isn't SCTP aware in the kernel; it would be nice to verify that so 
we could better identify what work needs to be done.

-- 
paul moore
linux @ hp




* Re: selinux and sctp
  2009-05-26 22:32   ` Paul Moore
@ 2009-05-27 12:12     ` Stephen Smalley
  2009-05-27 13:36       ` James Morris
  2009-05-27 16:39     ` Nigel Rumens
  1 sibling, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2009-05-27 12:12 UTC (permalink / raw)
  To: Paul Moore
  Cc: Nigel Rumens, Daniel J Walsh, SE Linux, James Morris, Eric Paris

On Tue, 2009-05-26 at 18:32 -0400, Paul Moore wrote:
> On Monday 25 May 2009 07:16:06 am Daniel J Walsh wrote:
> > On 05/24/2009 06:00 AM, Nigel Rumens wrote:
> > > Hi,
> > >
> > > Does selinux understand sctp?
> > >
> > > When I run (for example)
> > >
> > > sctp_darn -H 0 -P 9876 -l
> > >
> > > It results in an avc denial message which tells me the target object is
> > > of type None[rawip_socket]
> > >
> > > Also semanage port -l shows only udp and tcp
> > >
> > > Machine tested on was F11 (fully updated) - I also tried it F10 with the
> > > same results
> 
> Hi Nigel,
> 
> Can you send us the AVC denial messages?  If you are running a recent kernel 
> (F11/Rawhide should qualify and F10 will likely as well) there should only be 
> a handful of areas where you should be hitting transport protocol specific 
> code that isn't SCTP aware in the kernel; it would be nice to verify that so 
> we could better identify what work needs to be done.

- Need to define a sctp_socket class in the policy and kernel (presently
they get mapped to rawip_socket).
- Need to extend the node_bind/name_bind checking to handle multiple
address binding for SCTP.
- Need to extend the name_connect checking to support SCTP.
- Need to add getpeersec support (also missing for DCCP).
- Need to extend selinux_parse_skb* to handle it.
- Need to update libsepol/libsemanage, checkpolicy, and semanage to
support it.

-- 
Stephen Smalley
National Security Agency




* Re: selinux and sctp
  2009-05-27 12:12     ` Stephen Smalley
@ 2009-05-27 13:36       ` James Morris
  0 siblings, 0 replies; 11+ messages in thread
From: James Morris @ 2009-05-27 13:36 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Paul Moore, Nigel Rumens, Daniel J Walsh, SE Linux, Eric Paris

On Wed, 27 May 2009, Stephen Smalley wrote:

> - Need to define a sctp_socket class in the policy and kernel (presently
> they get mapped to rawip_socket).
> - Need to extend the node_bind/name_bind checking to handle multiple
> address binding for SCTP.
> - Need to extend the name_connect checking to support SCTP.
> - Need to add getpeersec support (also missing for DCCP).
> - Need to extend selinux_parse_skb* to handle it.
> - Need to update libsepol/libsemanage, checkpolicy, and semanage to
> support it.

Added to the todo list 
http://selinuxproject.org/page/Kernel_Development#To_Do_List

-- 
James Morris
<jmorris@namei.org>



* Re: selinux and sctp
  2009-05-26  0:18     ` Mark Webb
@ 2009-05-27 16:25       ` Nigel Rumens
  0 siblings, 0 replies; 11+ messages in thread
From: Nigel Rumens @ 2009-05-27 16:25 UTC (permalink / raw)
  To: Mark Webb; +Cc: Daniel J Walsh, SE Linux

First let me apologise for my tardiness in replying, but I am ill at the 
moment. But it was really nice to get to see all the helpful replies in my 
mailbox when I finally got around to looking at it. Thanks everyone.

As soon as I manage to create something I will certainly post it.

On 05/26/2009 01:18 AM, Mark Webb wrote:
> You are not an idiot at all.  I would like to see the policy posted
> here and others can work to refine it.  You might get a more relaxed
> policy using audit2allow than you would like, but it's certainly a good
> start.
>
> I would suggest using SLIDE from Tresys and develop a policy from
> scratch to better learn policy development.
>
> ...just my 2 cents
> Mark
>
>
> On Mon, May 25, 2009 at 9:01 AM, Nigel Rumens<wooky@btconnect.com>  wrote:
>    
>> Thanks. I will do just that.
>>
>> In the meantime though would it be possible to create a local policy module
>> to allow this access? (with audit2allow?) Maybe even limiting it to just a
>> particular set of processes by creating a new label and labeling the
>> relevant executables?
>>
>> Feel free to call me an idiot if you think I am being one. I am pretty new
>> to selinux.
>>
>> On 05/25/2009 12:16 PM, Daniel J Walsh wrote:
>>      
>>> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
>>>        
>>>> Hi,
>>>>
>>>> Does selinux understand sctp?
>>>>
>>>> When I run (for example)
>>>>
>>>> sctp_darn -H 0 -P 9876 -l
>>>>
>>>> It results in an avc denial message which tells me the target object is
>>>> of type None[rawip_socket]
>>>>
>>>> Also semanage port -l shows only udp and tcp
>>>>
>>>> Machine tested on was F11 (fully updated) - I also tried it F10 with the
>>>> same results
>>>>
>>>> Thanks
>>>> wooky
>>>>
>>>>          
>>> Well, it treats it as a rawip. I am not that familiar with the sctp
>>> protocol; if you believe we should do more to handle it, you probably need to
>>> discuss it with the SELinux developers on the SELinux developers' mail list
>>>
>>> selinux@tycho.nsa.gov
>>>
>>> http://www.nsa.gov/research/selinux/subscribe.shtml
>>>        
>>
>>      




* Re: selinux and sctp
  2009-05-26 22:32   ` Paul Moore
  2009-05-27 12:12     ` Stephen Smalley
@ 2009-05-27 16:39     ` Nigel Rumens
  2009-05-27 19:36       ` Paul Moore
  1 sibling, 1 reply; 11+ messages in thread
From: Nigel Rumens @ 2009-05-27 16:39 UTC (permalink / raw)
  To: Paul Moore; +Cc: Daniel J Walsh, SE Linux


On 05/26/2009 11:32 PM, Paul Moore wrote:
> On Monday 25 May 2009 07:16:06 am Daniel J Walsh wrote:
>    
>> On 05/24/2009 06:00 AM, Nigel Rumens wrote:
>>      
>>> Hi,
>>>
>>> Does selinux understand sctp?
>>>
>>> When I run (for example)
>>>
>>> sctp_darn -H 0 -P 9876 -l
>>>
>>> It results in an avc denial message which tells me the target object is
>>> of type None[rawip_socket]
>>>
>>> Also semanage port -l shows only udp and tcp
>>>
>>> Machine tested on was F11 (fully updated) - I also tried it F10 with the
>>> same results
>>>        
>
> Hi Nigel,
>
> Can you send us the AVC denial messages?  If you are running a recent kernel
> (F11/Rawhide should qualify and F10 will likely as well) there should only be
> a handful of areas where you should be hitting transport protocol specific
> code that isn't SCTP aware in the kernel; it would be nice to verify that so
> we could better identify what work needs to be done.
>
>    

Certainly - here you are.

Summary:
SELinux is preventing the sctp_darn (unconfined_t) from binding to port 
9876.

Detailed Description:
SELinux has denied the sctp_darn from binding to a network port 9876 
which does not have an SELinux type associated with it. If sctp_darn is 
supposed to be allowed to listen on this port, you can use the semanage 
command to add this port to a port type that unconfined_t can bind to. 
semanage port -l will list all port types. Please file a bug report 
against the selinux-policy package. If sctp_darn is not supposed to bind 
to this port, this could signal an intrusion attempt. If this system is 
running as an NIS Client, turning on the allow_ypbind boolean may fix 
the problem: setsebool -P allow_ypbind=1.

Allowing Access:
If you want to allow sctp_darn to bind to this port: semanage port -a -t 
PORT_TYPE -p PROTOCOL 9876, where PORT_TYPE is a type that unconfined_t 
can bind and PROTOCOL is udp or tcp.

Additional Information:
Additional Information
Source Context:      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context:      system_u:object_r:port_t:s0
Target Objects:      None [ rawip_socket ]
Source:      sctp_darn
Source Path:      /usr/bin/sctp_darn
Port:      9876
Host:      bear.cwb.uk
Source RPM Packages:      lksctp-tools-1.0.10-1.fc11
Target RPM Packages:
Policy RPM:      selinux-policy-3.6.12-34.fc11
Selinux Enabled:      True
Policy Type:      targeted
MLS Enabled:      True
Enforcing Mode:      Enforcing
Plugin Name:      bind_ports
Host Name:      bear.cwb.uk
Platform:      Linux bear.cwb.uk 2.6.29.3-140.fc11.x86_64 #1 SMP Tue May 
12 10:44:27 EDT 2009 x86_64 x86_64
Alert Count:      1
First Seen:      Fri May 22 07:46:59 2009
Last Seen:      Fri May 22 07:46:59 2009
Local ID:      73919917-a2a5-409c-b29d-1eb84b1acc04
Line Numbers:

Raw Audit Messages :

node=bear.cwb.uk type=AVC msg=audit(1242974819.377:32014): avc: denied { name_bind } for pid=14773 comm="sctp_darn" src=9876 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=rawip_socket
node=bear.cwb.uk type=SYSCALL msg=audit(1242974819.377:32014): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff08b0bdd0 a2=10 a3=7fff08b0bdc0 items=0 ppid=14732 pid=14773 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=51 comm="sctp_darn" exe="/usr/bin/sctp_darn" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
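
The following is an added example, not code from this list, from lksctp-tools or from the SELinux userspace. It ties together two points in the thread: Nigel's question (with Mark's and Dan's answers) about building a local policy module with audit2allow, and Paul's request for the raw AVC above. It parses the two audit records Nigel posted (copied here and rejoined onto one line each, as auditd writes them), correlates the AVC with its SYSCALL record by audit serial, decodes the failing syscall (arch c000003e is x86_64, where syscall 49 is bind, and exit -13 is EACCES), and emits the minimal .te module that audit2allow -M would generate for it. It also flags what the thread observed: because the denial is on rawip_socket rather than tcp_socket/udp_socket, semanage port (which only knows tcp and udp here) cannot give port 9876 its own type, so the generated rule is necessarily broad. The module name local_sctp_darn is an assumption.

```python
"""Parse the AVC/SYSCALL pair from the thread and emit the audit2allow-style
local module for it.  Added example for this thread, not code from the list,
lksctp-tools or the SELinux userspace; the module name is an assumption."""
import re
from typing import Dict, List, Set

# Constructed input: the two raw audit records Nigel posted, each rejoined
# onto one line as auditd writes them (the setroubleshoot report wrapped them).
RAW_AUDIT = """\
node=bear.cwb.uk type=AVC msg=audit(1242974819.377:32014): avc: denied { name_bind } for pid=14773 comm="sctp_darn" src=9876 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=rawip_socket
node=bear.cwb.uk type=SYSCALL msg=audit(1242974819.377:32014): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff08b0bdd0 a2=10 a3=7fff08b0bdc0 items=0 ppid=14732 pid=14773 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=51 comm="sctp_darn" exe="/usr/bin/sctp_darn" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# Only the entries this event needs; arch=c000003e is AUDIT_ARCH_X86_64.
X86_64_SYSCALLS = {49: "bind"}
ERRNO = {-13: "EACCES"}
# Socket classes whose target port `semanage port -a -p tcp|udp` can relabel.
# The thread notes semanage only knows tcp and udp, so a rawip_socket
# name_bind denial (how SCTP showed up here) cannot be narrowed that way.
PORT_LABELABLE = {"tcp_socket", "udp_socket"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')
SERIAL_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
PERM_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key/value pairs; quotes and braces stripped."""
    rec = {k: v.strip('"{} ') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: " + line[:40])
    rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    pm = PERM_RE.search(line)
    if pm:  # AVC records only
        rec["decision"] = pm.group(1)
        rec["perms"] = " ".join(pm.group(2).split())
    return rec


def type_of(context: str) -> str:
    """The type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def correlate(raw: str) -> List[Dict[str, Dict[str, str]]]:
    """Group records by audit serial so each AVC sits with its SYSCALL record."""
    events: Dict[str, Dict[str, Dict[str, str]]] = {}
    for line in raw.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return list(events.values())


def describe(event: Dict[str, Dict[str, str]]) -> str:
    """One-line summary: who was denied what, via which syscall and errno."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    name = "?"
    if sc.get("arch") == "c000003e":
        name = X86_64_SYSCALLS.get(int(sc.get("syscall", "-1")), "?")
    err = ERRNO.get(int(sc.get("exit", "0")), sc.get("exit", "?"))
    return "%s (%s) denied %s on %s:%s -> %s() = %s" % (
        avc["comm"], type_of(avc["scontext"]), avc["perms"],
        type_of(avc["tcontext"]), avc["tclass"], name, err)


def semanage_can_narrow(avc: Dict[str, str]) -> bool:
    """True if relabelling the port with semanage could avoid a blanket rule."""
    return avc.get("perms") == "name_bind" and avc["tclass"] in PORT_LABELABLE


def policy_module(events: List[Dict[str, Dict[str, str]]],
                  name: str = "local_sctp_darn") -> str:
    """Minimal checkmodule .te source allowing every denial in `events`.
    Like audit2allow -M, this is the broad fix: unconfined_t gets name_bind
    on every port_t port for rawip sockets, not just on 9876."""
    types: Set[str] = set()
    classes: Dict[str, Set[str]] = {}
    rules: Set[str] = set()
    for ev in events:
        avc = ev["AVC"]
        if avc.get("decision") != "denied":
            continue
        src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
        types.update((src, tgt))
        classes.setdefault(avc["tclass"], set()).update(avc["perms"].split())
        rules.add("allow %s %s:%s { %s };" % (src, tgt, avc["tclass"], avc["perms"]))
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["    type %s;" % t for t in sorted(types)]
    out += ["    class %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""] + sorted(rules) + [""]
    return "\n".join(out)


if __name__ == "__main__":
    evs = correlate(RAW_AUDIT)
    for ev in evs:
        print(describe(ev))
        if not semanage_can_narrow(ev["AVC"]):
            print("semanage port cannot label this port; the module will be broad")
    print(policy_module(evs))
```

The emitted .te is the same shape audit2allow produces from `ausearch -m avc | audit2allow -M local_sctp_darn`; it compiles and loads with `checkmodule -M -m -o local_sctp_darn.mod local_sctp_darn.te`, `semodule_package -o local_sctp_darn.pp -m local_sctp_darn.mod` and `semodule -i local_sctp_darn.pp`. The rule it contains is exactly the "more relaxed than you would like" outcome Mark warned about: it allows unconfined_t to name_bind any port_t port on a rawip socket. Confining sctp_darn to its own domain, as Nigel suggested, is the way to keep that rule from applying to everything running unconfined.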



* Re: selinux and sctp
  2009-05-27 16:39     ` Nigel Rumens
@ 2009-05-27 19:36       ` Paul Moore
  0 siblings, 0 replies; 11+ messages in thread
From: Paul Moore @ 2009-05-27 19:36 UTC (permalink / raw)
  To: Nigel Rumens; +Cc: Daniel J Walsh, SE Linux

On Wednesday 27 May 2009 12:39:55 pm Nigel Rumens wrote:
> On 05/26/2009 11:32 PM, Paul Moore wrote:
> > Hi Nigel,
> >
> > Can you send us the AVC denial messages?  If you are running a recent
> > kernel (F11/Rawhide should qualify and F10 will likely as well) there
> > should only be a handful of areas where you should be hitting transport
> > protocol specific code that isn't SCTP aware in the kernel; it would be
> > nice to verify that so we could better identify what work needs to be
> > done.
>
> Certainly - here you are.

...

> Raw Audit Messages :
>
> node=bear.cwb.uk type=AVC msg=audit(1242974819.377:32014): avc: denied {
> name_bind } for pid=14773 comm="sctp_darn" src=9876
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:port_t:s0 tclass=rawip_socket
> node=bear.cwb.uk type=SYSCALL msg=audit(1242974819.377:32014):
> arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff08b0bdd0 a2=10
> a3=7fff08b0bdc0 items=0 ppid=14732 pid=14773 auid=500 uid=500 gid=500
> euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=51
> comm="sctp_darn" exe="/usr/bin/sctp_darn"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Thanks!

-- 
paul moore
linux @ hp



