[refpolicy] MLS ping?

[refpolicy] MLS ping?

[Paul Clark]

With a modified MLS policy (described below):
I can connect from SELinux (Fedora 13) to other systems.
But, I cannot ping from other systems to SELinux.

Configuring two interfaces with different MLS labels, I can ping from 
SELinux to other non-SELinux systems on both interfaces, but I cannot 
ping to SELinux on either interface. I can ssh to SELinux on the 
interface labeled s0. (I understand the failure of ssh through the 
interface labeled s1 because sshd is at s0.  Of course, that may not be 
why it is failing).

I have two interfaces configured as follows:

Using semanage:
eth0 = system_u:object_r:netif_t:s0
eth1 = system_u:object_r:netif_t:s1

Using netlabelctl:
interface eth0
   address:0.0.0.0/0
   label: "system_u:object_r:netlabel_peer_t:s0"
interface eth1
   address:0.0.0.0/0
   label: "system_u:object_r:netlabel_peer_t:s1"

I modifed the MLS policy as follows:
   allow kernel_t netif_t : netif egress;
   corenet_inout_generic_if(netlabel_peer_t)
   corenet_inout_generic_node(netlabel_peer_t)
   allow ping_t netlabel_peer_t : peer recv;

The following audit record would indicate that when responding to a ping 
request received on eth1, the kernel is operating at system high and 
therefore cannot write down to eth1.  But that doesn't explain why I can 
ping on eth0 at s0.
type=AVC msg=audit(13330453265.336:92_: avc: denied {egress} for 
saddr=192.168.0.13 daddr=192.168.0.14 netif=eth1 
scontext=system_u:system_r:kernel_t:s15:c0.c1023 
tcontext=system_u:object_r:netif_t:s1 tclass=netif

Any thoughts?

-Paul

[refpolicy] MLS ping?

[Paul Clark]

It turns out that the reason why an SELinux system cannot respond to a 
ping when the MLS policy is enabled, is that the kernel thread that 
responds to the echo request is apparently labeled at system high, and 
therefore cannot do an MLS write-down to lower-level interfaces.  [I 
wonder if ARPs would also fail?]

I got around the ping problem by modifying the mls policy file.  I added
     ( t1 == kernel_t ) or
as the next-to-last line in the mlsconstrain statement that starts as
     mlsconstrain { netif } { egress }

I don't know what the side-effects of this might be.

-Paul

On 3/29/12 1:51 PM, Paul Clark wrote:
> With a modified MLS policy (described below):
> I can connect from SELinux (Fedora 13) to other systems.
> But, I cannot ping from other systems to SELinux.
>
> Configuring two interfaces with different MLS labels, I can ping from 
> SELinux to other non-SELinux systems on both interfaces, but I cannot 
> ping to SELinux on either interface. I can ssh to SELinux on the 
> interface labeled s0. (I understand the failure of ssh through the 
> interface labeled s1 because sshd is at s0.  Of course, that may not 
> be why it is failing).
>
> I have two interfaces configured as follows:
>
> Using semanage:
> eth0 = system_u:object_r:netif_t:s0
> eth1 = system_u:object_r:netif_t:s1
>
> Using netlabelctl:
> interface eth0
>   address:0.0.0.0/0
>   label: "system_u:object_r:netlabel_peer_t:s0"
> interface eth1
>   address:0.0.0.0/0
>   label: "system_u:object_r:netlabel_peer_t:s1"
>
> I modifed the MLS policy as follows:
>   allow kernel_t netif_t : netif egress;
>   corenet_inout_generic_if(netlabel_peer_t)
>   corenet_inout_generic_node(netlabel_peer_t)
>   allow ping_t netlabel_peer_t : peer recv;
>
> The following audit record would indicate that when responding to a 
> ping request received on eth1, the kernel is operating at system high 
> and therefore cannot write down to eth1.  But that doesn't explain why 
> I can ping on eth0 at s0.
> type=AVC msg=audit(13330453265.336:92_: avc: denied {egress} for 
> saddr=192.168.0.13 daddr=192.168.0.14 netif=eth1 
> scontext=system_u:system_r:kernel_t:s15:c0.c1023 
> tcontext=system_u:object_r:netif_t:s1 tclass=netif
>
> Any thoughts?
>
> -Paul
>
> .
>