All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Moore <pmoore@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
	selinux@tycho.nsa.gov, jasowang@redhat.com
Subject: Re: [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices
Date: Thu, 06 Dec 2012 11:56:45 -0500	[thread overview]
Message-ID: <6001427.qD54i2BbtH@sifl> (raw)
In-Reply-To: <20121206161200.GA4340@redhat.com>

On Thursday, December 06, 2012 06:12:00 PM Michael S. Tsirkin wrote:
> On Thu, Dec 06, 2012 at 10:46:11AM -0500, Paul Moore wrote:
> > On Thursday, December 06, 2012 12:33:25 PM Michael S. Tsirkin wrote:
> > > OK so just to verify: this can be used to ensure that qemu
> > > process that has the queue fd can only attach it to
> > > a specific device, right?
> > 
> > Whenever a new queue is created via TUNSETQUEUE/tun_set_queue() the
> > security_tun_dev_create_queue() LSM hook is called.  When SELinux is
> > enabled this hook ends up calling selinux_tun_dev_create_queue() which
> > checks that the calling process (process_t) is allowed to create a new
> > queue on the specified device (tundev_t) .  If you are familiar with
> > SELinux security policy, the allow rule would look like this:
> >
> >   allow process_t tundev_t:tun_socket create_queue;
> > 
> > In practice, if we assume libvirt is creating the TUN device and running
> > with a SELinux label of virtd_t and that QEMU instances are running with
> > a SELinux label of svirt_t then the allow rule would look like this:
> >
> >   allow svirt_t virtd_t:tun_socket create_queue;
> > 
> > There is also the matter of the MLS/MCS constraints providing additional
> > separation but that is another level of detail which I don't believe is
> > important for our discussion.
> 
> Hmm. How do the rules for SETIFF look ATM?
> I am just checking default policy does not let qemu do with
> SETQUEUE something with a device which it can not
> attach to using SETIFF.

The SETQUEUE/tun_socket:create_queue permissions do not yet exist in any 
released SELinux policy as we are just now adding them with this patchset.  
With current policies loaded into a kernel with this patchset applied the 
SETQUEUE/tun_socket:create_queue permission would be treated according to the 
policy's unknown permission setting.

-- 
paul moore
security and virtualization @ redhat


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

  parent reply	other threads:[~2012-12-06 16:57 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-12-05 20:25 [RFC PATCH v2 0/3] Fix some multiqueue TUN problems Paul Moore
2012-12-05 20:26 ` [RFC PATCH v2 1/3] tun: correctly report an error in tun_flow_init() Paul Moore
     [not found]   ` <2215330.qi9iHRh0XG@jason-thinkpad-t430s>
2012-12-06 15:46     ` Paul Moore
2012-12-05 20:26 ` [RFC PATCH v2 2/3] selinux: add the "create_queue" permission to the "tun_socket" class Paul Moore
2012-12-05 20:26 ` [RFC PATCH v2 3/3] tun: fix LSM/SELinux labeling of tun/tap devices Paul Moore
     [not found]   ` <9040763.QsllgCP7TP@jason-thinkpad-t430s>
2012-12-06 15:36     ` Paul Moore
     [not found]   ` <20121206103325.GG10837@redhat.com>
2012-12-06 15:46     ` Paul Moore
     [not found]       ` <20121206161200.GA4340@redhat.com>
2012-12-06 16:56         ` Paul Moore [this message]
     [not found]           ` <20121206205716.GA6576@redhat.com>
2012-12-06 21:09             ` Paul Moore
     [not found]               ` <20121207122516.GA16577@redhat.com>
2012-12-10 17:04                 ` Paul Moore
     [not found]                   ` <20121210172656.GA30775@redhat.com>
2012-12-10 17:33                     ` Paul Moore
     [not found]                       ` <20121210175035.GA31856@redhat.com>
2012-12-10 18:42                         ` Eric Paris
2012-12-10 22:21                           ` Paul Moore
2012-12-10 22:43                         ` Paul Moore
     [not found]   ` <20121212092236.GB4354@redhat.com>
2012-12-12 18:49     ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6001427.qD54i2BbtH@sifl \
    --to=pmoore@redhat.com \
    --cc=jasowang@redhat.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mst@redhat.com \
    --cc=netdev@vger.kernel.org \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.