* [GIT] SELinux changes for 2.6.23 (updated)
@ 2007-07-12 3:20 James Morris
From: James Morris @ 2007-07-12 3:20 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, Stephen Smalley
This is an updated set of 2.6.23 SELinux changes, rebased & tested against
current git. The vmsplice patch has been dropped from this and will be
resubmitted via Jens. Also added an ack from Chris Wright for the mmap
null dereference hooks (which I'd forgotten to add to my tree some time
ago).
Please pull.
The following changes since commit 4eb6bf6bfb580afaf1e1a1d30cba17a078530cf4:
Alan Cox (1):
lots-of-architectures: enable arbitary speed tty support
are found in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6.git#for-linus
Adrian Bunk (1):
security: unexport mmap_min_addr
Christopher J. PeBenito (4):
selinux: add support for querying object classes and permissions from the running policy
selinux: rename sel_remove_bools() for more general usage.
selinux: change sel_make_dir() to specify inode counter.
selinux: add selinuxfs structure for object class discovery
Eric Paris (2):
selinux: introduce schedule points in policydb_destroy()
security: Protection for exploiting null dereference using mmap
Paul Moore (1):
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
Stephen Smalley (1):
SELinux: allow preemption between transition permission checks
Tobias Oed (1):
SELinux: Use %lu for inode->i_no when printing avc
Documentation/sysctl/vm.txt | 15 ++
include/linux/security.h | 17 ++-
kernel/sysctl.c | 10 +
mm/mmap.c | 4 +-
mm/mremap.c | 13 +-
mm/nommu.c | 2 +-
security/dummy.c | 6 +-
security/security.c | 1 +
security/selinux/avc.c | 12 +-
security/selinux/hooks.c | 42 +++--
security/selinux/include/av_perm_to_string.h | 1 +
security/selinux/include/av_permissions.h | 1 +
security/selinux/include/avc.h | 6 +-
security/selinux/include/class_to_string.h | 1 +
security/selinux/include/flask.h | 1 +
security/selinux/include/security.h | 4 +
security/selinux/netlabel.c | 34 ++--
security/selinux/selinuxfs.c | 269 +++++++++++++++++++++++++-
security/selinux/ss/policydb.c | 7 +
security/selinux/ss/services.c | 144 ++++++++++++--
20 files changed, 504 insertions(+), 86 deletions(-)
* Re: [GIT] SELinux changes for 2.6.23 (updated)
@ 2007-07-12 23:39 ` Michal Piotrowski
From: Michal Piotrowski @ 2007-07-12 23:39 UTC (permalink / raw)
To: James Morris; +Cc: Linus Torvalds, linux-kernel, Stephen Smalley
Hi,
On 12/07/07, James Morris <jmorris@namei.org> wrote:
> This is an updated set of 2.6.23 SELinux changes, rebased & tested against
> current git. The vmsplice patch has been dropped from this and will be
> resubmitted via Jens. Also added an ack from Chris Wright for the mmap
> null dereference hooks (which I'd forgotten to add to my tree some time
> ago).
>
> Please pull.
>
>
My system is too secure, I can not login :)
[ 48.388454] audit(1184282973.821:4): avc: denied { recvfrom } for
pid=1168 comm="rhgb" saddr=127.0.0.1 src=40501 daddr=127.0.0.1
dest=6009 netif=lo scontext=system_u:system_r:xdm_xserver_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=tcp_socket
[ 48.572508] PM: Adding info for No Bus:vcs8
[ 48.576842] PM: Adding info for No Bus:vcsa8
[ 51.403651] audit(1184282976.821:5): avc: denied { recvfrom } for
saddr=127.0.0.1 src=40501 daddr=127.0.0.1 dest=6009 netif=lo
scontext=system_u:system_r:xdm_xserver_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=tcp_socket
[ 57.389935] audit(1184282982.820:6): avc: denied { recvfrom } for
saddr=127.0.0.1 src=40501 daddr=127.0.0.1 dest=6009 netif=lo
scontext=system_u:system_r:xdm_xserver_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=tcp_socket
[ 69.362541] audit(1184282994.818:7): avc: denied { recvfrom } for
saddr=127.0.0.1 src=40501 daddr=127.0.0.1 dest=6009 netif=lo
scontext=system_u:system_r:xdm_xserver_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=tcp_socket
[ 93.307790] audit(1184283018.814:8): avc: denied { recvfrom } for
saddr=127.0.0.1 src=40501 daddr=127.0.0.1 dest=6009 netif=lo
scontext=system_u:system_r:xdm_xserver_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=tcp_socket
http://www.stardust.webpages.pl/files/tbf/bitis-gabonica/2.6.22-g4eb6bf6b/console.log
http://www.stardust.webpages.pl/files/tbf/bitis-gabonica/2.6.22-g4eb6bf6b/git-config2
Regards,
Michal
--
LOG
http://www.stardust.webpages.pl/log/
* Re: [GIT] SELinux changes for 2.6.23 (updated)
@ 2007-07-13 2:49 ` James Morris
From: James Morris @ 2007-07-13 2:49 UTC (permalink / raw)
To: Michal Piotrowski
Cc: Linus Torvalds, linux-kernel, Stephen Smalley, Paul Moore
On Fri, 13 Jul 2007, Michal Piotrowski wrote:
>
> My system is too secure, I can not login :)
Do you have CONFIG_NETLABEL=y ?
If so, please try disabling it.
- James
--
James Morris
<jmorris@namei.org>
* Re: [GIT] SELinux changes for 2.6.23 (updated)
@ 2007-07-13 10:41 Paul Moore
From: Paul Moore @ 2007-07-13 10:41 UTC (permalink / raw)
To: jmorris; +Cc: michal.k.k.piotrowski, torvalds, linux-kernel, sds
-----Original Message-----
From: James Morris <jmorris@namei.org>
Date: Thursday, Jul 12, 2007 10:50 pm
Subject: Re: [GIT] SELinux changes for 2.6.23 (updated)
To: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
CC: Linus Torvalds <torvalds@linux-foundation.org>, linux-kernel@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>, Paul Moore <paul.moore@hp.com>
On Fri, 13 Jul 2007, Michal Piotrowski wrote:
>
>>
> My system is too secure, I can not login :)
>
>Do you have CONFIG_NETLABEL=y ?
>
>If so, please try disabling it.
Disabling NetLabel should solve the problem. The recommended solution to this problem, as discussed on the SELinux list and mentioned in the patch description, is to upgrade your SELinux policy to the latest Reference Policy sources. For those with custom SELinux policy, the patch description explains the changes to the SELinux policy required.
If needed I can post more instructions later, let me know, but right now I'm tapping this out on my phone while at the airport.
. paul moore
. linux security @ hp
* The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
@ 2007-07-13 19:08 ` Michal Piotrowski
From: Michal Piotrowski @ 2007-07-13 19:08 UTC (permalink / raw)
To: Paul Moore; +Cc: jmorris, michal.k.k.piotrowski, torvalds, linux-kernel, sds
Paul Moore wrote:
[..]
> On Fri, 13 Jul 2007, Michal Piotrowski wrote:
>> My system is too secure, I can not login :)
>>
>> Do you have CONFIG_NETLABEL=y ?
>>
>> If so, please try disabling it.
>
> Disabling NetLabel should solve the problem.
Disabling NetLabel solves the problem.
> The recommended solution to this problem, as discussed on the SELinux list and mentioned in the patch description, is to upgrade your SELinux policy to the latest Reference Policy sources. For those with custom SELinux policy, the patch description explains the changes to the SELinux policy required.
I'm sorry to say this, but this kind of patch should not be accepted.
Patch
commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
Author: Paul Moore <paul.moore@hp.com>
Date: Fri Jun 29 11:48:16 2007 -0400
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
These changes will make NetLabel behave like labeled IPsec where there is an
access check for both labeled and unlabeled packets as well as providing the
ability to restrict domains to receiving only labeled packets when NetLabel
is in use. The changes to the policy are straightforward with the
following necessary to receive labeled traffic (with SECINITSID_NETMSG
defined as "netlabel_peer_t"):
allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
The policy for unlabeled traffic would be:
allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
These policy changes, as well as more general NetLabel support, are included
in the SELinux Reference Policy SVN tree, r2352 or later. Users who enable
NetLabel support in the kernel are strongly encouraged to upgrade their
policy to avoid network problems.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
breaks systems with recent selinux policy.
(rpm -qa selinux-policy-*
selinux-policy-devel-2.6.4-25.fc7
selinux-policy-targeted-2.6.4-25.fc7)
I will add this as a regression unless Linus says "Fsck it! We don't care about compatibility"
>
> If needed I can post more instructions later, let me know, but right now I'm tapping this out on my phone while at the airport.
>
> . paul moore
> . linux security @ hp
>
>
>
Regards,
Michal
--
LOG
http://www.stardust.webpages.pl/log/
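As an added illustration, not code from this thread, the kernel tree or the Reference Policy: a small Python script that turns AVC denials of the form Michal posted above into the allow rules the quoted commit message describes, and for socket-class denials against unlabeled_t also emits the netlabel_peer_t counterpart the commit says a domain needs for labeled traffic. The sample lines are constructed from the quoted console log (re-joined onto one line each), and the netlabel_peer_t type name and socket classes are taken from the commit message; everything else is assumed.

```python
import re

# Constructed sample: first two AVC denials quoted earlier in this thread, re-joined onto
# one line each (the mail wrapped them), plus one unrelated kernel line that must be ignored.
SAMPLE_AVC = """\
[   48.388454] audit(1184282973.821:4): avc:  denied  { recvfrom }  for pid=1168 comm="rhgb" saddr=127.0.0.1 src=40501 daddr=127.0.0.1 dest=6009 netif=lo scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=tcp_socket
[   48.572508] PM: Adding info for No Bus:vcs8
[   51.403651] audit(1184282976.821:5): avc:  denied  { recvfrom }  for saddr=127.0.0.1 src=40501 daddr=127.0.0.1 dest=6009 netif=lo scontext=system_u:system_r:xdm_xserver_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Socket classes named in the commit message's NetLabel policy rules.
NETLABEL_CLASSES = ("tcp_socket", "udp_socket", "rawip_socket")

def type_of(context):
    """Return the type (third field) of a user:role:type:level security context."""
    return context.split(":")[2]

def collect_denials(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
            denials.setdefault(key, set()).update(m.group("perms").split())
    return denials

def format_rule(src, tgt, cls, perms):
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"

def allow_rules(text):
    """One allow rule per (source, target, class), duplicate denials merged."""
    return [format_rule(*key, perms) for key, perms in sorted(collect_denials(text).items())]

def netlabel_peer_rules(text):
    """For each unlabeled_t denial on a socket class, the matching netlabel_peer_t rule;
    with both rules in place the domain keeps working for labeled and unlabeled peers."""
    return [format_rule(src, "netlabel_peer_t", cls, perms)
            for (src, tgt, cls), perms in sorted(collect_denials(text).items())
            if tgt == "unlabeled_t" and cls in NETLABEL_CLASSES]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC) + netlabel_peer_rules(SAMPLE_AVC):
        print(rule)
```

Whether a generated rule is appropriate is a policy decision; the script only shows what the denials in the log translate to in the syntax the commit message uses.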
* Re: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
@ 2007-07-13 19:29 ` Stephen Smalley
From: Stephen Smalley @ 2007-07-13 19:29 UTC (permalink / raw)
To: Michal Piotrowski; +Cc: Paul Moore, jmorris, torvalds, linux-kernel
On Fri, 2007-07-13 at 21:08 +0200, Michal Piotrowski wrote:
> Paul Moore wrote:
> [..]
> > On Fri, 13 Jul 2007, Michal Piotrowski wrote:
> >> My system is too secure, I can not login :)
> >>
> >> Do you have CONFIG_NETLABEL=y ?
> >>
> >> If so, please try disabling it.
> >
> > Disabling NetLabel should solve the problem.
>
> Disabling NetLabel solves the problem.
>
> > The recommended solution to this problem, as discussed on the SELinux list and mentioned in the patch description, is to upgrade your SELinux policy to the latest Reference Policy sources. For those with custom SELinux policy, the patch description explains the changes to the SELinux policy required.
>
> I'm sorry to say this, but this kind of patch should not be accepted.
>
> Patch
>
> commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
> Author: Paul Moore <paul.moore@hp.com>
> Date: Fri Jun 29 11:48:16 2007 -0400
>
> SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
>
> These changes will make NetLabel behave like labeled IPsec where there is an
> access check for both labeled and unlabeled packets as well as providing the
> ability to restrict domains to receiving only labeled packets when NetLabel
> is in use. The changes to the policy are straightforward with the
> following necessary to receive labeled traffic (with SECINITSID_NETMSG
> defined as "netlabel_peer_t"):
>
> allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
>
> The policy for unlabeled traffic would be:
>
> allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
>
> These policy changes, as well as more general NetLabel support, are included
> in the SELinux Reference Policy SVN tree, r2352 or later. Users who enable
> NetLabel support in the kernel are strongly encouraged to upgrade their
> policy to avoid network problems.
>
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> Signed-off-by: James Morris <jmorris@namei.org>
>
>
> breaks systems with recent selinux policy.
>
> (rpm -qa selinux-policy-*
> selinux-policy-devel-2.6.4-25.fc7
> selinux-policy-targeted-2.6.4-25.fc7)
>
> I will add this as a regression unless Linus says "Fsck it! We don't care about compatibility"
Agreed, it needs to be fixed in the netlabel code.
--
Stephen Smalley
National Security Agency
* Re: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
@ 2007-07-14 3:20 ` Paul Moore
From: Paul Moore @ 2007-07-14 3:20 UTC (permalink / raw)
To: linux-kernel
On Friday, July 13 2007 3:29:23 pm Stephen Smalley wrote:
> Agreed, it needs to be fixed in the netlabel code.
For anyone interested, and for the sake of completeness, an updated patch[set]
has been posted to the SELinux mailing list for review. The new patchset is
designed to fix the problem that Michal reported.
--
paul moore
linux security @ hp