From: Venkat Yekkirala <vyekkirala@trustedcs.com>
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: jmorris@namei.org, latten@austin.ibm.com, sds@tycho.nsa.gov,
	tjaeger@cse.psu.edu
Subject: [PATCH FOR REFERENCE ONLY] MLSXFRM-v02: Add support to serefpolicy
Date: Tue, 18 Jul 2006 12:25:04 -0500	[thread overview]
Message-ID: <44BD1970.7010207@trustedcs.com> (raw)

This patch has been included here just for reference for anyone wanting to
try the patchset in enforcing mode. It will be submitted to the serefpolicy
list later.

This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

The mlsconstrains are from myself and the rest (sample/basic pieces to get
communication going with or without unlabeled IPSec) are from Joy Latten at IBM
(latten@austin.ibm.com).

diff -urpN serefpolicy-2.2.47.orig/policy/flask/access_vectors serefpolicy-2.2.47.diff/policy/flask/access_vectors
--- serefpolicy-2.2.47.orig/policy/flask/access_vectors	2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/flask/access_vectors	2006-07-11 07:43:37.000000000 -0500
@@ -602,6 +602,7 @@ class association
 	sendto
 	recvfrom
 	setcontext
+	polmatch
 }
 
 # Updated Netlink class for KOBJECT_UEVENT family.
diff -urpN serefpolicy-2.2.47.orig/policy/mls serefpolicy-2.2.47.diff/policy/mls
--- serefpolicy-2.2.47.orig/policy/mls	2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/mls	2006-07-11 07:44:23.000000000 -0500
@@ -671,4 +671,18 @@ mlsconstrain xinput { setattr relabelinp
 # these access vectors have no MLS restrictions
 # association *
 
+mlsconstrain association { recvfrom }
+        ((( l1 dom l2 ) and ( l1 domby h2 )) or
+         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+         ( t1 == mlsnetread ) or
+         ( t2 == unlabeled_t ));
+
+mlsconstrain association { sendto }
+        ((( l1 dom l2 ) and ( l1 domby h2 )) or
+         ( t2 == unlabeled_t ));
+
+mlsconstrain association { polmatch }
+         ((( l1 dom l2 ) and ( h1 domby h2 )) or
+          ( t2 == unlabeled_t));
+
 ') dnl end enable_mls
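Review bot: The context comment kept at the top of the hunk, `# these access vectors have no MLS restrictions` / `# association *`, is now wrong for three of the four association permissions, since the hunk adds mlsconstrain rules for recvfrom, sendto and polmatch; only setcontext stays unconstrained, so the comment should read `# association setcontext` (or be dropped if setcontext is meant to be constrained later). Each new rule carries the `( t2 == unlabeled_t )` escape that the cover letter explains but the policy file does not, so a one-line comment above the block, e.g. `# unlabeled_t SAs and policies bypass the MLS check until netlabel, ipsec and iptables labels are reconciled`, would keep that rationale next to the constraint it weakens. The polmatch rule checks `( h1 domby h2 )` where the other two check `( l1 domby h2 )`; if the intent is that the flow's whole range fit inside the policy's range, say so in a comment, as the asymmetry otherwise reads like a typo.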
diff -urpN serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.if serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.if
--- serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.if	2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.if	2006-07-14 04:29:32.000000000 -0500
@@ -2134,3 +2134,11 @@ interface(`kernel_dontaudit_list_all_pro
 	dontaudit $1 proc_type:dir list_dir_perms;
 	dontaudit $1 proc_type:file getattr;
 ')
+
+interface(`kernel_read_unlabeled_tcpsocket',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:tcp_socket { read write shutdown };
+')
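Review bot: The new interface name `kernel_read_unlabeled_tcpsocket` says read, but the rule inside it grants `allow $1 unlabeled_t:tcp_socket { read write shutdown };`, so a caller reading only the name will under-estimate what it receives; either narrow the rule to `read` or rename the interface (for example `kernel_rw_unlabeled_tcpsocket`), updating the call the same patch adds in unconfined.te. The interface also has no `## <summary>` / `## <param name="domain">` documentation block of the kind refpolicy interfaces conventionally carry for the policy documentation tools; add one stating which sockets carry the unlabeled_t label here and why a caller needs write and shutdown on them, rather than leaving that to the cover letter.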
diff -urpN serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.te serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.te
--- serefpolicy-2.2.47.orig/policy/modules/kernel/kernel.te	2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/modules/kernel/kernel.te	2006-07-14 04:28:18.000000000 -0500
@@ -332,6 +332,11 @@ optional_policy(`
 ifdef(`targeted_policy',`
 	allow unlabeled_t self:filesystem associate;
 ')
+# Joy
+allow unlabeled_t self:association *;
+corenet_tcp_sendrecv_generic_if(unlabeled_t)
+corenet_tcp_sendrecv_generic_node(unlabeled_t)
+corenet_tcp_sendrecv_generic_port(unlabeled_t)
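Review bot: `allow unlabeled_t self:association *;` grants every association permission with a wildcard, including setcontext, while the cover letter only motivates sendto, recvfrom and polmatch for unlabeled SAs; enumerate the set, `allow unlabeled_t self:association { sendto recvfrom polmatch };`, so that a permission added to the class later is not granted silently (add setcontext only if the unlabeled_t domain is shown to set SA contexts). The `# Joy` line above it is an attribution rather than an explanation and should give the reason the rule exists, e.g. `# non-IPSec traffic: let unlabeled flows and states match unlabeled policies until labels are reconciled`. The surrounding kernel.te context continues outside the hunk.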
 
 optional_policy(`
 	# If you load a new policy that removes active domains, processes can
diff -urpN serefpolicy-2.2.47.orig/policy/modules/system/unconfined.te serefpolicy-2.2.47.diff/policy/modules/system/unconfined.te
--- serefpolicy-2.2.47.orig/policy/modules/system/unconfined.te	2006-07-11 05:15:39.000000000 -0500
+++ serefpolicy-2.2.47.diff/policy/modules/system/unconfined.te	2006-07-14 04:32:33.000000000 -0500
@@ -29,6 +29,8 @@ unconfined_domain(unconfined_t)
 
 logging_send_syslog_msg(unconfined_t)
 
+kernel_read_unlabeled_tcpsocket(unconfined_t)
+
 ifdef(`targeted_policy',`
 	allow unconfined_t self:system syslog_read;
 	dontaudit unconfined_t self:capability sys_module;

