From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov, eparis@redhat.com,
jmorris@namei.org, sds@tycho.nsa.gov
Subject: Re: [PATCH v4 1/2] NetLabel: secid reconciliation support
Date: Wed, 04 Oct 2006 14:45:49 -0400 [thread overview]
Message-ID: <4524015D.3070501@hp.com> (raw)
In-Reply-To: <36282A1733C57546BE392885C0618592015CF8A5@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>@@ -3714,19 +3714,34 @@ static int selinux_skb_flow_in(struct sk
>> if (skb->dev == &loopback_dev)
>> return 1;
>>
>>+ if (skb->secmark)
>>+ loc_sid = skb->secmark;
>>+ else
>>+ loc_sid = SECINITSID_NETMSG;
>>+
>> err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
>> BUG_ON(err);
>>-
>>- err = avc_has_perm(xfrm_sid, skb->secmark? : SECINITSID_NETMSG,
>>- SECCLASS_PACKET,
>>- PACKET__FLOW_IN, NULL);
>>+ err = selinux_netlbl_skb_sid(skb,
>>+ xfrm_sid ? xfrm_sid : loc_sid,
>>+ &nlbl_sid);
>> if (err)
>> goto out;
>>
>>- if (xfrm_sid)
>>- skb->secmark = xfrm_sid;
>>+ if (nlbl_sid)
>>+ ext_sid = nlbl_sid;
>>+ else
>>+ ext_sid = xfrm_sid;
>
>
> There's a problem here in that it would require 2 different policies
> depending on whether one is using netlabel or xfrm. Specifically, in
> the absence of matching iptables contexts (secmark), the skb here
> will get:
>
> - 0 (xfrm case)
> - network_t (netlabel)
Perhaps I'm reading it the wrong way, but I didn't quite follow your
comment. In an effort to bring some clarity to all of this here are all
of the possibile combinations that I can see using the code above (feel
free to correct me if I made a mistake):
* SECMARK, XFRM, NetLabel present
xfrm_sid = <full context from xfrm>
loc_sid = <full context from secmark>
nlbl_sid = <xfrm_sid te ctx, netlabel mls ctx>
ext_sid = nlbl_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* SECMARK, XFRM present
xfrm_sid = <full context from xfrm>
loc_sid = <full context from secmark>
nlbl_sid = SECSID_NULL/0
ext_sid = xfrm_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* SECMARK, NetLabel present
xfrm_sid = SECSID_NULL/0
loc_sid = <full context from secmark>
nlbl_sid = <secmark te ctx, netlabel mls ctx>
ext_sid = nlbl_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* XFRM, NetLabel present
xfrm_sid = <full context from xfrm>
loc_sid = SECINITSID_NETMSG
nlbl_sid = <xfrm_sid te ctx, netlabel mls ctx>
ext_sid = nlbl_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* XFRM present
xfrm_sid = <full context from xfrm>
loc_sid = SECINITSID_NETMSG
nlbl_sid = SECSID_NULL/0
ext_sid = xfrm_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* NetLabel present
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid = <SECINITSID_NETMSG te ctx, netlabel mls ctx>
ext_sid = nlbl_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* Nothing
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid = SECSID_NULL/0
ext_sid = xfrm_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
> This has implications for getpeercon() where it would
>
> - fail with ENOPROTOOPT (xfrm case)
> - returns network_t (netlabel)
>
> I would still argue that the nature of the domain being carried by
> the packet is still unlabeled_t as implied by the null secmark. While
> I view secmark/point as specifying BOTH a flow control point and a
> default domain (incidentally using the same label more because of
> implementation constrainst), I view network_t as purely a flow control
> point.
>
> But I also realize there can be equally forceful arguments for what this
> patch does.
I know the two of us have talked about this before on the mail lists,
but I don't believe anyone else has ever made a comment in this regard.
I tend to feel rather strongly that when using just NetLabel on a
connection you shouldn't see an "unlabeled_t" type as I feel that the
connotation associated with this type is misleading, even though from a
TE point of view there may be an argument made that it is appropriate.
> What does the community think? We need to resolve it one way or the
> other unless the above differences in behavior are desired or somehow
> accounted for in policy and apps.
I agree - I'd like to hear what others (namely Stephen Smalley, James
Morris and all of the Tresys folks <past and present>) have to say on
this issue.
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-10-04 18:45 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-04 16:59 [PATCH v4 1/2] NetLabel: secid reconciliation support Venkat Yekkirala
2006-10-04 18:45 ` Paul Moore [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-10-04 19:53 Venkat Yekkirala
2006-10-04 20:08 ` Paul Moore
2006-10-04 19:37 Venkat Yekkirala
2006-10-04 19:52 ` Paul Moore
2006-10-04 19:02 Venkat Yekkirala
2006-10-04 19:27 ` Paul Moore
2006-10-04 19:45 ` Stephen Smalley
2006-10-04 17:09 Venkat Yekkirala
2006-10-04 15:46 [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix paul.moore
2006-10-04 15:46 ` [PATCH v4 1/2] NetLabel: secid reconciliation support paul.moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4524015D.3070501@hp.com \
--to=paul.moore@hp.com \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).