On Mon, Aug 07, 2006 at 03:37:00PM -0400, Paul Moore wrote:
> I spent an hour this afternoon with the latest NetLabel patch and Klaus'
> original "toy" policy module trying to "flesh it out a bit".  The
> resulting policy file is attached (as well as a simple Makefile to build
> and install the module).  I will caution people that I haven't done much
> testing with this new policy module yet but what I have done, mostly
> running 'netlabelctl' seems to work well enough.

I've updated this to work with current kernel + policy - it needs
additional permissions for port_t and name_bind. Diff (plus patched files
for reference) attached.

I was a bit surprised that an "s2-s2" process can connect successfully to
an "s3-s3" process, send it data, and then select/poll(2) waiting for data.
poll(2) reports POLLIN on the socket once the s3 process tries to answer,
but the read(2) that follows returns 0, which the program interprets as EOF.
(The AVC output below shows that the s3 side's write(2) was in fact denied
with EACCES, so what the s2 side presumably observes is the connection being
torn down rather than the data itself.) I was expecting the connect to fail.
This way it permits "write up" operations (which are compatible with LSPP
but frowned upon), and it looks like a covert channel: the lower-level s2
process can observe when the higher-level s3 process acts on the connection,
even though it can never read the contents.

It works as expected the other way around, the s3 process gets an
immediate "connection refused" when trying to connect to the s2 process.

FYI, here's the strace output and AVC messages.

*** at s2-s2: telnet localhost 3333
*** at s3-s3: nc -l 3333

poll([{fd=3, events=POLLIN, revents=POLLIN}, {fd=0, events=POLLIN}], 2, -1) = 1
read(3, "", 1024)                       = 0

type=AVC msg=audit(1156984506.126:359): avc:  denied  { write } for  pid=2366 
comm="nc" name="[11390]" dev=sockfs ino=11390 
scontext=staff_u:staff_r:staff_t:s3 tcontext=staff_u:staff_r:staff_t:s2 
tclass=tcp_socket
type=SYSCALL msg=audit(1156984506.126:359): arch=40000003 syscall=4 success=no 
exit=-13 a0=4 a1=bfc70538 a2=2 a3=2 items=0 ppid=2301 pid=2366 auid=500 uid=500 
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 
comm="nc" exe="/usr/bin/nc" subj=staff_u:staff_r:staff_t:s3 key=(null)
type=AVC_PATH msg=audit(1156984506.126:359):  path="socket:[11390]"

*** at s2-s2: nc -l 3333
*** at s3-s3: telnet localhost 3333

connect(3, {sa_family=AF_INET6, sin6_port=htons(3333), inet_pton(AF_INET6, 
"::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ECONNREFUSED 
(Connection refused)

type=AVC msg=audit(1156984832.698:381): avc:  denied  { recv_msg } for  
saddr=127.0.0.1 src=34430 daddr=127.0.0.1 dest=3333 netif=lo 
scontext=staff_u:staff_r:staff_t:s2 tcontext=staff_u:staff_r:staff_t:s3 
tclass=tcp_socket
type=SYSCALL msg=audit(1156984829.698:380): arch=40000003 syscall=102 
success=no exit=-113 a0=3 a1=bfee9080 a2=79030c a3=916d148 items=0 ppid=2473 
pid=2474 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 
fsgid=500 tty=pts2 comm="telnet" exe="/usr/kerberos/bin/telnet" 
subj=staff_u:staff_r:staff_t:s3 key=(null)

-Klaus
--- netlabel.te.orig    2006-08-30 20:19:57.000000000 -0500
+++ netlabel.te 2006-08-30 20:19:26.000000000 -0500
@@ -12,20 +12,21 @@
 # module information
 #
 
-module netlabel 0.1;
+module netlabel 0.2;
 
 require {
        type user_t, staff_t, sysadm_t;
        type staff_tty_device_t;
        type etc_t, ld_so_cache_t, ld_so_t, lib_t, shlib_t, local_login_t;
+       type port_t;
 
        attribute domain;
        attribute entry_type;
        attribute exec_type;
        attribute file_type;
 
-       class tcp_socket { recv_msg };
-       class udp_socket { recv_msg };
+       class tcp_socket { recv_msg name_bind };
+       class udp_socket { recv_msg name_bind };
 
        class dir { search };
        class file { ioctl getattr read execute entrypoint };
@@ -58,9 +59,9 @@
 
 # sending NetLabel'd packets does not require a SELinux privilege, however,
 #   receiving NetLabel'd packets does
-allow user_t user_t:{ tcp_socket udp_socket } { recv_msg };
-allow staff_t staff_t:{ tcp_socket udp_socket } { recv_msg };
-allow sysadm_t sysadm_t:{ tcp_socket udp_socket } { recv_msg };
+allow user_t {user_t port_t}:{ tcp_socket udp_socket } { recv_msg name_bind };
+allow staff_t {staff_t port_t}:{ tcp_socket udp_socket } { recv_msg name_bind 
};
+allow sysadm_t {sysadm_t port_t}:{ tcp_socket udp_socket } { recv_msg 
name_bind };
 
 # allow the staff_t to configure the NetLabel subsystem
 #   NOTE: this should be sysadm_t or some other domain but staff_t is handy
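Review bot: The braced target `{user_t port_t}` on the three new allow rules is a cross product, so each rule also grants `user_t user_t:{ tcp_socket udp_socket } name_bind` and `user_t port_t:{ tcp_socket udp_socket } recv_msg`, neither of which the denials discussed in this thread call for (the cover note mentions only port_t/name_bind; the AVC output shows recv_msg between the domains themselves). Splitting each line keeps the grant to what was actually needed: `allow user_t user_t:{ tcp_socket udp_socket } recv_msg;` and `allow user_t port_t:{ tcp_socket udp_socket } name_bind;` (likewise for staff_t and sysadm_t). The comment above the rules still says only receiving needs a privilege; it should also note that name_bind on port_t is what lets these domains listen on an unreserved port such as the 3333 used in the test.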
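#######
#
# Sample NetLabel SELinux policy module
# Paul Moore <[EMAIL PROTECTED]>
#
# Based on a "toy policy module" by Klaus Weidner
#
# Purpose: give the user/staff/sysadm domains the type-enforcement
#   permissions needed to receive NetLabel'd traffic and to listen on an
#   unreserved port, and define a netlabelctl_t domain for the netlabelctl
#   configuration tool.
#
# NOTE(review): this module only hands out TE permissions.  Whether a socket
#   at one MLS level may connect to or send to a peer at another level (the
#   s2 -> s3 "write up" observed in the thread) is not decided by anything in
#   this file; the s3 -> s2 recv_msg denial seen in the thread happens between
#   two staff_t sockets that this module allows, so it presumably comes from
#   the MLS constraints of the base policy.
#

###
#
# module information
#

module netlabel 0.2;

require {
        type user_t, staff_t, sysadm_t;
        type staff_tty_device_t;
        type etc_t, ld_so_cache_t, ld_so_t, lib_t, shlib_t, local_login_t;
        # unreserved ports (e.g. 3333 in the test) carry this type
        type port_t;

        attribute domain;
        attribute entry_type;
        attribute exec_type;
        attribute file_type;

        class tcp_socket { recv_msg name_bind };
        class udp_socket { recv_msg name_bind };

        class dir { search };
        class file { ioctl getattr read execute entrypoint };
        class chr_file { ioctl getattr read write };
        class lnk_file { read };
        class fd { use };
        class netlink_socket { create bind write read };
        class process { transition noatsecure siginh rlimitinh };
}

###
#
# netlabel types
#

# domain the netlabelctl tool runs in, and the type of its executable
type netlabelctl_t;
type netlabelctl_exec_t;

typeattribute netlabelctl_t domain;
typeattribute netlabelctl_exec_t entry_type;
typeattribute netlabelctl_exec_t exec_type;
typeattribute netlabelctl_exec_t file_type;

# only staff_r may run in netlabelctl_t (matches the staff_t transition below)
role staff_r types netlabelctl_t;

###
#
# policy
#

# sending NetLabel'd packets does not require a SELinux privilege, however,
#   receiving NetLabel'd packets does.  As the AVC output in the thread shows,
#   the target of recv_msg carries the peer's label, which for these test
#   domains is the domain itself.
allow user_t user_t:{ tcp_socket udp_socket } recv_msg;
allow staff_t staff_t:{ tcp_socket udp_socket } recv_msg;
allow sysadm_t sysadm_t:{ tcp_socket udp_socket } recv_msg;

# listening on an unreserved port needs name_bind on port_t.  These are kept
#   as separate rules rather than a { domain port_t } cross product so the
#   module does not also grant the unneeded domain:tcp_socket name_bind and
#   port_t:tcp_socket recv_msg pairs.
allow user_t port_t:{ tcp_socket udp_socket } name_bind;
allow staff_t port_t:{ tcp_socket udp_socket } name_bind;
allow sysadm_t port_t:{ tcp_socket udp_socket } name_bind;

# allow the staff_t to configure the NetLabel subsystem
#   NOTE: this should be sysadm_t or some other domain but staff_t is handy
#         for testing right now
#   NOTE: [/usr/local]/sbin/netlabelctl should be labeled "netlabelctl_exec_t"

# domain_entry_file(netlabelctl_t,netlabelctl_exec_t)
allow netlabelctl_t netlabelctl_exec_t:file entrypoint;
allow netlabelctl_t netlabelctl_exec_t:file { getattr read };

# domain_auto_trans(staff_t,netlabelctl_exec_t,netlabelctl_t)
#   executing netlabelctl_exec_t from staff_t switches the process to
#   netlabelctl_t; the dontaudit silences the usual transition-time noise
allow staff_t netlabelctl_exec_t:file { getattr read execute };
allow staff_t netlabelctl_t:process transition;
dontaudit staff_t netlabelctl_t:process { noatsecure siginh rlimitinh };
type_transition staff_t netlabelctl_exec_t:process netlabelctl_t;

# shared libraries (dynamic loader and its cache, plus the libs themselves)
allow netlabelctl_t etc_t:dir search;
allow netlabelctl_t { ld_so_cache_t ld_so_t }:file { getattr read };
allow netlabelctl_t lib_t:dir search;
allow netlabelctl_t lib_t:lnk_file { read };
allow netlabelctl_t shlib_t:file { getattr read execute };

# user i/o: inherit the caller's descriptors and talk to the staff tty
allow netlabelctl_t { staff_t local_login_t }:fd use;
allow netlabelctl_t staff_tty_device_t:chr_file { ioctl getattr read write };

# netlink communications with the kernel NetLabel subsystem
allow netlabelctl_t self:netlink_socket { create bind write read };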

# Build and install the sample NetLabel policy module.
#   make          -> netlabel.pp
#   make install  -> semodule -i netlabel.pp (loading into the policy store
#                    typically needs root)
#   make clean    -> remove the generated .mod and .pp

MOD  := netlabel
TE   := $(MOD).te
MODF := $(MOD).mod
PKG  := $(MOD).pp

.PHONY: all install clean

all: $(PKG)

# compile the source: -M/-m build an MLS-enabled, non-base module
# (see checkmodule(8))
$(MODF): $(TE)
	checkmodule -M -m $(TE) -o $(MODF)

# wrap the compiled module into a loadable package
$(PKG): $(MODF)
	semodule_package -m $(MODF) -o $(PKG)

# load the package into the running policy store
install: $(PKG)
	semodule -i $(PKG)

clean:
	$(RM) -f $(PKG) $(MODF)