[redhat-lspp] Netlabel/CIPSO toy policy module

Klaus Weidner klaus at atsec.com
Wed Jun 28 23:03:19 UTC 2006


Hello,

I've hacked together a very simple policy module to allow testing CIPSO
with MLS constraints, which was surprisingly easy once I found out where
to start... Kudos to Paul Moore and the Tresys folks for the code and
documentation!

With the following setup, labeled localhost networking in enforcing mode
works as expected, meaning that an "Unclassified" user can freely open a
local TCP connection to another "Unclassified" user's TCP socket, but a
"Secret" user's connection attempt is rejected.

I'm sure that there are many parts missing but I think this is a proof of
concept to show that the MLS constraints do their job without needing any
changes to the base policy. 

Here are the steps I used:

### set up the new policy module
cat > cipso.te <<__EOF__
	module cipso 1.0;

	require {
		type user_t, staff_t, sysadm_t;
		class udp_socket { name_bind create ioctl read getattr write
		                   setattr append bind connect getopt setopt
				   shutdown send_msg recv_msg node_bind };
		class tcp_socket { name_bind node_bind create ioctl read
		                   getattr write setattr append bind connect
				   getopt setopt shutdown listen accept
				   send_msg recv_msg };
	}

	allow {user_t staff_t sysadm_t} {user_t staff_t sysadm_t} :
	      tcp_socket { recv_msg };
	allow {user_t staff_t sysadm_t} {user_t staff_t sysadm_t} :
	      udp_socket { recv_msg };
__EOF__

checkmodule -M -m cipso.te -o cipso.mod
semodule_package -m cipso.mod -o cipso.pp
semodule -i cipso.pp

## configure CIPSO
##
## Make sure you use a local or serial console for testing, it will
## reject unlabeled packets from your SSH session (which is the entire
## point of CIPSO...)

setenforce 0
netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2
netlabelctl mgmt del default
netlabelctl mgmt add default protocol:cipsov4,1
netlabelctl unlbl accept off
setenforce 1

## now try some netcats
## (first session: listener at s1)
newrole -r sysadm_r -l s1-s1
nc -l 3333

## (second session: client at s2)
newrole -r sysadm_r -l s2-s2
nc localhost 3333

-Klaus
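
Added example, not part of the original post: a small Python model of what the "netlabelctl cipsov4 add std doi:1 tags:1 ..." line sets up, building and parsing a CIPSO IPv4 option (type 134) with a tag type 1 category bitmap and mapping it through the post's level/category tables. The function names are hypothetical, and may_receive() is a simplified dominance check standing in for the base policy's MLS constraints (an assumption, not the policy's exact rule).

```python
import struct

# Mapping from the post's netlabelctl line: doi:1, tags:1,
# levels:0=0,1=1,2=2 categories:0=0,1=1,2=2 (remote value -> local value).
DOI = 1
LEVELS = {0: 0, 1: 1, 2: 2}
CATS = {0: 0, 1: 1, 2: 2}

def build_option(level, cats, doi=DOI):
    """Build a CIPSO IPv4 option (type 134) with one tag type 1 bitmap tag."""
    nbytes = (max(cats) // 8 + 1) if cats else 0
    bitmap = bytearray(nbytes)
    for c in cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)   # category 0 is the MSB of octet 0
    tag = bytes([1, 4 + nbytes, 0, level]) + bytes(bitmap)
    return bytes([134, 6 + len(tag)]) + struct.pack("!I", doi) + tag

def parse_option(opt):
    """Return (level, categories) in local terms, or raise ValueError."""
    if len(opt) < 10 or opt[0] != 134 or opt[1] != len(opt):
        raise ValueError("not a well-formed CIPSO option")
    (doi,) = struct.unpack("!I", opt[2:6])
    if doi != DOI:
        raise ValueError("unknown DOI %d" % doi)
    tag_type, tag_len, _align, level = opt[6:10]
    if tag_type != 1 or tag_len != len(opt) - 6:
        raise ValueError("unsupported or truncated tag")
    if level not in LEVELS:
        raise ValueError("level %d not in DOI mapping" % level)
    cats = set()
    for i, octet in enumerate(opt[10:]):
        for bit in range(8):
            if octet & (0x80 >> bit):
                remote = i * 8 + bit
                if remote not in CATS:
                    raise ValueError("category %d not in DOI mapping" % remote)
                cats.add(CATS[remote])
    return LEVELS[level], frozenset(cats)

def dominates(a, b):
    """MLS dominance: a's level >= b's and a's categories include b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def may_receive(receiver, opt):
    """Simplified stand-in for the policy check (assumption): unlabeled or
    unmapped packets are dropped, labeled ones need receiver to dominate."""
    try:
        return dominates(receiver, parse_option(opt))
    except ValueError:
        return False
```

With a receiver at s1, a packet built at level 1 is accepted and one built at level 2 is refused, matching the netcat result described in the post; an empty option models the unlabeled traffic that "unlbl accept off" drops.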
