[redhat-lspp] Netlabel/CIPSO toy policy module
Klaus Weidner
klaus at atsec.com
Wed Jun 28 23:03:19 UTC 2006
Hello,
I've hacked together a very simple policy module to allow testing CIPSO
with MLS constraints, which was surprisingly easy once I found out where
to start... Kudos to Paul Moore and the Tresys folks for the code and
documentation!
With the following setup, labeled localhost networking in enforcing mode
works as expected, meaning that a "Unclassified" user can freely open a
local TCP connection to another "Unclassified" user's TCP socket, but a
"Secret" user's connection attempt is rejected.
I'm sure that there are many parts missing, but I think this is a proof of
concept to show that the MLS constraints do their job without needing any
changes to the base policy.
Here are the steps I used:

### set up the new policy module

cat > cipso.te <<__EOF__
module cipso 1.0;

require {
    type user_t, staff_t, sysadm_t;
    class udp_socket { name_bind create ioctl read getattr write
                       setattr append bind connect getopt setopt
                       shutdown send_msg recv_msg node_bind };
    class tcp_socket { name_bind node_bind create ioctl read
                       getattr write setattr append bind connect
                       getopt setopt shutdown listen accept
                       send_msg recv_msg };
}

# Let each of these domains receive packets from each other over TCP/UDP;
# the MLS constraints in the base policy still decide whether the
# receiving socket's level dominates the packet's label.
allow { user_t staff_t sysadm_t } { user_t staff_t sysadm_t } :
    tcp_socket { recv_msg };
allow { user_t staff_t sysadm_t } { user_t staff_t sysadm_t } :
    udp_socket { recv_msg };
__EOF__

checkmodule -M -m cipso.te -o cipso.mod
semodule_package -m cipso.mod -o cipso.pp
semodule -i cipso.pp

## configure CIPSO
##
## Make sure you use a local or serial console for testing, it will
## reject unlabeled packets from your SSH session (which is the entire
## point of CIPSO...)

setenforce 0
netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2
netlabelctl mgmt del default
netlabelctl mgmt add default protocol:cipsov4,1
netlabelctl unlbl accept off
setenforce 1

## now try some netcats

# listener at s1 ("Unclassified")
newrole -r sysadm_r -l s1-s1
nc -l 3333

# client at s2 ("Secret"), in another console; this connection is rejected
newrole -r sysadm_r -l s2-s2
nc localhost 3333
-Klaus
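To make the labels in the test above concrete, here is an added Python example (not part of Klaus's post, nor code from the NetLabel or SELinux projects) that encodes and decodes the CIPSO IPv4 option (option type 134, tag type 1 "restricted bitmap") for DOI 1 using the identity level and category maps that the netlabelctl command above configures, and then applies a simplified dominance rule to show why an s1 listener accepts an s1 sender's packet but not an s2 sender's. The receiver_dominates function and its rule are an assumption made here for illustration; the kernel's actual decision goes through the socket's MLS label and the policy's constraints, not through this function.

```python
"""Encode/decode a CIPSO IPv4 option (tag type 1) and check label dominance.

Added example, not part of the original post.  Assumes the DOI/tag setup from
the netlabelctl command in the post (doi:1, tags:1, identity level and
category maps for 0..2) and a simplified dominance rule for the receiver.
"""
import struct

CIPSO_OPT_TYPE = 134          # IPv4 option type for CIPSO (FIPS 188)
TAG_RESTRICTED_BITMAP = 1     # tag type 1: level byte + category bitmap
MAX_OPTION_LEN = 40           # IPv4 options can never exceed 40 bytes

# Identity maps as configured by "levels:0=0,1=1,2=2 categories:0=0,1=1,2=2".
LEVEL_MAP = {0: 0, 1: 1, 2: 2}        # local MLS level -> CIPSO level
CATEGORY_MAP = {0: 0, 1: 1, 2: 2}     # local category  -> CIPSO category
LEVEL_UNMAP = {v: k for k, v in LEVEL_MAP.items()}
CATEGORY_UNMAP = {v: k for k, v in CATEGORY_MAP.items()}


def encode_cipso(doi, level, categories):
    """Return the raw bytes of a CIPSO option carrying one tag-type-1 tag."""
    nbytes = (max(categories) // 8 + 1) if categories else 0
    bitmap = bytearray(nbytes)
    for cat in categories:
        # Bit 0 is the most significant bit of the first bitmap octet.
        bitmap[cat // 8] |= 0x80 >> (cat % 8)
    # tag: type, length, alignment octet (0), sensitivity level, bitmap
    tag = bytes([TAG_RESTRICTED_BITMAP, 4 + nbytes, 0, level]) + bytes(bitmap)
    body = struct.pack("!I", doi) + tag
    option = bytes([CIPSO_OPT_TYPE, 2 + len(body)]) + body
    if len(option) > MAX_OPTION_LEN:
        raise ValueError("label does not fit in an IPv4 option")
    return option


def decode_cipso(option):
    """Parse a CIPSO option into (doi, cipso_level, sorted category list).

    Malformed input raises ValueError; a receiver should drop such a packet
    rather than guess at its label.
    """
    if len(option) < 6 or option[0] != CIPSO_OPT_TYPE:
        raise ValueError("not a CIPSO option")
    opt_len = option[1]
    if opt_len != len(option) or opt_len > MAX_OPTION_LEN:
        raise ValueError("bad option length")
    doi = struct.unpack("!I", option[2:6])[0]
    pos, result = 6, None
    while pos < opt_len:
        if pos + 2 > opt_len:
            raise ValueError("truncated tag header")
        tag_type, tag_len = option[pos], option[pos + 1]
        if tag_len < 4 or pos + tag_len > opt_len:
            raise ValueError("bad tag length")
        if tag_type == TAG_RESTRICTED_BITMAP:
            level = option[pos + 3]
            cats = []
            for i, byte in enumerate(option[pos + 4:pos + tag_len]):
                for bit in range(8):
                    if byte & (0x80 >> bit):
                        cats.append(i * 8 + bit)
            result = (doi, level, cats)
        pos += tag_len
    if result is None:
        raise ValueError("no supported tag present")
    return result


def receiver_dominates(recv_level, recv_cats, option):
    """Simplified MLS rule (an assumption of this example): the receiver may
    take the packet only if its level is >= the packet level and its category
    set contains the packet's categories, after unmapping through DOI 1."""
    doi, cipso_level, cipso_cats = decode_cipso(option)
    if doi != 1:
        return False                      # unknown DOI: treat as unlabeled
    if cipso_level not in LEVEL_UNMAP or any(c not in CATEGORY_UNMAP for c in cipso_cats):
        return False                      # label outside the configured maps
    pkt_level = LEVEL_UNMAP[cipso_level]
    pkt_cats = {CATEGORY_UNMAP[c] for c in cipso_cats}
    return recv_level >= pkt_level and pkt_cats <= set(recv_cats)


if __name__ == "__main__":
    # Constructed labels mirroring the post: listener at s1, senders at s1/s2.
    from_s1 = encode_cipso(1, 1, [])
    from_s2 = encode_cipso(1, 2, [])
    print("wire bytes from s1:", from_s1.hex(), "->", decode_cipso(from_s1))
    print("s1 listener accepts s1 sender:", receiver_dominates(1, [], from_s1))
    print("s1 listener accepts s2 sender:", receiver_dominates(1, [], from_s2))
```

The encoder and decoder are byte-exact for tag type 1, so the hex printed by the script is what a packet capture of the labeled localhost traffic would show in the IP options field; the dominance helper is only there to make the accept/reject outcome of the netcat test visible without a labeled kernel.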