
Re: [redhat-lspp] Netlabel/CIPSO toy policy module



Klaus, we love you ;)


On Wed, 2006-06-28 at 18:03 -0500, Klaus Weidner wrote:
> Hello,
> 
> I've hacked together a very simple policy module to allow testing CIPSO
> with MLS constraints, which was surprisingly easy once I found out where
> to start... Kudos to Paul Moore and the Tresys folks for the code and
> documentation!
> 
> With the following setup, labeled localhost networking in enforcing mode
> works as expected, meaning that a "Unclassified" user can freely open a
> local TCP connection to another "Unclassified" user's TCP socket, but a
> "Secret" user's connection attempt is rejected.
> 
> I'm sure that there are many parts missing but I think this is a proof of
> concept to show that the MLS constraints do their job without needing any
> changes to the base policy. 
> 
> Here are the steps I used:
> 
> ### set up the new policy module
> cat > cipso.te <<__EOF__
> 	module cipso 1.0;
> 
> 	require {
> 		type user_t, staff_t, sysadm_t;
> 		class udp_socket { name_bind create ioctl read getattr write
> 		                   setattr append bind connect getopt setopt
> 		                   shutdown send_msg recv_msg node_bind };
> 		class tcp_socket { name_bind node_bind create ioctl read
> 		                   getattr write setattr append bind connect
> 		                   getopt setopt shutdown listen accept
> 		                   send_msg recv_msg };
> 	}
> 
> 	allow {user_t staff_t sysadm_t} {user_t staff_t sysadm_t} :
> 	      tcp_socket { recv_msg };
> 	allow {user_t staff_t sysadm_t} {user_t staff_t sysadm_t} :
> 	      udp_socket { recv_msg };
> __EOF__
> 
> checkmodule -M -m cipso.te -o cipso.mod
> semodule_package -m cipso.mod -o cipso.pp
> semodule -i cipso.pp
> 
> ## configure CIPSO
> ##
> ## Make sure you use a local or serial console for testing, it will
> ## reject unlabeled packets from your SSH session (which is the entire
> ## point of CIPSO...)
> 
> setenforce 0
> netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2
> netlabelctl mgmt del default
> netlabelctl mgmt add default protocol:cipsov4,1
> netlabelctl unlbl accept off
> setenforce 1
> 
> ## now try some netcats
> newrole -r sysadm_r -l s1-s1
> nc -l 3333
> 
> newrole -r sysadm_r -l s2-s2
> nc localhost 3333
> 
> -Klaus
> 
> --
> redhat-lspp mailing list
> redhat-lspp redhat com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
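As an added example (not part of Klaus's post or of the netlabel tools), the following Python models what the `netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2` line sets up: a CIPSO option carrying one tag-type-1 (restricted bitmap) tag for DOI 1 with the identity level/category mapping, encoded and decoded, plus the MLS dominance check that the recv_msg constraint applies, so the "s1 listener, s2 connector is rejected" outcome can be reproduced offline. Function names and the socket-label tuple shape are assumptions of this example.

```python
import struct

CIPSO_OPT_TYPE = 134  # IPv4 option number for CIPSO
TAG_RBM = 1           # tag type 1: sensitivity level + restricted category bitmap

# Identity mappings from the netlabelctl line quoted above (local -> wire)
DOI = 1
LEVEL_MAP = {0: 0, 1: 1, 2: 2}
CAT_MAP = {0: 0, 1: 1, 2: 2}
LEVEL_UNMAP = {v: k for k, v in LEVEL_MAP.items()}
CAT_UNMAP = {v: k for k, v in CAT_MAP.items()}

def build_cipso(level, cats=(), doi=DOI):
    """Encode local (level, categories) as a CIPSO option with one tag-1 tag."""
    bitmap = bytearray()
    for c in cats:
        byte_i, bit_i = divmod(CAT_MAP[c], 8)
        if byte_i >= len(bitmap):
            bitmap.extend(b"\x00" * (byte_i + 1 - len(bitmap)))
        bitmap[byte_i] |= 0x80 >> bit_i  # category 0 is the MSB of octet 0
    if len(bitmap) > 30:
        raise ValueError("tag type 1 carries at most 30 bitmap octets")
    # tag: type, length (incl. these 4 octets), alignment octet, level, bitmap
    tag = bytes([TAG_RBM, 4 + len(bitmap), 0, LEVEL_MAP[level]]) + bytes(bitmap)
    # option: type, total length, 32-bit DOI, tags
    return bytes([CIPSO_OPT_TYPE, 6 + len(tag)]) + struct.pack("!I", doi) + tag

def parse_cipso(opt):
    """Decode an option built as above into (doi, local level, local category set)."""
    if len(opt) < 6 or opt[0] != CIPSO_OPT_TYPE or opt[1] != len(opt):
        raise ValueError("malformed CIPSO option")
    doi, = struct.unpack("!I", opt[2:6])
    tag = opt[6:]
    if len(tag) < 4 or tag[0] != TAG_RBM or tag[1] != len(tag):
        raise ValueError("malformed tag")
    wire_cats = {i * 8 + b for i, octet in enumerate(tag[4:])
                 for b in range(8) if octet & (0x80 >> b)}
    return doi, LEVEL_UNMAP[tag[3]], {CAT_UNMAP[c] for c in wire_cats}

def dominates(a, b):
    """MLS dominance: a=(level, cats) dominates b if level >= and cats superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def socket_may_receive(sock_label, pkt_opt):
    """Model of the recv_msg constraint: the socket's label must dominate the packet's."""
    doi, level, cats = parse_cipso(pkt_opt)
    return doi == DOI and dominates(sock_label, (level, cats))
```

With an s1-s1 listener (`(1, set())`) and a packet built for level 2, `socket_may_receive` returns False, matching the rejected connection in the test above.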

