[redhat-lspp] Updated NetLabel patch

Paul Moore paul.moore at hp.com
Thu Jun 15 16:22:03 UTC 2006 

Stephen Smalley wrote:
> On Wed, 2006-06-14 at 17:00 -0400, Paul Moore wrote:
>>After your previous mail and before this one, I changed the rcv_skb()
>>code a bit so that I dropped my changes to xfrm.c and rewrote the bottom
>>of selinux_socket_sock_rcv_skb() to look like this:
>>
>>	err = security_netlbl_skbuff_getsid(skb,
>>					    sock_sid,
>>					    &netlbl_sid);
>>	if (err)
>>		goto out;
>>
>>	if (netlbl_sid != SECSID_NULL &&
>>            netlbl_sid != SECINITSID_UNLABELED) {
>>		err = avc_has_perm(sock_sid,
>>				   netlbl_sid,
>>				   sock_class,
>>				   recv_perm,
>>				   &ad);
>>		if (err) {
>>			security_netlbl_skbuff_err(skb, err);
>>			goto out;
>>		}
>>	}
> 
> 
> I would think you could collapse the above into a single function call
> to netlabel, as with the xfrm call.  Something like:
> 	err = selinux_netlabel_sock_rcv_skb(sock_sid, sock_class, ad, skb);
> 	if (err)
> 		goto out;

That would make sense wouldn't it ;)

> BTW, you are overloading the meaning of recv_msg permissions above.
> Although I suppose the port-based ones are going away due to secmark.  I
> suppose there is no overlap in the type space.

Yes, but it seems like a logical extension to the recv_msg permission.
I can add a new permission if it makes sense (I'm a little unclear as to
which you would prefer).

>>... it still uses relies on the xfrm unlabeled check but does so much
>>more cleanly then before.  Although it sounds like you want a separate
>>NetLabel unlabeled check; earlier patches had one but I dropped it due
>>to backward compatability concerns from RH (they didn't want to have to
>>force new policy with a new kernel).  Using sysctl variables was
>>mentioned but that still seems a bit awkward to me as this would be the
>>only LSM/SELinux sysctl variable (at least sysctl -a doesn't show
>>anything), but then again if that is the only solution left ...
> 
> No, we'd either use selinuxfs or a generic mechanism in the module for
> discovering the set of permissions understood by the policy and then
> bypassing checks that are not yet understood by the current policy.
> 

Hmm.  I haven't looked at the selinuxfs bits in much detail yet to even
see how something like that would work but I'll look into it as that
seems like a much better solution than the sysctl approach.

>>I guess the other question that needs to be asked at some point is will
>>RH be willing to take the NetLabel patch for RHEL5 if it doesn't hit
>>2.6.18?  The gist I have gotten so far is "probably not" but I'm about
>>as qualified to make that call as I am to play on the US World Cup team.
>  
> Likewise for me ;)  I'd suspect that they might take it as long as it
> _is_ accepted for 2.6.19; the main issue is not wanting to have to
> maintain code that has no upstream potential forever, IIUC.  But I don't
> make the call obviously.
> 

I guess we should stick to writing code then :)

>>Okay, let me rewind a bit since I'm pretty sure I got the discussion a
>>bit out of whack.  Take the all to familiar telnet-being-run-from-xinetd
>>case as an example (using only MLS levels).  My understanding is that
>>the xinetd daemon runs from s0-s15 so while it is running at s0 it is
>>cleared up to s15, therefore it should be able to receive packets as
>>level s8 and assuming policy supports it (and xinetd gets patched) it
>>should be able to fork a telnetd instance at s8 to handle the incoming
>>traffic.
>>
>>The problem I am facing is how to set the IP options on the accept()'ed
>>socket to s8?
> 
> How is this being handled in the xfrm case (TCS folks cc'd)?  The
> parallel is selection of the appropriate outbound SA for an accept'd
> socket.
> 

I don't believe it is currently being addressed in the xfrm case either
as it came up during the LSPP call two weeks ago.  If I remember
correctly they were planning on relabeling the socket too ...

>
> Where do you check that the socket is allowed to emit packets at that
> level?  What does it mean to dynamically switch the label of that socket
> when xinetd still holds a reference to it and can receive or generate
> traffic on it?
>  

I thought that protecting the relabel with a relabelto check would
suffice to ensure that unwanted socket relabeling was protected.
However, based on your comments I'm guessing that I'm not understanding
something very fundamental here ...

-- 
paul moore
linux security @ hp

More information about the redhat-lspp mailing list