2009-08-28 21:13:00

by Paul Moore

Subject: [refpolicy] [PATCH 0/2] Policy support for the new TUN hooks

Second, and hopefully final, version of the SELinux policy for the new TUN
hooks. This version includes all the feedback from Chris discussed on the
list as well as my sign-off.

---

Paul Moore (2):
refpol: Policy for the new TUN driver access controls
refpol: Add the "tun_socket" object class flask definitions


policy/flask/access_vectors | 2 ++
policy/flask/security_classes | 2 ++
policy/modules/admin/vpn.te | 1 +
policy/modules/apps/qemu.if | 3 +++
policy/modules/apps/uml.te | 6 ++++++
policy/modules/services/openvpn.te | 1 +
policy/modules/services/virt.if | 19 +++++++++++++++++++
policy/modules/services/virt.te | 1 +
policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++
policy/modules/system/userdomain.te | 2 ++
10 files changed, 60 insertions(+), 0 deletions(-)


2009-08-28 21:13:06

by Paul Moore

Subject: [refpolicy] [PATCH 1/2] refpol: Add the "tun_socket" object class flask definitions

Add the new "tun_socket" class to the flask definitions. The "tun_socket"
object class is used by the new TUN driver hooks which allow policy to control
access to TUN/TAP devices.

Signed-off-by: Paul Moore <[email protected]>
---

policy/flask/access_vectors | 2 ++
policy/flask/security_classes | 2 ++
2 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index ef4c063..6292db5 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -251,6 +251,8 @@ inherits socket
class unix_dgram_socket
inherits socket

+class tun_socket
+inherits socket

#
# Define the access vector interpretation for process-related objects
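Review bot: a one-line comment above the new `class tun_socket` entry would help here, because the class inherits the whole common socket vector while the hooks this series targets only exercise `create`, `relabelfrom` and `relabelto` (per the 2/2 commit message); saying so tells policy writers which permissions are actually checked when they see an AVC denial on this class.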
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 9e1bf1a..2bd1bf6 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -119,4 +119,6 @@ class x_application_data # userspace
# kernel services that need to override task security, e.g. cachefiles
class kernel_service

+class tun_socket
+
# FLASK
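Review bot: the neighbouring entries carry a short description (`# userspace` on `x_application_data`, the cachefiles comment on `kernel_service`); the new `class tun_socket` line should get a matching one-liner stating that it labels TUN/TAP device access. Appending it at the end of the list rather than beside the other socket classes is the right call, since it leaves the existing class order untouched.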

2009-08-28 21:13:12

by Paul Moore

Subject: [refpolicy] [PATCH 2/2] refpol: Policy for the new TUN driver access controls

Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices. The policy rules for creating and attaching to a device are as
shown below:

# create a new device
allow domain_t self:tun_socket { create };

# attach to a persistent device (created by tunlbl_t)
allow domain_t tunlbl_t:tun_socket { relabelfrom };
allow domain_t self:tun_socket { relabelto };

Further discussion can be found on this thread:

* http://marc.info/?t=125080850900002&r=1&w=2

Signed-off-by: Paul Moore <[email protected]>
---

policy/modules/admin/vpn.te | 1 +
policy/modules/apps/qemu.if | 3 +++
policy/modules/apps/uml.te | 6 ++++++
policy/modules/services/openvpn.te | 1 +
policy/modules/services/virt.if | 19 +++++++++++++++++++
policy/modules/services/virt.te | 1 +
policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++
policy/modules/system/userdomain.te | 2 ++
8 files changed, 56 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 11c2dcc..52cf380 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -31,6 +31,7 @@ allow vpnc_t self:udp_socket create_socket_perms;
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
allow vpnc_t self:unix_stream_socket create_socket_perms;
+allow vpnc_t self:tun_socket create;
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
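Review bot: this hunk grants `create` only, so vpnc_t can open a fresh TUN device but cannot attach to a persistent one set up by an administrator, which per the commit message needs `relabelfrom` on admin_tun_type plus `relabelto` on self (compare the qemu.if and uml.te hunks). If that restriction is intended, a comment next to the rule would pre-empt a later "vpnc cannot reuse tun0" report; if not, add `userdom_attach_admin_tun_iface(vpnc_t)`.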

diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index d258f1d..71f2423 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -149,6 +149,7 @@ template(`qemu_domain_template',`
allow $1_t self:shm create_shm_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:tun_socket create;

manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
@@ -190,6 +191,7 @@ template(`qemu_domain_template',`
sysnet_read_config($1_t)

userdom_use_user_terminals($1_t)
+ userdom_attach_admin_tun_iface($1_t)

optional_policy(`
samba_domtrans_smbd($1_t)
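Review bot: `userdom_attach_admin_tun_iface($1_t)` is called unconditionally, so every domain instantiated from qemu_domain_template receives `relabelfrom` on all of admin_tun_type, i.e. it may take over any persistent TUN device any administrative user has created, not only the one prepared for that guest. A single attribute cannot express a finer boundary, which is fine, but the granularity ("all admin users' devices") deserves a comment here or in the interface summary so deployers know what they are granting.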
@@ -199,6 +201,7 @@ template(`qemu_domain_template',`
virt_manage_images($1_t)
virt_read_config($1_t)
virt_read_lib_files($1_t)
+ virt_attach_tun_iface($1_t)
')

optional_policy(`
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 05e871c..a677710 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -60,6 +60,7 @@ allow uml_t self:unix_dgram_socket create_socket_perms;
# Use the network.
allow uml_t self:tcp_socket create_stream_socket_perms;
allow uml_t self:udp_socket create_socket_perms;
+allow uml_t self:tun_socket create;
# for mconsole
allow uml_t self:unix_dgram_socket sendto;

@@ -135,11 +136,16 @@ seutil_use_newrole_fds(uml_t)
sysnet_read_config(uml_t)

userdom_use_user_terminals(uml_t)
+userdom_attach_admin_tun_iface(uml_t)

optional_policy(`
nis_use_ypbind(uml_t)
')

+optional_policy(`
+ virt_attach_tun_iface(uml_t)
+')
+
########################################
#
# Local policy
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index a4e2db2..99149f0 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -49,6 +49,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;
+allow openvpn_t self:tun_socket create;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;

can_exec(openvpn_t, openvpn_etc_t)
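Review bot: same question as for vpnc_t: only `create` is granted, so openvpn_t cannot attach to a persistent device pre-created by an admin domain. If persistent devices are meant to be supported, the domain also needs `userdom_attach_admin_tun_iface(openvpn_t)`; otherwise a comment documenting the limitation next to the rule would help.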
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 8dc8acf..b24099a 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -327,3 +327,22 @@ interface(`virt_admin',`

virt_manage_log($1)
')
+
+########################################
+## <summary>
+## Allow domain to attach to virt TUN devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_attach_tun_iface',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
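Review bot: the `<summary>` reads "attach to virt TUN devices", but the rule specifically grants `relabelfrom` on tun_socket objects labelled virtd_t and `relabelto` on self; naming the type in the summary makes it clear to someone grepping the interfaces exactly what a caller ends up with. The `gen_require` block is correct as written.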
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index b2fd700..a51755e 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -58,6 +58,7 @@ allow virtd_t self:process { getsched sigkill signal execmem };
allow virtd_t self:fifo_file rw_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
+allow virtd_t self:tun_socket create;

read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 49ac3fd..887c3a4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1042,6 +1042,7 @@ template(`userdom_unpriv_user_template', `
#
template(`userdom_admin_user_template',`
gen_require(`
+ attribute admin_tun_type;
class passwd { passwd chfn chsh rootok };
')

@@ -1077,6 +1078,9 @@ template(`userdom_admin_user_template',`

allow $1_t self:netlink_audit_socket nlmsg_readpriv;

+ allow $1_t self:tun_socket create;
+ typeattribute $1_t admin_tun_type;
+
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
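Review bot: the `typeattribute $1_t admin_tun_type;` line is what turns every admin user type into a valid `relabelfrom` source for callers of `userdom_attach_admin_tun_iface`, and placing it with the `create` rule after the netlink_audit rule matches the file's layout. One question: admin users get `create` only, so by the pattern in the commit message they cannot themselves attach to a persistent device created by another admin type; if administrators are expected to re-open each other's persistent devices, the template also needs `relabelfrom` on admin_tun_type and `relabelto` on self.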
@@ -3027,3 +3031,22 @@ interface(`userdom_dbus_send_all_users',`

allow $1 userdomain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Allow domain to attach to TUN devices created by administrative users.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_attach_admin_tun_iface',`
+ gen_require(`
+ attribute admin_tun_type;
+ ')
+
+ allow $1 admin_tun_type:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
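Review bot: the doc block is fine; one style point is that this interface and `virt_attach_tun_iface` in virt.if both grant the same `relabelto` on self, so a caller that uses both (qemu, uml) carries that rule twice. The compiler does not mind, but moving the self `relabelto` into the callers' local policy beside their `create` rule would keep each interface down to the cross-domain permission it is named for.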
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 48e9070..aff080b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -58,6 +58,8 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;

+attribute admin_tun_type;
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
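The create/attach rule pattern described in the 2/2 commit message, modelled in Python as an added example (not refpolicy code and not the kernel's actual checker): a small reader for `allow`/`typeattribute` lines that resolves `self` and attributes, then answers whether a domain may create a TUN device or attach to a persistent one created by another type. The policy text, the type names such as `qemu_t`, and the function names are constructed for illustration.

```python
import re

# Constructed mini-policy using the rule shapes from this patch series;
# qemu_t stands in for a qemu_domain_template instantiation.
POLICY = """
attribute admin_tun_type;
typeattribute sysadm_t admin_tun_type;
allow sysadm_t self:tun_socket { create };
allow virtd_t self:tun_socket create;
allow openvpn_t self:tun_socket create;
allow qemu_t self:tun_socket create;
allow qemu_t admin_tun_type:tun_socket relabelfrom;
allow qemu_t virtd_t:tun_socket relabelfrom;
allow qemu_t self:tun_socket relabelto;
"""

ALLOW = re.compile(r"allow (\w+) (\w+):tun_socket \{?\s*([\w\s]+?)\s*\}?;")
TYPEATTR = re.compile(r"typeattribute (\w+) (\w+);")


def load(policy):
    """Return (attribute -> member types, set of (src, tgt, perm) rules)."""
    attrs, allows = {}, set()
    for line in policy.strip().splitlines():
        if m := TYPEATTR.match(line.strip()):
            attrs.setdefault(m.group(2), set()).add(m.group(1))
        elif m := ALLOW.match(line.strip()):
            src, tgt, perms = m.groups()
            allows.update((src, tgt, p) for p in perms.split())
    return attrs, allows


def allowed(attrs, allows, src, tgt, perm):
    """A rule matches if its target is tgt itself, 'self' (meaning src),
    or an attribute that tgt has been assigned to."""
    return any(s == src and p == perm and
               (t == tgt or (t == "self" and tgt == src) or tgt in attrs.get(t, ()))
               for s, t, p in allows)


def can_create(policy, domain):
    """Creating a new TUN device: create on the domain's own tun_socket."""
    attrs, allows = load(policy)
    return allowed(attrs, allows, domain, domain, "create")


def can_attach(policy, domain, creator):
    """Attaching to a persistent device relabels its tun_socket from the
    creator's type to the attacher: relabelfrom on creator AND relabelto on self."""
    attrs, allows = load(policy)
    return (allowed(attrs, allows, domain, creator, "relabelfrom")
            and allowed(attrs, allows, domain, domain, "relabelto"))
```

Note that `can_attach("openvpn_t", "sysadm_t")` is false for the same reason the review notes raise for the vpn.te and openvpn.te hunks: `create` alone never satisfies the attach check.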

2009-08-31 13:04:38

by cpebenito

Subject: [refpolicy] [PATCH 0/2] Policy support for the new TUN hooks

On Fri, 2009-08-28 at 17:13 -0400, Paul Moore wrote:
> Second, and hopefully final, version of the SELinux policy for the new TUN
> hooks. This version includes all the feedback from Chris discussed on the
> list as well as my sign-off.

Merged.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150