2011-03-21 06:48:17

by harrytaurus2002

Subject: [refpolicy] Socket labeling support for syslogd_t and setrans_t


Hi Chris,

Now that the patches for socket-labeling support have been merged into Linus' kernel tree, I think it's time to submit the attached patches to have the sockets created by the syslogd_t and setrans_t domains have a separate type from their creator, so that we won't have to add the syslogd_t or setrans_t domains to the mlstrustedobject attribute in order to have domains at mls_systemlow communicate with their sockets at mls_systemhigh.

Please find them in the attachments. Below are some simple tests I've done.

Looking forward to your comments, thanks a lot!

Best regards,
Harry

------------------------

[root/sysadm_r/s0 at setrans]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 25
Policy from config file: refpolicy-mls
[root/sysadm_r/s0 at setrans]# run_init /etc/init.d/mcstrans start
Authenticating root.
Password:
Starting mcstransd: [ OK ]
[root/sysadm_r/SystemLow at setrans]# syshigh "ps Z -C mcstransd"
Password:
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:setrans_t:SystemHigh 828 ? Ss 0:00 mcstransd
[root/sysadm_r/SystemLow at setrans]# compute_create system_u:system_r:setrans_t:SystemHigh system_u:system_r:setrans_t:SystemHigh unix_stream_socket
system_u:system_r:setrans_s_t:SystemHigh
[root/sysadm_r/SystemLow at setrans]# compute_create system_u:system_r:setrans_t:SystemHigh system_u:system_r:setrans_t:SystemHigh unix_dgram_socket
system_u:system_r:setrans_t:SystemHigh
[root/sysadm_r/SystemLow at setrans]#
[root/sysadm_r/SystemLow at setrans]# syshigh "ps Z -C syslogd"
Password:
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:syslogd_t:SystemHigh 395 ? Ss 0:00 syslogd -m 0
[root/sysadm_r/SystemLow at setrans]# compute_create system_u:system_r:syslogd_t:SystemHigh system_u:system_r:syslogd_t:SystemHigh unix_dgram_socket
system_u:system_r:syslogd_s_t:SystemHigh
[root/sysadm_r/SystemLow at setrans]# compute_create system_u:system_r:syslogd_t:SystemHigh system_u:system_r:syslogd_t:SystemHigh unix_stream_socket
system_u:system_r:syslogd_t:SystemHigh
[root/sysadm_r/SystemLow at setrans]#
[root/sysadm_r/SystemLow at setrans]# run_init /etc/init.d/mcstrans stop
Authenticating root.
Password:
Stopping mcstransd: [ OK ]
[root/sysadm_r/s0 at setrans]# audhigh "ausearch -ts recent -sv no"
Password:
<no matches>
[root/sysadm_r/s0 at setrans]#

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Specify-a-separate-socket-type-for-syslogd_t.patch
Type: text/x-patch
Size: 3666 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110321/ff42105c/attachment-0003.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Allow-setrans_t-to-read-from-proc-filesystems.patch
Type: text/x-patch
Size: 1638 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110321/ff42105c/attachment-0004.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Specify-a-separate-socket-type-for-setrans_t.patch
Type: text/x-patch
Size: 3021 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110321/ff42105c/attachment-0005.bin
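The policy shape behind the compute_create results above, written out as an added illustration; it is not the attached 0001 patch, which is not reproduced on this page. syslogd_t, syslogd_s_t and the unix_dgram_socket class come from the message; the module name, the permission sets, the simplified logging_send_syslog_msg() interface and the use of mls_trusted_object() on the socket type are my assumptions about how such a change would be expressed in refpolicy. The setrans_t case is the same pattern with unix_stream_socket and setrans_s_t.

```selinux
# Added example, not the attached patch. Module name, permission sets and
# the simplified interface are assumptions; syslogd_t, syslogd_s_t and the
# socket class match the compute_create output in the message above.
policy_module(syslogd_socket_example, 1.0.0)

gen_require(`
	type syslogd_t;
')

########################################
#
# Declarations
#

# Object type for the datagram socket syslogd_t listens on. It is not a
# domain, so it is never the subject of a constraint and never needs to
# be granted a subject-side MLS exemption.
type syslogd_s_t;

# Only the socket type carries the trusted-object exemption. A SystemLow
# sender may then sendto the SystemHigh socket labeled syslogd_s_t while
# syslogd_t itself stays out of mlstrustedobject.
mls_trusted_object(syslogd_s_t)

########################################
#
# Local policy
#

# Socket labeling: sockets that syslogd_t creates for itself are labeled
# syslogd_s_t. The target of the rule is the creating domain, which is why
# the test above runs compute_create syslogd_t syslogd_t unix_dgram_socket.
# The socket still inherits the daemon's range (SystemHigh in the test).
type_transition syslogd_t syslogd_t:unix_dgram_socket syslogd_s_t;

# The daemon must still be able to create, bind and read its own socket,
# which is now a different type from itself.
allow syslogd_t syslogd_s_t:unix_dgram_socket { create_socket_perms sendto };

########################################
#
# Interface for client domains (would live in logging.if). Simplified:
# the real refpolicy interface grants sendto on syslogd_t and also covers
# the /dev/log socket file; with socket labeling the target becomes the
# socket type instead of the domain.
#
interface(`logging_send_syslog_msg',`
	gen_require(`
		type syslogd_s_t;
	')

	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 syslogd_s_t:unix_dgram_socket sendto;
')
```

After loading a module like this, the check to make is the one the message already shows: compute_create on the daemon's own context for the socket class should return the new socket type, and ausearch should show no new AVC denials for clients sending to the socket.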


2011-03-23 13:29:29

by cpebenito

Subject: [refpolicy] Socket labeling support for syslogd_t and setrans_t

On 03/21/11 02:48, HarryCiao wrote:
> Now that the patches for socket-labeling support have been merged into
> Linus' kernel tree, I think it's time to submit the attached patches to
> have the sockets created by the syslogd_t and setrans_t domains have a
> separate type from their creator, so that we won't have to add the
> syslogd_t or setrans_t domains to the mlstrustedobject attribute in
> order to have domains at mls_systemlow communicate with their sockets
> at mls_systemhigh.

I guess I misunderstood what you intended with that kernel support. I
think the policy patches add unnecessary complexity. It makes more
sense to adjust the MLS constraint for unix_stream_socket connectto and
unix_dgram_socket sendto to change the t2=mlstrustedobject exemption to
something else. In this case it makes more sense to make a new
attribute, e.g.

mlsconstrain unix_stream_socket connectto
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or
( t2 == mlstrustedreceiver ));

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
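Chris's alternative written out as it would land in refpolicy's MLS files, added here as an illustration rather than taken from the thread. The unix_stream_socket connectto body is the one in his message; the matching unix_dgram_socket sendto constraint, the mls_trusted_receiver() interface name and the file locations are assumptions based on how refpolicy lays out policy/mls, mls.te and mls.if.

```selinux
# Added example of the attribute-based alternative; not a refpolicy patch.
# File locations, the interface name and the sendto constraint are
# assumptions; the connectto body is the one given in the reply above.

# policy/modules/kernel/mls.te: declare the new attribute next to the
# existing mlsnetwrite* and mlstrustedobject declarations.
attribute mlstrustedreceiver;

# policy/modules/kernel/mls.if: let a module opt a domain in without
# handing it the much wider mlstrustedobject exemption, which also appears
# in the constraints on files, directories and other objects.
interface(`mls_trusted_receiver',`
	gen_require(`
		attribute mlstrustedreceiver;
	')

	typeattribute $1 mlstrustedreceiver;
')

# policy/mls: only the last disjunct changes. A peer at a different level
# can still connect to or send to the socket only when the socket's owning
# type is a trusted receiver; mlstrustedobject no longer exempts these
# two socket operations.
mlsconstrain { unix_stream_socket } { connectto }
	(( l1 eq l2 ) or
	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsnetwrite ) or
	 ( t2 == mlstrustedreceiver ));

mlsconstrain { unix_dgram_socket } { sendto }
	(( l1 eq l2 ) or
	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsnetwrite ) or
	 ( t2 == mlstrustedreceiver ));

# policy/modules/system/logging.te and setrans.te: opt the two daemons in.
# Their sockets keep the daemon's own type and SystemHigh range, so no
# socket type_transition and no extra object type are needed.
mls_trusted_receiver(syslogd_t)
mls_trusted_receiver(setrans_t)
```

The trade-off between the two approaches is scope: the new attribute grants exactly one exemption (peers at other levels may write to the domain's sockets), whereas a separate socket type isolates the socket from the domain in every class-specific rule but adds a type, a type_transition and interface changes for every client.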

2011-03-24 02:06:50

by harrytaurus2002

Subject: [refpolicy] Socket labeling support for syslogd_t and setrans_t


Hi Chris,

Thanks a lot for your comments. Now that the kernel supports type_transition for socket objects, we could have the socket labeled as a different type than its creator if such isolation is highly desirable, or create another MLS attribute for them as you suggested below. Either way leads to Rome :-)

Best regards,
Harry

> Date: Wed, 23 Mar 2011 09:29:29 -0400
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss1.tresys.com
> Subject: Re: Socket labeling support for syslogd_t and setrans_t
>
> On 03/21/11 02:48, HarryCiao wrote:
> > Now that the patches for socket-labeling support have been merged into
> > Linus' kernel tree, I think it's time to submit the attached patches to
> > have the sockets created by the syslogd_t and setrans_t domains have a
> > separate type from their creator, so that we won't have to add the
> > syslogd_t or setrans_t domains to the mlstrustedobject attribute in
> > order to have domains at mls_systemlow communicate with their sockets
> > at mls_systemhigh.
>
> I guess I misunderstood what you intended with that kernel support. I
> think the policy patches add unnecessary complexity. It makes more
> sense to adjust the MLS constraint for unix_stream_socket connectto and
> unix_dgram_socket sendto to change the t2=mlstrustedobject exemption to
> something else. In this case it makes more sense to make a new
> attribute, e.g.
>
> mlsconstrain unix_stream_socket connectto
> (( l1 eq l2 ) or
> (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
> (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> ( t1 == mlsnetwrite ) or
> ( t2 == mlstrustedreceiver ));
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
