* semanage interface has no effect
@ 2014-08-25 11:11 Stepan G. Fedorov
2014-08-25 12:18 ` Dominick Grift
2014-08-25 13:10 ` Stephen Smalley
0 siblings, 2 replies; 10+ messages in thread
From: Stepan G. Fedorov @ 2014-08-25 11:11 UTC (permalink / raw)
To: Selinux
Hello!
The goal of this experiment is to see whether allow rules for netif class objects are
working.
I use Debian wheezy with the MLS SELinux policy, in enforcing mode.
eth0 is the only network interface, except lo.
sesearch --allow -cnetif shows lots of allow rules for the netif_t target
type / netif target class.
I do:
1) I add a new type nginx_http_if_t with my own policy module;
2) semanage interface -a -t nginx_http_if_t -r s1:c0.c1023 eth0.
I expect: to see all processes in the system unable to read/write
packets from the eth0 interface.
I actually got: nothing changes - all networking works as it did
before changing the interface context.
What am I doing/understanding wrong?
Thank you!
--
Stepan G. Fedorov <StFedorov@gmail.com>
Tel: +7-965-750-91-91
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: semanage interface has no effect
2014-08-25 11:11 semanage interface has no effect Stepan G. Fedorov
@ 2014-08-25 12:18 ` Dominick Grift
2014-08-25 13:10 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2014-08-25 12:18 UTC (permalink / raw)
To: selinux
On Mon, Aug 25, 2014 at 03:11:03PM +0400, Stepan G. Fedorov wrote:
> Hello!
>
> The goal of this experiment is to see whether allow rules for netif class objects are
> working.
>
> I use Debian wheezy with the MLS SELinux policy, in enforcing mode.
>
> eth0 is the only network interface, except lo.
>
> sesearch --allow -cnetif shows lots of allow rules for the netif_t target type /
> netif target class.
>
> I do:
> 1) I add a new type nginx_http_if_t with my own policy module;
> 2) semanage interface -a -t nginx_http_if_t -r s1:c0.c1023 eth0.
>
> I expect: to see all processes in the system unable to read/write packets
> from the eth0 interface.
>
> I actually got: nothing changes - all networking works as it did before
> changing the interface context.
>
>
> What am I doing/understanding wrong?
I suspect that these controls may be legacy (net_compat?).
I may be wrong.
>
> Thank you!
>
> --
> Stepan G. Fedorov <StFedorov@gmail.com>
> Tel: +7-965-750-91-91
>
--
http://subkeys.pgp.net:11371/pks/lookup?search=0x02DFF788&op=index
Dominick Grift
* Re: semanage interface has no effect
2014-08-25 11:11 semanage interface has no effect Stepan G. Fedorov
2014-08-25 12:18 ` Dominick Grift
@ 2014-08-25 13:10 ` Stephen Smalley
2014-08-25 14:00 ` Stepan G. Fedorov
1 sibling, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2014-08-25 13:10 UTC (permalink / raw)
To: Stepan G. Fedorov, Selinux
On 08/25/2014 07:11 AM, Stepan G. Fedorov wrote:
> Hello!
>
> The goal of this experiment is to see whether allow rules for netif class objects are
> working.
>
> I use Debian wheezy with the MLS SELinux policy, in enforcing mode.
>
> eth0 is the only network interface, except lo.
>
> sesearch --allow -cnetif shows lots of allow rules for the netif_t target
> type / netif target class.
>
> I do:
> 1) I add a new type nginx_http_if_t with my own policy module;
> 2) semanage interface -a -t nginx_http_if_t -r s1:c0.c1023 eth0.
>
> I expect: to see all processes in the system unable to read/write
> packets from the eth0 interface.
>
> I actually got: nothing changes - all networking works as it did
> before changing the interface context.
>
>
> What am I doing/understanding wrong?
Legacy network checks are gone; use peer labeling or secmark instead,
http://paulmoore.livejournal.com/tag/documentation
* Re: semanage interface has no effect
2014-08-25 13:10 ` Stephen Smalley
@ 2014-08-25 14:00 ` Stepan G. Fedorov
2014-08-25 14:30 ` Paul Moore
0 siblings, 1 reply; 10+ messages in thread
From: Stepan G. Fedorov @ 2014-08-25 14:00 UTC (permalink / raw)
To: Selinux
On 25.08.2014 17:10, Stephen Smalley wrote:
> Legacy network checks are gone; use peer labeling or secmark instead,
> http://paulmoore.livejournal.com/tag/documentation
Thank you for quick reply!
On a "just installed" system, where no iptables SECMARK rules are
present and no labeled packets arrive on the network interface, what
will the SELinux contexts of all incoming packets be?
--
Stepan G. Fedorov <StFedorov@gmail.com>
Tel: +7-965-750-91-91
* Re: semanage interface has no effect
2014-08-25 14:00 ` Stepan G. Fedorov
@ 2014-08-25 14:30 ` Paul Moore
2014-08-25 14:36 ` Stephen Smalley
2014-08-25 14:46 ` Stepan G. Fedorov
0 siblings, 2 replies; 10+ messages in thread
From: Paul Moore @ 2014-08-25 14:30 UTC (permalink / raw)
To: Stepan G. Fedorov; +Cc: Selinux
On Mon, Aug 25, 2014 at 10:00 AM, Stepan G. Fedorov <stfedorov@gmail.com> wrote:
> On 25.08.2014 17:10, Stephen Smalley wrote:
>
>> Legacy network checks are gone; use peer labeling or secmark instead,
>> http://paulmoore.livejournal.com/tag/documentation
>
>
> Thank you for quick reply!
>
> On a "just installed" system, where no iptables SECMARK rules are present
> and no labeled packets arrive on the network interface, what will the SELinux
> contexts of all incoming packets be?
In this case the incoming packets would be labeled "unlabeled_t", just
like any other unlabeled data on the system.
--
paul moore
www.paul-moore.com
* Re: semanage interface has no effect
2014-08-25 14:30 ` Paul Moore
@ 2014-08-25 14:36 ` Stephen Smalley
2014-08-25 14:57 ` Stepan G. Fedorov
2014-08-25 14:46 ` Stepan G. Fedorov
1 sibling, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2014-08-25 14:36 UTC (permalink / raw)
To: Paul Moore, Stepan G. Fedorov; +Cc: Selinux
On 08/25/2014 10:30 AM, Paul Moore wrote:
> On Mon, Aug 25, 2014 at 10:00 AM, Stepan G. Fedorov <stfedorov@gmail.com> wrote:
>> On 25.08.2014 17:10, Stephen Smalley wrote:
>>
>>> Legacy network checks are gone; use peer labeling or secmark instead,
>>> http://paulmoore.livejournal.com/tag/documentation
>>
>>
>> Thank you for quick reply!
>>
>> On a "just installed" system, where no iptables SECMARK rules are present
>> and no labeled packets arrive on the network interface, what will the SELinux
>> contexts of all incoming packets be?
>
> In this case the incoming packets would be labeled "unlabeled_t", just
> like any other unlabeled data on the system.
...but the new network permission checks will not be applied
until/unless you configure secmark or labeled networking. Or set the
always_check_network policy capability to 1 for secmark, if your kernel
supports that.
* Re: semanage interface has no effect
2014-08-25 14:30 ` Paul Moore
2014-08-25 14:36 ` Stephen Smalley
@ 2014-08-25 14:46 ` Stepan G. Fedorov
2014-08-25 15:21 ` Stephen Smalley
1 sibling, 1 reply; 10+ messages in thread
From: Stepan G. Fedorov @ 2014-08-25 14:46 UTC (permalink / raw)
To: Paul Moore; +Cc: Selinux
> In this case the incoming packets would be labeled "unlabeled_t", just
> like any other unlabeled data on the system.
Can you please tell me where exactly I can see this in the Linux source
code, for better understanding?
--
Stepan G. Fedorov <StFedorov@gmail.com>
Tel: +7-965-750-91-91
* Re: semanage interface has no effect
2014-08-25 14:36 ` Stephen Smalley
@ 2014-08-25 14:57 ` Stepan G. Fedorov
2014-08-25 15:46 ` Christopher J. PeBenito
0 siblings, 1 reply; 10+ messages in thread
From: Stepan G. Fedorov @ 2014-08-25 14:57 UTC (permalink / raw)
To: Stephen Smalley, Paul Moore; +Cc: Selinux
> ...but the new network permission checks will not be applied
> until/unless you configure secmark or labeled networking. Or set the
> always_check_network policy capability to 1 for secmark, if your kernel
> supports that.
It seems I have no such capability. My /sys/fs/selinux/policy_capabilities/
contains only two files:
network_peer_controls
open_perms
--
Stepan G. Fedorov <StFedorov@gmail.com>
Tel: +7-965-750-91-91
* Re: semanage interface has no effect
2014-08-25 14:46 ` Stepan G. Fedorov
@ 2014-08-25 15:21 ` Stephen Smalley
0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2014-08-25 15:21 UTC (permalink / raw)
To: Stepan G. Fedorov, Paul Moore; +Cc: Selinux
On 08/25/2014 10:46 AM, Stepan G. Fedorov wrote:
>> In this case the incoming packets would be labeled "unlabeled_t", just
>> like any other unlabeled data on the system.
>
> Can you please tell me where exactly I can see this in the Linux source
> code, for better understanding?
>
secmark or peer label?
secmark label: Unless set by net/netfilter/xt_*SECMARK.c, secmark
should just be zero (cleared upon skb allocation) and thus will be
remapped by security/selinux/ss/sidtab.c:sidtab_search_core() to the
UNLABELED initial SID.
peer label: security/selinux/hooks.c:selinux_skb_peerlbl_sid() asks the
xfrm (ipsec) and netlabel (cipso) subsystems for any labeling
information for the packet and then calls
security/selinux/ss/services.c:security_net_peersid_resolve() to make
the final determination. In the absence of any labeling information,
we'll also end up with SECSID_NULL i.e. 0 and then the sidtab will again
remap it to the UNLABELED initial SID.
* Re: semanage interface has no effect
2014-08-25 14:57 ` Stepan G. Fedorov
@ 2014-08-25 15:46 ` Christopher J. PeBenito
0 siblings, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2014-08-25 15:46 UTC (permalink / raw)
To: Stepan G. Fedorov, Stephen Smalley, Paul Moore; +Cc: Selinux
On 8/25/2014 10:57 AM, Stepan G. Fedorov wrote:
>
>> ...but the new network permission checks will not be applied
>> until/unless you configure secmark or labeled networking. Or set the
>> always_check_network policy capability to 1 for secmark, if your kernel
>> supports that.
>
> It seems I have no such capability. My /sys/fs/selinux/policy_capabilities/
> contains only two files:
> network_peer_controls
> open_perms
That directory only lists the capabilities that are enabled in the
loaded policy. You need at least a 3.13 kernel and the capability
declared in the policy (in the base module, base.pp). Distributions
will likely never ship with that capability enabled, as it requires
packet (SECMARK) and peer rules throughout the policy.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
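As an added example (not code from the thread or from any of its participants), the script below does what the original poster set out to do, confining eth0 HTTP traffic to one domain, using SECMARK as Stephen Smalley suggests instead of the removed netif check, and it folds in the two preflight checks discussed later in the thread. It assumes a refpolicy-based system with the policy development headers installed and an iptables with the SECMARK and CONNSECMARK targets; the packet type nginx_http_packet_t and the module name are made up for the example, httpd_t is the refpolicy web server domain, corenet_packet is the refpolicy interface that marks a type as a packet type, and the 3.13 threshold for always_check_network is the version Chris PeBenito gives above. The policy_capabilities check follows his point exactly: a missing file means the loaded policy did not declare the capability, not that the kernel lacks support, so kernel support is checked separately from the version string.

```shell
#!/bin/sh
# Added example, not from the thread. Label eth0 HTTP traffic with SECMARK
# so that only httpd_t may send or receive it. Assumed/hypothetical names:
#   nginx_http_packet_t  packet type declared by the module printed below
#   httpd_t              refpolicy web server domain
# Requires refpolicy development headers (/usr/share/selinux/devel) and an
# iptables built with the SECMARK and CONNSECMARK targets.

# Does this kernel version support the always_check_network capability?
# Argument: a `uname -r` string such as "3.2.0-4-amd64"; true for >= 3.13.
kernel_supports_always_check_network() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%[!0-9]*}
    [ "$maj" -gt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -ge 13 ]; }
}

# Is a policy capability enabled in the *loaded* policy?
# Arguments: selinuxfs policy_capabilities directory, capability name.
# A missing file means the loaded policy did not declare the capability;
# it says nothing about kernel support, which the version check above covers.
polcap_enabled() {
    [ -f "$1/$2" ] && [ "$(cat "$1/$2")" = "1" ]
}

# Print a refpolicy module declaring the packet type and granting it to
# httpd_t only. Argument: packet type name (module name is derived from it).
secmark_te_module() {
    cat <<EOF
policy_module(${1%_packet_t}_secmark, 1.0)

gen_require(\`
	type httpd_t;
')

# Label applied by the SECMARK target in the iptables rules
type $1;
corenet_packet($1)

# Only the web server domain may send or receive packets so labeled
allow httpd_t $1:packet { send recv };
EOF
}

# Print the iptables mangle rules. Arguments: interface, packet type, TCP port.
# CONNSECMARK --save records the label of the first packet of a connection and
# --restore puts it back on later packets, so replies inherit the same label.
# Order matters: the --save rules must come after the SECMARK rules.
secmark_rules() {
    ctx="system_u:object_r:$2:s0"
    cat <<EOF
iptables -t mangle -A INPUT  -i $1 -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -o $1 -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT  -i $1 -p tcp --dport $3 -m state --state NEW -j SECMARK --selctx $ctx
iptables -t mangle -A OUTPUT -o $1 -p tcp --sport $3 -m state --state NEW -j SECMARK --selctx $ctx
iptables -t mangle -A INPUT  -i $1 -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A OUTPUT -o $1 -m state --state NEW -j CONNSECMARK --save
EOF
}

# Driver: "plan" prints the module and rules; "apply" builds, loads and
# installs them (needs root and the refpolicy toolchain).
case "${1:-}" in
plan|apply)
    if kernel_supports_always_check_network "$(uname -r)"; then
        echo "# kernel supports always_check_network (policy must still declare it)" >&2
    fi
    if ! polcap_enabled /sys/fs/selinux/policy_capabilities network_peer_controls; then
        echo "# warning: network_peer_controls not enabled in the loaded policy" >&2
    fi
    if [ "$1" = plan ]; then
        secmark_te_module nginx_http_packet_t
        secmark_rules eth0 nginx_http_packet_t 80
    else
        secmark_te_module nginx_http_packet_t > nginx_http_secmark.te
        make -f /usr/share/selinux/devel/Makefile nginx_http_secmark.pp
        semodule -i nginx_http_secmark.pp
        secmark_rules eth0 nginx_http_packet_t 80 | sh -e
    fi
    ;;
esac
```

Once any SECMARK rule is loaded, packet permission checks apply to every domain, and traffic the rules do not match is labeled unlabeled_t, exactly as Paul Moore and Stephen Smalley describe above. Before applying this on a host you depend on, confirm that the domains you rely on are allowed unlabeled_t:packet { send recv } (sesearch --allow -t unlabeled_t -c packet) and run the rules under setenforce 0 first to collect the AVC denials.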
end of thread, other threads:[~2014-08-25 15:46 UTC | newest]