* semanage interface has no effect
@ 2014-08-25 11:11 Stepan G. Fedorov
  2014-08-25 12:18 ` Dominick Grift
  2014-08-25 13:10 ` Stephen Smalley
  0 siblings, 2 replies; 10+ messages in thread
From: Stepan G. Fedorov @ 2014-08-25 11:11 UTC (permalink / raw)
  To: Selinux

Hello!

The goal of this experiment is to see whether allow rules for netif class 
objects are working.

I use Debian wheezy with the MLS SELinux policy, in enforcing mode.

eth0 is the only network interface, except lo.

sesearch --allow -cnetif shows lots of allow rules for netif_t target 
type / netif target class.

I do:
  1) I add new type nginx_http_if_t with my own policy module;
  2) semanage interface -a -t nginx_http_if_t -r s1:c0.c1023 eth0.

I expect: to see all processes in the system unable to read/write 
packets on the eth0 interface.

I actually got: nothing changes - all networking is working as it was 
before changing the interface context.


What am I doing/understanding wrong?

Thank you!

-- 
Stepan G. Fedorov <StFedorov@gmail.com>
Tel: +7-965-750-91-91

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: semanage interface has no effect
  2014-08-25 11:11 semanage interface has no effect Stepan G. Fedorov
@ 2014-08-25 12:18 ` Dominick Grift
  2014-08-25 13:10 ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2014-08-25 12:18 UTC (permalink / raw)
  To: selinux


On Mon, Aug 25, 2014 at 03:11:03PM +0400, Stepan G. Fedorov wrote:
> Hello!
> 
> The goal of this experiment is to see whether allow rules for netif class objects
> are working.
> 
> I use Debian wheezy with the MLS SELinux policy, in enforcing mode.
> 
> eth0 is the only network interface, except lo.
> 
> sesearch --allow -cnetif shows lots of allow rules for netif_t target type /
> netif target class.
> 
> I do:
>  1) I add new type nginx_http_if_t with my own policy module;
>  2) semanage interface -a -t nginx_http_if_t -r s1:c0.c1023 eth0.
> 
> I expect: to see all processes in the system unable to read/write packets
> on the eth0 interface.
> 
> I actually got: nothing changes - all networking is working as it was before
> changing the interface context.
> 
> 
> What am I doing/understanding wrong?

I suspect that these controls may be legacy (net_compat?)

I may be wrong

> 
> Thank you!
> 
> -- 
> Stepan G. Fedorov <StFedorov@gmail.com>
> Tel: +7-965-750-91-91
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
http://subkeys.pgp.net:11371/pks/lookup?search=0x02DFF788&op=index
Dominick Grift


* Re: semanage interface has no effect
  2014-08-25 11:11 semanage interface has no effect Stepan G. Fedorov
  2014-08-25 12:18 ` Dominick Grift
@ 2014-08-25 13:10 ` Stephen Smalley
  2014-08-25 14:00   ` Stepan G. Fedorov
  1 sibling, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2014-08-25 13:10 UTC (permalink / raw)
  To: Stepan G. Fedorov, Selinux

On 08/25/2014 07:11 AM, Stepan G. Fedorov wrote:
> Hello!
> 
> The goal of this experiment is to see whether allow rules for netif class objects
> are working.
> 
> I use Debian wheezy with the MLS SELinux policy, in enforcing mode.
> 
> eth0 is the only network interface, except lo.
> 
> sesearch --allow -cnetif shows lots of allow rules for netif_t target
> type / netif target class.
> 
> I do:
>  1) I add new type nginx_http_if_t with my own policy module;
>  2) semanage interface -a -t nginx_http_if_t -r s1:c0.c1023 eth0.
> 
> I expect: to see all processes in the system unable to read/write
> packets on the eth0 interface.
> 
> I actually got: nothing changes - all networking is working as it was
> before changing the interface context.
> 
> 
> What am I doing/understanding wrong?

Legacy network checks are gone; use peer labeling or secmark instead,
http://paulmoore.livejournal.com/tag/documentation


* Re: semanage interface has no effect
  2014-08-25 13:10 ` Stephen Smalley
@ 2014-08-25 14:00   ` Stepan G. Fedorov
  2014-08-25 14:30     ` Paul Moore
  0 siblings, 1 reply; 10+ messages in thread
From: Stepan G. Fedorov @ 2014-08-25 14:00 UTC (permalink / raw)
  To: Selinux

25.08.2014 17:10, Stephen Smalley wrote:
> Legacy network checks are gone; use peer labeling or secmark instead, 
> http://paulmoore.livejournal.com/tag/documentation 

Thank you for quick reply!

In the case of a "just installed" system, where no iptables SECMARK rules 
are present and no labeled packets arrive on the network interface, what 
will be the SELinux contexts of all incoming packets?

-- 
Stepan G. Fedorov <StFedorov@gmail.com>
Tel: +7-965-750-91-91


* Re: semanage interface has no effect
  2014-08-25 14:00   ` Stepan G. Fedorov
@ 2014-08-25 14:30     ` Paul Moore
  2014-08-25 14:36       ` Stephen Smalley
  2014-08-25 14:46       ` Stepan G. Fedorov
  0 siblings, 2 replies; 10+ messages in thread
From: Paul Moore @ 2014-08-25 14:30 UTC (permalink / raw)
  To: Stepan G. Fedorov; +Cc: Selinux

On Mon, Aug 25, 2014 at 10:00 AM, Stepan G. Fedorov <stfedorov@gmail.com> wrote:
> 25.08.2014 17:10, Stephen Smalley wrote:
>
>> Legacy network checks are gone; use peer labeling or secmark instead,
>> http://paulmoore.livejournal.com/tag/documentation
>
>
> Thank you for quick reply!
>
> In the case of a "just installed" system, where no iptables SECMARK rules are
> present and no labeled packets arrive on the network interface, what will be
> the SELinux contexts of all incoming packets?

In this case the incoming packets would be labeled "unlabeled_t", just
like any other unlabeled data on the system.

-- 
paul moore
www.paul-moore.com


* Re: semanage interface has no effect
  2014-08-25 14:30     ` Paul Moore
@ 2014-08-25 14:36       ` Stephen Smalley
  2014-08-25 14:57         ` Stepan G. Fedorov
  2014-08-25 14:46       ` Stepan G. Fedorov
  1 sibling, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2014-08-25 14:36 UTC (permalink / raw)
  To: Paul Moore, Stepan G. Fedorov; +Cc: Selinux

On 08/25/2014 10:30 AM, Paul Moore wrote:
> On Mon, Aug 25, 2014 at 10:00 AM, Stepan G. Fedorov <stfedorov@gmail.com> wrote:
>> 25.08.2014 17:10, Stephen Smalley wrote:
>>
>>> Legacy network checks are gone; use peer labeling or secmark instead,
>>> http://paulmoore.livejournal.com/tag/documentation
>>
>>
>> Thank you for quick reply!
>>
>> In the case of a "just installed" system, where no iptables SECMARK rules are
>> present and no labeled packets arrive on the network interface, what will be
>> the SELinux contexts of all incoming packets?
> 
> In this case the incoming packets would be labeled "unlabeled_t", just
> like any other unlabeled data on the system.

...but the new network permission checks will not be applied
until/unless you configure secmark or labeled networking.  Or set the
always_check_network policy capability to 1 for secmark, if your kernel
supports that.


* Re: semanage interface has no effect
  2014-08-25 14:30     ` Paul Moore
  2014-08-25 14:36       ` Stephen Smalley
@ 2014-08-25 14:46       ` Stepan G. Fedorov
  2014-08-25 15:21         ` Stephen Smalley
  1 sibling, 1 reply; 10+ messages in thread
From: Stepan G. Fedorov @ 2014-08-25 14:46 UTC (permalink / raw)
  To: Paul Moore; +Cc: Selinux

> In this case the incoming packets would be labeled "unlabeled_t", just 
> like any other unlabeled data on the system. 

Can you please tell me where exactly I can see this in the Linux source 
code, for better understanding?

-- 
Stepan G. Fedorov <StFedorov@gmail.com>
Tel: +7-965-750-91-91


* Re: semanage interface has no effect
  2014-08-25 14:36       ` Stephen Smalley
@ 2014-08-25 14:57         ` Stepan G. Fedorov
  2014-08-25 15:46           ` Christopher J. PeBenito
  0 siblings, 1 reply; 10+ messages in thread
From: Stepan G. Fedorov @ 2014-08-25 14:57 UTC (permalink / raw)
  To: Stephen Smalley, Paul Moore; +Cc: Selinux


> ...but the new network permission checks will not be applied
> until/unless you configure secmark or labeled networking.  Or set the
> always_check_network policy capability to 1 for secmark, if your kernel
> supports that.

It seems I have no such capability. My /sys/fs/selinux/policy_capabilities/ 
contains only two files:
network_peer_controls
open_perms


-- 
Stepan G. Fedorov <StFedorov@gmail.com>
Tel: +7-965-750-91-91


* Re: semanage interface has no effect
  2014-08-25 14:46       ` Stepan G. Fedorov
@ 2014-08-25 15:21         ` Stephen Smalley
  0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2014-08-25 15:21 UTC (permalink / raw)
  To: Stepan G. Fedorov, Paul Moore; +Cc: Selinux

On 08/25/2014 10:46 AM, Stepan G. Fedorov wrote:
>> In this case the incoming packets would be labeled "unlabeled_t", just
>> like any other unlabeled data on the system. 
> 
> Can you please tell me where exactly I can see this in the Linux source
> code, for better understanding?
> 

secmark or peer label?

secmark label:  Unless set by net/netfilter/xt_*SECMARK.c, secmark
should just be zero (cleared upon skb allocation) and thus will be
remapped by security/selinux/ss/sidtab.c:sidtab_search_core() to the
UNLABELED initial SID.

peer label:  security/selinux/hooks.c:selinux_skb_peerlbl_sid() asks the
xfrm (ipsec) and netlabel (cipso) subsystems for any labeling
information for the packet and then calls
security/selinux/ss/services.c:security_net_peersid_resolve() to make
the final determination.  In the absence of any labeling information,
we'll also end up with SECSID_NULL i.e. 0 and then the sidtab will again
remap it to the UNLABELED initial SID.


* Re: semanage interface has no effect
  2014-08-25 14:57         ` Stepan G. Fedorov
@ 2014-08-25 15:46           ` Christopher J. PeBenito
  0 siblings, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2014-08-25 15:46 UTC (permalink / raw)
  To: Stepan G. Fedorov, Stephen Smalley, Paul Moore; +Cc: Selinux

On 8/25/2014 10:57 AM, Stepan G. Fedorov wrote:
> 
>> ...but the new network permission checks will not be applied
>> until/unless you configure secmark or labeled networking.  Or set the
>> always_check_network policy capability to 1 for secmark, if your kernel
>> supports that.
> 
> It seems I have no such capability. My /sys/fs/selinux/policy_capabilities/
> contains only two files:
> network_peer_controls
> open_perms

That directory only lists the capabilities that are enabled in the
loaded policy.  You need at least a 3.13 kernel and the capability
declared in the policy (in the base module, base.pp).  Distributions
will likely never ship with that capability enabled, as it requires
packet (SECMARK) and peer rules throughout the policy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
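
The replacement the thread points to, written out as an added example (this is
not code from the thread, from the kernel or from the reference policy): SECMARK
rules that label the HTTP flows on eth0, the policy module that grants one domain
send/recv on that packet type, and a check of the policy_capabilities directory
that PeBenito describes. Packets that match no SECMARK rule keep a secmark of 0
and so resolve to unlabeled_t, as Stephen Smalley's message explains, and with
always_check_network off they are not subject to the packet checks at all. The
packet type nginx_http_packet_t, the module name nginx_secmark, the assumption
that nginx runs in httpd_t, and the SELINUX_ROOT variable are all assumptions of
this example. Nothing is applied to the running system: the iptables and policy
text is printed for review.

```shell
#!/bin/sh
# Added example, not from the thread. SECMARK-based replacement for the legacy
# netif checks. Assumed names: nginx_http_packet_t, nginx_secmark, httpd_t.

# Return 0 when capability $2 exists and reads "1" under selinuxfs root $1.
# The policy_capabilities directory only lists capabilities the loaded policy
# declares, so a missing file means "not enabled", not "kernel cannot do it".
polcap_enabled() {
    f="$1/policy_capabilities/$2"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Emit mangle-table rules that label NEW HTTP flows on interface $1, port $2,
# with context $3 and carry the label across the connection with CONNSECMARK.
# Flows that match no SECMARK rule keep secmark 0, i.e. stay unlabeled_t.
secmark_rules() {
    iface=$1; port=$2; ctx=$3
    for chain in INPUT OUTPUT; do
        if [ "$chain" = INPUT ]; then dir=-i; pdir=--dport; else dir=-o; pdir=--sport; fi
        cat <<EOF
iptables -t mangle -A $chain $dir $iface -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A $chain $dir $iface -m state --state NEW -p tcp $pdir $port -j SECMARK --selctx $ctx
iptables -t mangle -A $chain $dir $iface -m state --state NEW -j CONNSECMARK --save
EOF
    done
}

# Emit a refpolicy module declaring the packet type and granting domain $1
# send/recv on it. Once a packet carries this label, every domain without such
# an allow rule is denied, which is the effect the original poster expected
# from relabeling the netif.
secmark_policy() {
    domain=$1
    cat <<EOF
policy_module(nginx_secmark, 1.0.0)
require { type $domain; }
type nginx_http_packet_t;
corenet_packet(nginx_http_packet_t)
allow $domain nginx_http_packet_t:packet { send recv };
EOF
}

# Usage: prints the capability status, the iptables lines and the module text.
# Pipe the iptables lines to sh as root to apply them.
main() {
    root=${SELINUX_ROOT:-/sys/fs/selinux}
    if polcap_enabled "$root" always_check_network; then
        echo "# always_check_network=1: unlabeled packets are checked too"
    else
        echo "# always_check_network not enabled: only SECMARK-labeled packets are checked"
    fi
    secmark_rules eth0 80 system_u:object_r:nginx_http_packet_t:s0
    secmark_policy httpd_t
}
main
```

The CONNSECMARK --restore rule must precede the SECMARK rule so that packets of
an already-labeled connection keep their label; the --save rule after SECMARK
records the label on the conntrack entry. CONNSECMARK needs connection tracking
loaded, and the packet type must be declared through corenet_packet() (or the
equivalent in your policy) before the allow rule will compile.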
