* Howto transition socket
@ 2011-08-01 15:45 Martin Christian
  2011-08-02  3:10 ` HarryCiao
  2011-08-04 12:30 ` Stephen Smalley
  0 siblings, 2 replies; 4+ messages in thread
From: Martin Christian @ 2011-08-01 15:45 UTC (permalink / raw)
  To: selinux

Hi,

excuse this very basic question: How can I define a transition for a socket?

Let's assume I've got a process p with label u_t, denoted as p:u_t. The
process opens a listening tcp socket s on port 80 (e.g. nc -l -p 80).
As far as I understood, s would get the label from the process: s:u_t.
However, I would like the socket to have label o_t. Hence, I define a
transition:

(u, u) -> o

or in policy syntax:

type_transition u_t u_t:tcp_socket o_t;

But this doesn't seem to work. Any ideas?

Regards,

Martin.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: Howto transition socket
  2011-08-01 15:45 Howto transition socket Martin Christian
@ 2011-08-02  3:10 ` HarryCiao
  2011-08-04 12:30 ` Stephen Smalley
  1 sibling, 0 replies; 4+ messages in thread
From: HarryCiao @ 2011-08-02  3:10 UTC (permalink / raw)
  To: martin.christian, selinux

Hi Martin,

> Date: Mon, 1 Aug 2011 17:45:48 +0200
> From: martin.christian@secunet.com
> To: selinux@tycho.nsa.gov
> Subject: Howto transition socket
> 
> Hi,
> 
> excuse this very basic question: How can I define a transition for a socket?
> 
> Let's assume I've got a process p with label u_t, denoted as p:u_t. The
> process opens a listening tcp socket s on port 80 (e.g. nc -l -p 80).
> As far as I understood, s would get the label from the process: s:u_t.
> However, I would like the socket to have label o_t. Hence, I define a
> transition:
> 
> (u, u) -> o
> 
> or in policy syntax:
> 
> type_transition u_t u_t:tcp_socket o_t;

Generally speaking, a type_transition rule for a socket, so that it has a separate type from its creator, works like this. However, besides this type_transition rule, you also have to grant the other necessary allow rules so that the creator can create and use this new socket type, such as:

allow u_t o_t:tcp_socket { create_socket_perms sendto ... };

and make the process's role authorized for this socket type:

role <process's role> types o_t;

Then you can verify the socket type with the compute_create command; see the example below.

I have attached my refpolicy patch, which has the unix_dgram_socket created by syslogd_t labeled as syslogd_s_t. Hope that helps :-)

Cheers,
Harry

[root/sysadm_r/s0@~]# compute_create system_u:system_r:syslogd_t:s15:c0.c1023 \
    system_u:system_r:syslogd_t:s15:c0.c1023 unix_dgram_socket
system_u:system_r:syslogd_s_t:s15:c0.c1023
[root/sysadm_r/s0@~]#

> 
> But this doesn't seem to work. Any ideas?
> 
> Regards,
> 
> Martin.
> 
[-- Attachment #2: separate_sock_for_syslogd_t.patch --]
[-- Type: text/x-patch, Size: 3454 bytes --]

commit 36505160dc1274e2bec2fbb854a39b8d2891d08c
Author: Harry Ciao <qingtao.cao@windriver.com>
Date:   Thu Feb 24 16:23:42 2011 +0800

    Specify a separate socket type for syslogd_t.
    
    Use a type_transition rule to specify a separate type for the unix_dgram_socket
    object created by syslogd_t, so that the socket type alone could be added
    to the mlstrustedobject attribute to avoid the error message below:
    
    type=1400 audit(1298535101.654:868): avc:  denied  { sendto } for  pid=385 comm="klogd" path="/dev/log" scontext=system_u:object_r:klogd_t:s0 tcontext=system_u:object_r:syslogd_t:s15:c0.c1023 tclass=unix_dgram_socket
    
    This helps to avoid adding syslogd_t to this attribute, which is also the
    label for all of syslogd's procfs contents.
    
    BTW, in the SELinux kernel driver, security_transition_sid() should be
    called to query the above type_transition rule for the newly created socket,
    which will retain the same user, role and MLS attributes as its creator.

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 831b909..0cab32c 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -525,14 +525,14 @@ interface(`logging_log_filetrans',`
 #
 interface(`logging_send_syslog_msg',`
 	gen_require(`
-		type syslogd_t, devlog_t;
+		type syslogd_t, syslogd_s_t, devlog_t;
 	')
 
 	allow $1 devlog_t:lnk_file read_lnk_file_perms;
 	allow $1 devlog_t:sock_file write_sock_file_perms;
 
 	# the type of socket depends on the syslog daemon
-	allow $1 syslogd_t:unix_dgram_socket sendto;
+	allow $1 syslogd_s_t:unix_dgram_socket sendto;
 	allow $1 syslogd_t:unix_stream_socket connectto;
 	allow $1 self:unix_dgram_socket create_socket_perms;
 	allow $1 self:unix_stream_socket create_socket_perms;
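Review bot: replacing `allow $1 syslogd_t:unix_dgram_socket sendto;` with the syslogd_s_t rule leaves every caller of logging_send_syslog_msg() without sendto permission on a kernel that does not apply type_transition rules to sockets (Stephen Smalley puts that at anything before 2.6.39 later in this thread): there the daemon's /dev/log socket still carries syslogd_t, and messages to it are denied instead of logged. Keep the old rule next to the new one until the minimum supported kernel honours socket transitions, and update the '# the type of socket depends on the syslog daemon' comment, which no longer explains why the dgram and stream rules now name different types.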
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index b6ec597..6804dcf 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -65,6 +65,13 @@ type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
 
+# PF_UNIX socket created by syslogd.
+# Any socket will retain the same user, role and MLS attribute as
+# its creator, thus the creator's role needs to type the socket type.
+type syslogd_s_t;
+role system_r types syslogd_s_t;
+mls_trusted_object(syslogd_s_t)
+
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
 
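Review bot: the comment above `type syslogd_s_t;` says 'PF_UNIX socket created by syslogd', but the type_transition added in the next hunk covers unix_dgram_socket only; the daemon's unix_stream_socket objects stay syslogd_t, and the interface hunk accordingly still grants connectto on syslogd_t. Narrow the comment to the dgram socket, and add a line stating why the type exists (so that mls_trusted_object() can be applied to the socket alone rather than to syslogd_t, which also labels the daemon's procfs entries) and that the label is only assigned by kernels that support type_transition on sockets, so that the declaration is not folded back into syslogd_t by a later cleanup.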
@@ -360,15 +367,18 @@ dontaudit syslogd_t self:capability sys_tty_config;
 # setrlimit for syslog-ng
 allow syslogd_t self:process { signal_perms setpgid setrlimit };
 # receive messages to be logged
-allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t syslogd_s_t:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-allow syslogd_t self:unix_dgram_socket sendto;
+allow syslogd_t syslogd_s_t:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 
 allow syslogd_t syslog_conf_t:file read_file_perms;
 
+# PF_UNIX dgram socket created by syslogd_t labeled as syslogd_s_t
+type_transition syslogd_t syslogd_t:unix_dgram_socket syslogd_s_t;
+
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
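Review bot: removing `allow syslogd_t self:unix_dgram_socket create_socket_perms;` takes away syslogd_t's permission to create a dgram socket of its own type, so on a kernel that ignores type_transition for sockets the new socket is still syslogd_t and its creation is denied; the daemon then cannot set up /dev/log at all, a harder failure than the klogd sendto denial the commit message sets out to fix. Keep the self rule alongside the syslogd_s_t rule, and move `type_transition syslogd_t syslogd_t:unix_dgram_socket syslogd_s_t;` up next to the create rule it depends on, so the two are read and reviewed together.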


* Re: Howto transition socket
  2011-08-01 15:45 Howto transition socket Martin Christian
  2011-08-02  3:10 ` HarryCiao
@ 2011-08-04 12:30 ` Stephen Smalley
  2011-08-04 13:06   ` Martin Christian
  1 sibling, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2011-08-04 12:30 UTC (permalink / raw)
  To: Martin Christian; +Cc: selinux

On Mon, 2011-08-01 at 17:45 +0200, Martin Christian wrote:
> Hi,
> 
> excuse this very basic question: How can I define a transition for a socket?
> 
> Let's assume I've got a process p with label u_t, denoted as p:u_t. The
> process opens a listening tcp socket s on port 80 (e.g. nc -l -p 80).
> As far as I understood, s would get the label from the process: s:u_t.
> However, I would like the socket to have label o_t. Hence, I define a
> transition:
> 
> (u, u) -> o
> 
> or in policy syntax:
> 
> type_transition u_t u_t:tcp_socket o_t;
> 
> But this doesn't seem to work. Any ideas?
> 

Kernel version?  Support for type transitions on sockets was first
introduced in kernel 2.6.39.  Older kernels would always label sockets
with their creator's context or with the context specified by the
application using setsockcreatecon(3) from libselinux.

-- 
Stephen Smalley
National Security Agency



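Harry's checklist (the type_transition rule, an allow rule for the new socket type, the role authorization, and compute_create to verify) and Stephen's point about kernels older than 2.6.39 can be seen together in the following model. This is an added example, not code from this thread, from refpolicy or from the kernel: it parses only the statement kinds used in the thread, computes the context a created socket would get the way compute_create(8) reports it, and lists the companion rules a type_transition is still missing. The policy fragments in it are constructed for illustration (user_r as the role of Martin's u_t process is an assumption), and the permission-macro table is copied from refpolicy's obj_perm_sets.spt and should be checked against your own tree.

```python
"""Model of SELinux socket labelling (added example; not kernel, libselinux or
refpolicy code). Parses only what this thread uses: type_transition, allow, role."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# create_socket_perms as defined in refpolicy's policy/support/obj_perm_sets.spt,
# copied so the checker can see the "create" permission behind the macro.
PERM_MACROS: Dict[str, Set[str]] = {"create_socket_perms": {
    "create", "ioctl", "read", "getattr", "write", "setattr", "append",
    "bind", "connect", "getopt", "setopt", "shutdown"}}

def split_context(text: str) -> Tuple[str, str, str, str]:
    """user, role, type and MLS range (empty on a non-MLS policy)."""
    user, role, typ, *rest = text.split(":", 3)
    return user, role, typ, rest[0] if rest else ""

def _expand_set(tokens: List[str]) -> Set[str]:
    """Flatten "{ a b }" or a single token, expanding known permission macros."""
    return set().union(*(PERM_MACROS.get(t, {t}) for t in tokens if t not in "{}"))

@dataclass
class Policy:
    transitions: Dict[Tuple[str, str, str], str] = field(default_factory=dict)  # (src, tgt, class) -> type
    allows: Set[Tuple[str, str, str, str]] = field(default_factory=set)         # (src, tgt, class, perm)
    role_types: Dict[str, Set[str]] = field(default_factory=dict)

    @classmethod
    def parse(cls, text: str) -> "Policy":
        pol = cls()
        for stmt in re.sub(r"#.*", "", text).split(";"):  # strip comments, one rule per ';'
            toks = stmt.replace("{", " { ").replace("}", " } ").split()
            if toks and toks[0] == "type_transition":
                tgt, tclass = toks[2].split(":")
                pol.transitions[(toks[1], tgt, tclass)] = toks[3]
            elif toks and toks[0] == "allow":
                tgt, tclass = toks[2].split(":")
                tgt = toks[1] if tgt == "self" else tgt
                pol.allows.update((toks[1], tgt, tclass, p) for p in _expand_set(toks[3:]))
            elif len(toks) > 3 and toks[0] == "role" and toks[2] == "types":
                pol.role_types.setdefault(toks[1], set()).update(_expand_set(toks[3:]))
        return pol  # type declarations and m4 macro calls are ignored

def compute_create(pol: Policy, scon: str, tcon: str, tclass: str,
                   kernel_transitions_sockets: bool = True) -> str:
    """Context of a socket created by scon, as compute_create(8) would print it.
    The socket keeps its creator's user, role and full MLS range; only the type can
    change, via a matching type_transition. kernel_transitions_sockets=False models
    a kernel older than 2.6.39, which never consulted type_transition for sockets."""
    user, role, styp, mls = split_context(scon)
    ttyp = split_context(tcon)[2]
    new_type = pol.transitions.get((styp, ttyp, tclass), styp) if kernel_transitions_sockets else styp
    # The kernel rejects a context whose role is not authorised for its type, which is
    # why Harry's "role <process's role> types <socket type>" rule is required.
    if new_type not in pol.role_types.get(role, set()):
        raise ValueError(f"invalid context: role {role} is not authorised for type {new_type}")
    return ":".join(part for part in (user, role, new_type, mls) if part)

def check_transition_support(pol: Policy) -> List[str]:
    """Companion rules each socket type_transition needs before it can take effect."""
    problems: List[str] = []
    for (src, _tgt, tclass), new in pol.transitions.items():
        if (src, new, tclass, "create") not in pol.allows:
            problems.append(f"missing: allow {src} {new}:{tclass} create (e.g. create_socket_perms)")
        for role, types in pol.role_types.items():  # the socket keeps the creator's role
            if src in types and new not in types:
                problems.append(f"missing: role {role} types {new}")
    return problems

# Constructed fragment for Martin's question: the transition alone. user_r as the
# role of the u_t process is an assumption; none of the companion rules are present.
MARTIN_POLICY = """
role user_r types u_t;
type_transition u_t u_t:tcp_socket o_t;
"""

# The rules from Harry's logging.te patch, reduced to what this model parses.
SYSLOGD_POLICY = """
role system_r types { syslogd_t syslogd_s_t };
allow syslogd_t syslogd_s_t:unix_dgram_socket { create_socket_perms sendto };
type_transition syslogd_t syslogd_t:unix_dgram_socket syslogd_s_t;
"""

def demo() -> Dict[str, object]:
    martin, syslogd = Policy.parse(MARTIN_POLICY), Policy.parse(SYSLOGD_POLICY)
    daemon = "system_u:system_r:syslogd_t:s15:c0.c1023"
    out: Dict[str, object] = {
        "martin_problems": check_transition_support(martin),
        "syslogd_problems": check_transition_support(syslogd),
        "syslogd_new_kernel": compute_create(syslogd, daemon, daemon, "unix_dgram_socket"),
        "syslogd_old_kernel": compute_create(syslogd, daemon, daemon, "unix_dgram_socket",
                                             kernel_transitions_sockets=False),
    }
    try:
        compute_create(martin, "user_u:user_r:u_t:s0", "user_u:user_r:u_t:s0", "tcp_socket")
    except ValueError as err:
        out["martin_error"] = str(err)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the results: on Harry's fragment compute_create gives system_u:system_r:syslogd_s_t:s15:c0.c1023, matching his compute_create output; with kernel_transitions_sockets=False it gives the creator's context, which is what Martin sees on 2.6.38; and check_transition_support on Martin's fragment lists exactly the allow and role rules Harry asked for.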

* Re: Howto transition socket
  2011-08-04 12:30 ` Stephen Smalley
@ 2011-08-04 13:06   ` Martin Christian
  0 siblings, 0 replies; 4+ messages in thread
From: Martin Christian @ 2011-08-04 13:06 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


That explains why RongQing's patch doesn't work for me. I'm still using
kernel 2.6.38. With RongQing's patch I can see all the sockets always
have the label of the process, even with an active type transition. So the
patch is not broken, but the kernel doesn't support it yet.

Thanks,

Martin.


Am 04.08.2011 14:30, schrieb Stephen Smalley:
> On Mon, 2011-08-01 at 17:45 +0200, Martin Christian wrote:
>> Hi,
>>
>> excuse this very basic question: How can I define a transition for a socket?
>>
>> Let's assume I've got a process p with label u_t, denoted as p:u_t. The
>> process opens a listening tcp socket s on port 80 (e.g. nc -l -p 80).
>> As far as I understood, s would get the label from the process: s:u_t.
>> However, I would like the socket to have label o_t. Hence, I define a
>> transition:
>>
>> (u, u) -> o
>>
>> or in policy syntax:
>>
>> type_transition u_t u_t:tcp_socket o_t;
>>
>> But this doesn't seem to work. Any ideas?
>>
> 
> Kernel version?  Support for type transitions on sockets was first
> introduced in kernel 2.6.39.  Older kernels would always label sockets
> with their creator's context or with the context specified by the
> application using setsockcreatecon(3) from libselinux.
> 


