* [PATCH v2] Improve network_support.md @ 2020-07-27 13:04 Topi Miettinen 2020-07-27 13:57 ` Dominick Grift 2020-07-28 2:44 ` Paul Moore 0 siblings, 2 replies; 14+ messages in thread From: Topi Miettinen @ 2020-07-27 13:04 UTC (permalink / raw) To: selinux; +Cc: Topi Miettinen List all access control methods available for networking and provide examples for each. Signed-off-by: Topi Miettinen <toiwoton@gmail.com> --- v2: address comments from Richard Haines --- src/network_statements.md | 2 +- src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- 2 files changed, 150 insertions(+), 22 deletions(-) diff --git a/src/network_statements.md b/src/network_statements.md index ef1c873..357c3b1 100644 --- a/src/network_statements.md +++ b/src/network_statements.md @@ -102,7 +102,7 @@ the interface to a security context. <tr> <td><code>packet_context</code></td> <td><p>The security context allocated packets. Note that these are defined but unused.</p> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> +<p>The iptables(8)/nftables(8) <a href="network_support.md#internal-labeling-secmark">SECMARK services</a> should be used to label packets.</p></td> </tr> </tbody> </table> diff --git a/src/network_support.md b/src/network_support.md index 309e863..6f9896b 100644 --- a/src/network_support.md +++ b/src/network_support.md @@ -1,20 +1,17 @@ # SELinux Networking Support -SELinux supports the following types of network labeling: +SELinux supports several methods for access control of networks. These are -**Internal labeling** - This is where network objects are labeled and -managed internally within a single machine (i.e. their labels are not -transmitted as part of the session with remote systems). There are two -types supported: SECMARK and NetLabel. There was a service known as -'compat_net' controls, however that was removed in kernel 2.6.30. +* Packet labeling: class `packet` +* Peer labeling: class `peer` +* Interface control: class `netif` +* Network node control: class `node` +* TCP/UDP/SCTP/DCCP ports: class `port` -**Labeled Networking** - This is where labels are passed to/from remote -systems where they can be interpreted and a MAC policy enforced on each -system. There are three types supported: Labeled IPSec, CIPSO -(Commercial IP Security Option) and CALIPSO (Common Architecture Label -IPv6 Security Option) +Networking support is not enabled by default. It can be enabled either +the policy capabilities or by loading SECMARK rules. -There are two policy capability options that can be set within policy +There are three policy capability options that can be set within policy using the `policycap` statement that affect networking configuration: **`network_peer_controls`** - This is always enabled in the latest @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the SELinux filesystem as shown in the [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. -To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to -be installed: +SELinux supports the following types of network labeling: + +**Internal labeling** - This is where network objects are labeled and +managed internally within a single machine (i.e. their labels are not +transmitted as part of the session with remote systems). There are two +types supported: SECMARK and NetLabel. There was a service known as +'compat_net' controls, however that was removed in kernel 2.6.30. + +**Labeled Networking** - This is where labels are passed to/from remote +systems where they can be interpreted and a MAC policy enforced on each +system. There are three types supported: Labeled IPSec, CIPSO +(Commercial IP Security Option) and CALIPSO (Common Architecture Label +IPv6 Security Option). + +To support peer labeling with CIPSO and CALIPSO or fallback labeling, +the NetLabel tools need to be installed: `dnf install netlabel_tools` @@ -52,8 +63,12 @@ OpenSwan but is now distributed as LibreSwan: `dnf install libreswan` It is important to note that the kernel must be configured to support -these services. The Fedora kernels are configured to handle all the above -services. +these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`, +`CONFIG_NF_CONNTRACK_SECMARK`, +`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`, +`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`, +`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are +configured to handle all the above services. The Linux networking package *iproute* has an SELinux aware socket statistics command ***ss**(8)* that will show the SELinux context of @@ -65,7 +80,7 @@ to achieve this). <br> -## SECMARK +## Internal labeling: SECMARK SECMARK makes use of the standard kernel NetFilter framework that underpins the GNU / Linux IP networking sub-system. NetFilter services @@ -73,7 +88,7 @@ automatically inspects all incoming and outgoing packets and can place controls on interfaces, IP addresses (nodes) and ports with the added advantage of connection tracking. The SECMARK security extensions allow security contexts to be added to packets (SECMARK) or sessions -(CONNSECMARK). +(CONNSECMARK), belonging to object class of `packet`. The NetFilter framework inspects and tag packets with labels as defined within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with @@ -172,6 +187,16 @@ table ip6 security { } ``` +Before the SECMARK rules can be loaded, TE rules must be added to +define the types, and also allow domains to send and/or receive +objects of `packet` class: + +``` +type test_server_packet_t, packet_type; + +allow my_server_t test_server_packet_t:packet { send recv }; +``` + The following articles explain the SECMARK service: - [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) @@ -179,7 +204,7 @@ The following articles explain the SECMARK service: <br> -## NetLabel - Fallback Peer Labeling +## Internal labeling: NetLabel - Fallback Peer Labeling Fallback labeling can optionally be implemented on a system if the Labeled IPSec or CIPSO/CALIPSO is not being used (hence 'fallback @@ -217,9 +242,20 @@ netlabelctl -p map list Note that the security contexts must be valid in the policy otherwise the commands will fail. +Before the NetLabel rules can be loaded, TE rules must be added to +define the types. Then the rules can allow domains to receive data +from objects of `peer` class: + +``` +type netlabel_sctp_peer_t; + +allow my_server_t netlabel_sctp_peer_t:peer recv; +``` +Note that sending can't be controlled with `peer` class. + <br> -## NetLabel – CIPSO/CALIPSO +## Labeled Networking: NetLabel – CIPSO/CALIPSO To allow MLS [**security levels**](mls_mcs.md#security-levels) to be passed over a network between MLS @@ -288,7 +324,7 @@ section, plus the standard Fedora 'targeted' policy for the tests. <br> -## Labeled IPSec +## Labeled Networking: Labeled IPSec Labeled IPSec has been built into the standard GNU / Linux IPSec services as described in the @@ -451,6 +487,98 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. <br> +## Access Control for Network Interfaces + +SELinux domains can be restricted to use only specific network +interfaces. TE rules must define the interface types and then allow a +domain to `egress` in class `netif` for the defined interface types: + +``` +require { + attribute netif_type; +} + +type external_if_t, netif_type; +type loopback_if_t, netif_type; + +allow my_server_t external_if_t:netif egress; +allow my_server_t loopback_if_t:netif egress; +``` + +The interfaces must also be labeled with ***semanage**(8)* (or by +using `netifcon` statements in the policy): +``` +semanage interface -a -t loopback_if_t -r s0 lo +semanage interface -a -t external_if_t -r s0 eth0 +``` + +Note that reception can't be controlled with `netif` class. + +<br> + +## Access Control for Network Nodes + +Domains can be restricted by SELinux to access and bind sockets to +only dedicated network nodes (in practice, IP addresses). + +The node types must be defined and then the node types can be used for +TE rules as target context. TE rules to allow a domain to `sendto` for +class `node` and to `node_bind` (for incoming connections) for class +`tcp_socket`: + +``` +require { + attribute node_type; +} + +type loopback_node_t, node_type; +type internet_node_t, node_type; +type link_local_node_t, node_type; +type multicast_node_t, node_type; + +allow my_server_t loopback_node_t:node sendto; +allow my_server_t loopback_node_t:tcp_socket node_bind; +allow my_server_t internet_node_t:node sendto; +``` + +After the types have been defined, corresponding node rules can be +added with `semanage` (or `nodecon` statements): +``` +semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1 +semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000:: +semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00:: +semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00:: +``` + +<br> + +## Access Control for Network Ports + +SELinux policy can also control access to ports used by various +networking protocols such as TCP, UDP, SCTP and DCCP. TE rules must +define the port types and then allow a domain to `name_connect` +(outgoing) or `name_bind` (incoming) in class `tcp_socket` (or +`udp_socket` etc) for the defined port types: + +``` +require { + attribute port_type; +} + +type my_server_port_t, port_type; + +allow my_server_t my_server_port_t:tcp_socket name_connect; +allow my_server_t my_server_port_t:tcp_socket name_bind; +``` + +The ports must also be labeled with `semanage` (or `portcon` +statements): +``` +semanage port -a -t my_server_port_t -p tcp -r s0 12345 +``` + +<br> + <section class="footnotes"> <ol> <li id="fnn1"><p>For example, an ftp session where the server is listening on a specific port (the destination port) but the client will be assigned a random source port. The CONNSECMARK will ensure that all packets for the ftp session are marked with the same label.<a href="#fnnet1" class="footnote-back">↩</a></p></li> -- 2.27.0 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 13:04 [PATCH v2] Improve network_support.md Topi Miettinen @ 2020-07-27 13:57 ` Dominick Grift 2020-07-27 15:21 ` Topi Miettinen 2020-07-28 2:49 ` Paul Moore 2020-07-28 2:44 ` Paul Moore 1 sibling, 2 replies; 14+ messages in thread From: Dominick Grift @ 2020-07-27 13:57 UTC (permalink / raw) To: Topi Miettinen; +Cc: selinux Topi Miettinen <toiwoton@gmail.com> writes: > List all access control methods available for networking and provide > examples for each. > > Signed-off-by: Topi Miettinen <toiwoton@gmail.com> > > --- > v2: address comments from Richard Haines > --- > src/network_statements.md | 2 +- > src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- > 2 files changed, 150 insertions(+), 22 deletions(-) > > diff --git a/src/network_statements.md b/src/network_statements.md > index ef1c873..357c3b1 100644 > --- a/src/network_statements.md > +++ b/src/network_statements.md > @@ -102,7 +102,7 @@ the interface to a security context. > <tr> > <td><code>packet_context</code></td> > <td><p>The security context allocated packets. Note that these are defined but unused.</p> > -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> > +<p>The iptables(8)/nftables(8) <a > href="network_support.md#internal-labeling-secmark">SECMARK > services</a> should be used to label packets.</p></td> > </tr> > </tbody> > </table> > diff --git a/src/network_support.md b/src/network_support.md > index 309e863..6f9896b 100644 > --- a/src/network_support.md > +++ b/src/network_support.md > @@ -1,20 +1,17 @@ > # SELinux Networking Support > > -SELinux supports the following types of network labeling: > +SELinux supports several methods for access control of networks. These are > > -**Internal labeling** - This is where network objects are labeled and > -managed internally within a single machine (i.e. their labels are not > -transmitted as part of the session with remote systems). There are two > -types supported: SECMARK and NetLabel. There was a service known as > -'compat_net' controls, however that was removed in kernel 2.6.30. > +* Packet labeling: class `packet` > +* Peer labeling: class `peer` > +* Interface control: class `netif` > +* Network node control: class `node` > +* TCP/UDP/SCTP/DCCP ports: class `port` > > -**Labeled Networking** - This is where labels are passed to/from remote > -systems where they can be interpreted and a MAC policy enforced on each > -system. There are three types supported: Labeled IPSec, CIPSO > -(Commercial IP Security Option) and CALIPSO (Common Architecture Label > -IPv6 Security Option) > +Networking support is not enabled by default. It can be enabled either > +the policy capabilities or by loading SECMARK rules. > > -There are two policy capability options that can be set within policy > +There are three policy capability options that can be set within policy > using the `policycap` statement that affect networking configuration: > > **`network_peer_controls`** - This is always enabled in the latest > @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the > SELinux filesystem as shown in the > [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. > > -To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to > -be installed: > +SELinux supports the following types of network labeling: > + > +**Internal labeling** - This is where network objects are labeled and > +managed internally within a single machine (i.e. their labels are not > +transmitted as part of the session with remote systems). There are two > +types supported: SECMARK and NetLabel. There was a service known as > +'compat_net' controls, however that was removed in kernel 2.6.30. > + > +**Labeled Networking** - This is where labels are passed to/from remote > +systems where they can be interpreted and a MAC policy enforced on each > +system. There are three types supported: Labeled IPSec, CIPSO > +(Commercial IP Security Option) and CALIPSO (Common Architecture Label > +IPv6 Security Option). > + > +To support peer labeling with CIPSO and CALIPSO or fallback labeling, > +the NetLabel tools need to be installed: > > `dnf install netlabel_tools` > > @@ -52,8 +63,12 @@ OpenSwan but is now distributed as LibreSwan: > `dnf install libreswan` > > It is important to note that the kernel must be configured to support > -these services. The Fedora kernels are configured to handle all the above > -services. > +these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`, > +`CONFIG_NF_CONNTRACK_SECMARK`, > +`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`, > +`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`, > +`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are > +configured to handle all the above services. > > The Linux networking package *iproute* has an SELinux aware socket > statistics command ***ss**(8)* that will show the SELinux context of > @@ -65,7 +80,7 @@ to achieve this). > > <br> > > -## SECMARK > +## Internal labeling: SECMARK > > SECMARK makes use of the standard kernel NetFilter framework that > underpins the GNU / Linux IP networking sub-system. NetFilter services > @@ -73,7 +88,7 @@ automatically inspects all incoming and outgoing packets and can place > controls on interfaces, IP addresses (nodes) and ports with the added > advantage of connection tracking. The SECMARK security extensions allow > security contexts to be added to packets (SECMARK) or sessions > -(CONNSECMARK). > +(CONNSECMARK), belonging to object class of `packet`. > > The NetFilter framework inspects and tag packets with labels as defined > within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with > @@ -172,6 +187,16 @@ table ip6 security { > } > ``` > > +Before the SECMARK rules can be loaded, TE rules must be added to > +define the types, and also allow domains to send and/or receive > +objects of `packet` class: > + > +``` > +type test_server_packet_t, packet_type; > + > +allow my_server_t test_server_packet_t:packet { send recv }; > +``` > + > The following articles explain the SECMARK service: > - [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) > - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) > @@ -179,7 +204,7 @@ The following articles explain the SECMARK service: > > <br> > > -## NetLabel - Fallback Peer Labeling > +## Internal labeling: NetLabel - Fallback Peer Labeling > > Fallback labeling can optionally be implemented on a system if the > Labeled IPSec or CIPSO/CALIPSO is not being used (hence 'fallback > @@ -217,9 +242,20 @@ netlabelctl -p map list > Note that the security contexts must be valid in the policy otherwise the > commands will fail. > > +Before the NetLabel rules can be loaded, TE rules must be added to > +define the types. Then the rules can allow domains to receive data > +from objects of `peer` class: > + > +``` > +type netlabel_sctp_peer_t; > + > +allow my_server_t netlabel_sctp_peer_t:peer recv; > +``` > +Note that sending can't be controlled with `peer` class. > + > <br> > > -## NetLabel – CIPSO/CALIPSO > +## Labeled Networking: NetLabel – CIPSO/CALIPSO > > To allow MLS [**security levels**](mls_mcs.md#security-levels) to be passed > over a network between MLS > @@ -288,7 +324,7 @@ section, plus the standard Fedora 'targeted' policy for the tests. > > <br> > > -## Labeled IPSec > +## Labeled Networking: Labeled IPSec > > Labeled IPSec has been built into the standard GNU / Linux IPSec > services as described in the > @@ -451,6 +487,98 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. > > <br> > > +## Access Control for Network Interfaces > + > +SELinux domains can be restricted to use only specific network > +interfaces. TE rules must define the interface types and then allow a > +domain to `egress` in class `netif` for the defined interface types: > + > +``` > +require { > + attribute netif_type; > +} > + > +type external_if_t, netif_type; > +type loopback_if_t, netif_type; > + > +allow my_server_t external_if_t:netif egress; > +allow my_server_t loopback_if_t:netif egress; > +``` > + > +The interfaces must also be labeled with ***semanage**(8)* (or by > +using `netifcon` statements in the policy): > +``` > +semanage interface -a -t loopback_if_t -r s0 lo > +semanage interface -a -t external_if_t -r s0 eth0 > +``` > + > +Note that reception can't be controlled with `netif` class. Probably nothing but I did not understand this: Is reception not controlled with the netif ingress permission? > + > +<br> > + > +## Access Control for Network Nodes > + > +Domains can be restricted by SELinux to access and bind sockets to > +only dedicated network nodes (in practice, IP addresses). > + > +The node types must be defined and then the node types can be used for > +TE rules as target context. TE rules to allow a domain to `sendto` for > +class `node` and to `node_bind` (for incoming connections) for class > +`tcp_socket`: > + > +``` > +require { > + attribute node_type; > +} > + > +type loopback_node_t, node_type; > +type internet_node_t, node_type; > +type link_local_node_t, node_type; > +type multicast_node_t, node_type; > + > +allow my_server_t loopback_node_t:node sendto; > +allow my_server_t loopback_node_t:tcp_socket node_bind; > +allow my_server_t internet_node_t:node sendto; > +``` > + > +After the types have been defined, corresponding node rules can be > +added with `semanage` (or `nodecon` statements): > +``` > +semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1 > +semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000:: > +semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00:: > +semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00:: > +``` > + > +<br> > + > +## Access Control for Network Ports > + > +SELinux policy can also control access to ports used by various > +networking protocols such as TCP, UDP, SCTP and DCCP. TE rules must > +define the port types and then allow a domain to `name_connect` > +(outgoing) or `name_bind` (incoming) in class `tcp_socket` (or > +`udp_socket` etc) for the defined port types: > + > +``` > +require { > + attribute port_type; > +} > + > +type my_server_port_t, port_type; > + > +allow my_server_t my_server_port_t:tcp_socket name_connect; > +allow my_server_t my_server_port_t:tcp_socket name_bind; > +``` > + > +The ports must also be labeled with `semanage` (or `portcon` > +statements): > +``` > +semanage port -a -t my_server_port_t -p tcp -r s0 12345 > +``` > + > +<br> > + > <section class="footnotes"> > <ol> > <li id="fnn1"><p>For example, an ftp session where the server is > listening on a specific port (the destination port) but the client > will be assigned a random source port. The CONNSECMARK will ensure > that all packets for the ftp session are marked with the same label.<a > href="#fnnet1" class="footnote-back">↩</a></p></li> -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 13:57 ` Dominick Grift @ 2020-07-27 15:21 ` Topi Miettinen 2020-07-27 15:39 ` Dominick Grift 2020-07-28 2:49 ` Paul Moore 1 sibling, 1 reply; 14+ messages in thread From: Topi Miettinen @ 2020-07-27 15:21 UTC (permalink / raw) To: Dominick Grift; +Cc: selinux On 27.7.2020 16.57, Dominick Grift wrote: > Topi Miettinen <toiwoton@gmail.com> writes: > >> List all access control methods available for networking and provide >> examples for each. >> >> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >> >> --- >> v2: address comments from Richard Haines >> --- >> src/network_statements.md | 2 +- >> src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- >> 2 files changed, 150 insertions(+), 22 deletions(-) >> >> diff --git a/src/network_statements.md b/src/network_statements.md >> index ef1c873..357c3b1 100644 >> --- a/src/network_statements.md >> +++ b/src/network_statements.md >> @@ -102,7 +102,7 @@ the interface to a security context. >> <tr> >> <td><code>packet_context</code></td> >> <td><p>The security context allocated packets. Note that these are defined but unused.</p> >> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> >> +<p>The iptables(8)/nftables(8) <a >> href="network_support.md#internal-labeling-secmark">SECMARK >> services</a> should be used to label packets.</p></td> >> </tr> >> </tbody> >> </table> >> diff --git a/src/network_support.md b/src/network_support.md >> index 309e863..6f9896b 100644 >> --- a/src/network_support.md >> +++ b/src/network_support.md >> @@ -1,20 +1,17 @@ >> # SELinux Networking Support >> >> -SELinux supports the following types of network labeling: >> +SELinux supports several methods for access control of networks. These are >> >> -**Internal labeling** - This is where network objects are labeled and >> -managed internally within a single machine (i.e. their labels are not >> -transmitted as part of the session with remote systems). There are two >> -types supported: SECMARK and NetLabel. There was a service known as >> -'compat_net' controls, however that was removed in kernel 2.6.30. >> +* Packet labeling: class `packet` >> +* Peer labeling: class `peer` >> +* Interface control: class `netif` >> +* Network node control: class `node` >> +* TCP/UDP/SCTP/DCCP ports: class `port` >> >> -**Labeled Networking** - This is where labels are passed to/from remote >> -systems where they can be interpreted and a MAC policy enforced on each >> -system. There are three types supported: Labeled IPSec, CIPSO >> -(Commercial IP Security Option) and CALIPSO (Common Architecture Label >> -IPv6 Security Option) >> +Networking support is not enabled by default. It can be enabled either >> +the policy capabilities or by loading SECMARK rules. >> >> -There are two policy capability options that can be set within policy >> +There are three policy capability options that can be set within policy >> using the `policycap` statement that affect networking configuration: >> >> **`network_peer_controls`** - This is always enabled in the latest >> @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the >> SELinux filesystem as shown in the >> [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. >> >> -To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to >> -be installed: >> +SELinux supports the following types of network labeling: >> + >> +**Internal labeling** - This is where network objects are labeled and >> +managed internally within a single machine (i.e. their labels are not >> +transmitted as part of the session with remote systems). There are two >> +types supported: SECMARK and NetLabel. There was a service known as >> +'compat_net' controls, however that was removed in kernel 2.6.30. >> + >> +**Labeled Networking** - This is where labels are passed to/from remote >> +systems where they can be interpreted and a MAC policy enforced on each >> +system. There are three types supported: Labeled IPSec, CIPSO >> +(Commercial IP Security Option) and CALIPSO (Common Architecture Label >> +IPv6 Security Option). >> + >> +To support peer labeling with CIPSO and CALIPSO or fallback labeling, >> +the NetLabel tools need to be installed: >> >> `dnf install netlabel_tools` >> >> @@ -52,8 +63,12 @@ OpenSwan but is now distributed as LibreSwan: >> `dnf install libreswan` >> >> It is important to note that the kernel must be configured to support >> -these services. The Fedora kernels are configured to handle all the above >> -services. >> +these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`, >> +`CONFIG_NF_CONNTRACK_SECMARK`, >> +`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`, >> +`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`, >> +`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are >> +configured to handle all the above services. >> >> The Linux networking package *iproute* has an SELinux aware socket >> statistics command ***ss**(8)* that will show the SELinux context of >> @@ -65,7 +80,7 @@ to achieve this). >> >> <br> >> >> -## SECMARK >> +## Internal labeling: SECMARK >> >> SECMARK makes use of the standard kernel NetFilter framework that >> underpins the GNU / Linux IP networking sub-system. NetFilter services >> @@ -73,7 +88,7 @@ automatically inspects all incoming and outgoing packets and can place >> controls on interfaces, IP addresses (nodes) and ports with the added >> advantage of connection tracking. The SECMARK security extensions allow >> security contexts to be added to packets (SECMARK) or sessions >> -(CONNSECMARK). >> +(CONNSECMARK), belonging to object class of `packet`. >> >> The NetFilter framework inspects and tag packets with labels as defined >> within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with >> @@ -172,6 +187,16 @@ table ip6 security { >> } >> ``` >> >> +Before the SECMARK rules can be loaded, TE rules must be added to >> +define the types, and also allow domains to send and/or receive >> +objects of `packet` class: >> + >> +``` >> +type test_server_packet_t, packet_type; >> + >> +allow my_server_t test_server_packet_t:packet { send recv }; >> +``` >> + >> The following articles explain the SECMARK service: >> - [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) >> - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) >> @@ -179,7 +204,7 @@ The following articles explain the SECMARK service: >> >> <br> >> >> -## NetLabel - Fallback Peer Labeling >> +## Internal labeling: NetLabel - Fallback Peer Labeling >> >> Fallback labeling can optionally be implemented on a system if the >> Labeled IPSec or CIPSO/CALIPSO is not being used (hence 'fallback >> @@ -217,9 +242,20 @@ netlabelctl -p map list >> Note that the security contexts must be valid in the policy otherwise the >> commands will fail. >> >> +Before the NetLabel rules can be loaded, TE rules must be added to >> +define the types. Then the rules can allow domains to receive data >> +from objects of `peer` class: >> + >> +``` >> +type netlabel_sctp_peer_t; >> + >> +allow my_server_t netlabel_sctp_peer_t:peer recv; >> +``` >> +Note that sending can't be controlled with `peer` class. >> + >> <br> >> >> -## NetLabel – CIPSO/CALIPSO >> +## Labeled Networking: NetLabel – CIPSO/CALIPSO >> >> To allow MLS [**security levels**](mls_mcs.md#security-levels) to be passed >> over a network between MLS >> @@ -288,7 +324,7 @@ section, plus the standard Fedora 'targeted' policy for the tests. >> >> <br> >> >> -## Labeled IPSec >> +## Labeled Networking: Labeled IPSec >> >> Labeled IPSec has been built into the standard GNU / Linux IPSec >> services as described in the >> @@ -451,6 +487,98 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. >> >> <br> >> >> +## Access Control for Network Interfaces >> + >> +SELinux domains can be restricted to use only specific network >> +interfaces. TE rules must define the interface types and then allow a >> +domain to `egress` in class `netif` for the defined interface types: >> + >> +``` >> +require { >> + attribute netif_type; >> +} >> + >> +type external_if_t, netif_type; >> +type loopback_if_t, netif_type; >> + >> +allow my_server_t external_if_t:netif egress; >> +allow my_server_t loopback_if_t:netif egress; >> +``` >> + >> +The interfaces must also be labeled with ***semanage**(8)* (or by >> +using `netifcon` statements in the policy): >> +``` >> +semanage interface -a -t loopback_if_t -r s0 lo >> +semanage interface -a -t external_if_t -r s0 eth0 >> +``` >> + >> +Note that reception can't be controlled with `netif` class. > > Probably nothing but I did not understand this: Is reception not > controlled with the netif ingress permission? I'm no expert, but the only netif ingress rules which I have are rather generic: allow internet_peer_t external_if_t:netif ingress; allow link_local_peer_t external_if_t:netif ingress; allow localnet_peer_t external_if_t:netif ingress; allow multicast_peer_t external_if_t:netif ingress; allow loopback_peer_t loopback_if_t:netif ingress; `peer` types above have been added with NetLabel rules like: netlabelctl unlbl add default address:2000::/3 label:system_u:object_r:internet_peer_t:s0 Perhaps this would be better: Note that reception for application domains can't be controlled with `netif` class. > >> + >> +<br> >> + >> +## Access Control for Network Nodes >> + >> +Domains can be restricted by SELinux to access and bind sockets to >> +only dedicated network nodes (in practice, IP addresses). >> + >> +The node types must be defined and then the node types can be used for >> +TE rules as target context. TE rules to allow a domain to `sendto` for >> +class `node` and to `node_bind` (for incoming connections) for class >> +`tcp_socket`: >> + >> +``` >> +require { >> + attribute node_type; >> +} >> + >> +type loopback_node_t, node_type; >> +type internet_node_t, node_type; >> +type link_local_node_t, node_type; >> +type multicast_node_t, node_type; >> + >> +allow my_server_t loopback_node_t:node sendto; >> +allow my_server_t loopback_node_t:tcp_socket node_bind; >> +allow my_server_t internet_node_t:node sendto; >> +``` >> + >> +After the types have been defined, corresponding node rules can be >> +added with `semanage` (or `nodecon` statements): >> +``` >> +semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1 >> +semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000:: >> +semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00:: >> +semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00:: >> +``` >> + >> +<br> >> + >> +## Access Control for Network Ports >> + >> +SELinux policy can also control access to ports used by various >> +networking protocols such as TCP, UDP, SCTP and DCCP. TE rules must >> +define the port types and then allow a domain to `name_connect` >> +(outgoing) or `name_bind` (incoming) in class `tcp_socket` (or >> +`udp_socket` etc) for the defined port types: >> + >> +``` >> +require { >> + attribute port_type; >> +} >> + >> +type my_server_port_t, port_type; >> + >> +allow my_server_t my_server_port_t:tcp_socket name_connect; >> +allow my_server_t my_server_port_t:tcp_socket name_bind; >> +``` >> + >> +The ports must also be labeled with `semanage` (or `portcon` >> +statements): >> +``` >> +semanage port -a -t my_server_port_t -p tcp -r s0 12345 >> +``` >> + >> +<br> >> + >> <section class="footnotes"> >> <ol> >> <li id="fnn1"><p>For example, an ftp session where the server is >> listening on a specific port (the destination port) but the client >> will be assigned a random source port. The CONNSECMARK will ensure >> that all packets for the ftp session are marked with the same label.<a >> href="#fnnet1" class="footnote-back">↩</a></p></li> > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 15:21 ` Topi Miettinen @ 2020-07-27 15:39 ` Dominick Grift 2020-07-27 20:20 ` Topi Miettinen 2020-07-28 2:57 ` Paul Moore 0 siblings, 2 replies; 14+ messages in thread From: Dominick Grift @ 2020-07-27 15:39 UTC (permalink / raw) To: Topi Miettinen; +Cc: selinux Topi Miettinen <toiwoton@gmail.com> writes: > On 27.7.2020 16.57, Dominick Grift wrote: >> Topi Miettinen <toiwoton@gmail.com> writes: >> >>> List all access control methods available for networking and provide >>> examples for each. >>> >>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >>> >>> --- >>> v2: address comments from Richard Haines >>> --- >>> src/network_statements.md | 2 +- >>> src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- >>> 2 files changed, 150 insertions(+), 22 deletions(-) >>> >>> diff --git a/src/network_statements.md b/src/network_statements.md >>> index ef1c873..357c3b1 100644 >>> --- a/src/network_statements.md >>> +++ b/src/network_statements.md >>> @@ -102,7 +102,7 @@ the interface to a security context. >>> <tr> >>> <td><code>packet_context</code></td> >>> <td><p>The security context allocated packets. Note that these are defined but unused.</p> >>> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> >>> +<p>The iptables(8)/nftables(8) <a >>> href="network_support.md#internal-labeling-secmark">SECMARK >>> services</a> should be used to label packets.</p></td> >>> </tr> >>> </tbody> >>> </table> >>> diff --git a/src/network_support.md b/src/network_support.md >>> index 309e863..6f9896b 100644 >>> --- a/src/network_support.md >>> +++ b/src/network_support.md >>> @@ -1,20 +1,17 @@ >>> # SELinux Networking Support >>> -SELinux supports the following types of network labeling: >>> +SELinux supports several methods for access control of networks. These are >>> -**Internal labeling** - This is where network objects are >>> labeled and >>> -managed internally within a single machine (i.e. their labels are not >>> -transmitted as part of the session with remote systems). There are two >>> -types supported: SECMARK and NetLabel. There was a service known as >>> -'compat_net' controls, however that was removed in kernel 2.6.30. >>> +* Packet labeling: class `packet` >>> +* Peer labeling: class `peer` >>> +* Interface control: class `netif` >>> +* Network node control: class `node` >>> +* TCP/UDP/SCTP/DCCP ports: class `port` >>> -**Labeled Networking** - This is where labels are passed to/from >>> remote >>> -systems where they can be interpreted and a MAC policy enforced on each >>> -system. There are three types supported: Labeled IPSec, CIPSO >>> -(Commercial IP Security Option) and CALIPSO (Common Architecture Label >>> -IPv6 Security Option) >>> +Networking support is not enabled by default. It can be enabled either >>> +the policy capabilities or by loading SECMARK rules. >>> -There are two policy capability options that can be set within >>> policy >>> +There are three policy capability options that can be set within policy >>> using the `policycap` statement that affect networking configuration: >>> **`network_peer_controls`** - This is always enabled in the >>> latest >>> @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the >>> SELinux filesystem as shown in the >>> [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. >>> -To support peer labeling, CIPSO and CALIPSO the NetLabel tools >>> need to >>> -be installed: >>> +SELinux supports the following types of network labeling: >>> + >>> +**Internal labeling** - This is where network objects are labeled and >>> +managed internally within a single machine (i.e. their labels are not >>> +transmitted as part of the session with remote systems). There are two >>> +types supported: SECMARK and NetLabel. There was a service known as >>> +'compat_net' controls, however that was removed in kernel 2.6.30. >>> + >>> +**Labeled Networking** - This is where labels are passed to/from remote >>> +systems where they can be interpreted and a MAC policy enforced on each >>> +system. There are three types supported: Labeled IPSec, CIPSO >>> +(Commercial IP Security Option) and CALIPSO (Common Architecture Label >>> +IPv6 Security Option). >>> + >>> +To support peer labeling with CIPSO and CALIPSO or fallback labeling, >>> +the NetLabel tools need to be installed: >>> `dnf install netlabel_tools` >>> @@ -52,8 +63,12 @@ OpenSwan but is now distributed as LibreSwan: >>> `dnf install libreswan` >>> It is important to note that the kernel must be configured to >>> support >>> -these services. The Fedora kernels are configured to handle all the above >>> -services. >>> +these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`, >>> +`CONFIG_NF_CONNTRACK_SECMARK`, >>> +`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`, >>> +`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`, >>> +`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are >>> +configured to handle all the above services. >>> The Linux networking package *iproute* has an SELinux aware >>> socket >>> statistics command ***ss**(8)* that will show the SELinux context of >>> @@ -65,7 +80,7 @@ to achieve this). >>> <br> >>> -## SECMARK >>> +## Internal labeling: SECMARK >>> SECMARK makes use of the standard kernel NetFilter framework >>> that >>> underpins the GNU / Linux IP networking sub-system. NetFilter services >>> @@ -73,7 +88,7 @@ automatically inspects all incoming and outgoing packets and can place >>> controls on interfaces, IP addresses (nodes) and ports with the added >>> advantage of connection tracking. The SECMARK security extensions allow >>> security contexts to be added to packets (SECMARK) or sessions >>> -(CONNSECMARK). >>> +(CONNSECMARK), belonging to object class of `packet`. >>> The NetFilter framework inspects and tag packets with labels as >>> defined >>> within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with >>> @@ -172,6 +187,16 @@ table ip6 security { >>> } >>> ``` >>> +Before the SECMARK rules can be loaded, TE rules must be added >>> to >>> +define the types, and also allow domains to send and/or receive >>> +objects of `packet` class: >>> + >>> +``` >>> +type test_server_packet_t, packet_type; >>> + >>> +allow my_server_t test_server_packet_t:packet { send recv }; >>> +``` >>> + >>> The following articles explain the SECMARK service: >>> - [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) >>> - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) >>> @@ -179,7 +204,7 @@ The following articles explain the SECMARK service: >>> <br> >>> -## NetLabel - Fallback Peer Labeling >>> +## Internal labeling: NetLabel - Fallback Peer Labeling >>> Fallback labeling can optionally be implemented on a system if >>> the >>> Labeled IPSec or CIPSO/CALIPSO is not being used (hence 'fallback >>> @@ -217,9 +242,20 @@ netlabelctl -p map list >>> Note that the security contexts must be valid in the policy otherwise the >>> commands will fail. >>> +Before the NetLabel rules can be loaded, TE rules must be added >>> to >>> +define the types. Then the rules can allow domains to receive data >>> +from objects of `peer` class: >>> + >>> +``` >>> +type netlabel_sctp_peer_t; >>> + >>> +allow my_server_t netlabel_sctp_peer_t:peer recv; >>> +``` >>> +Note that sending can't be controlled with `peer` class. >>> + >>> <br> >>> -## NetLabel – CIPSO/CALIPSO >>> +## Labeled Networking: NetLabel – CIPSO/CALIPSO >>> To allow MLS [**security levels**](mls_mcs.md#security-levels) >>> to be passed >>> over a network between MLS >>> @@ -288,7 +324,7 @@ section, plus the standard Fedora 'targeted' policy for the tests. >>> <br> >>> -## Labeled IPSec >>> +## Labeled Networking: Labeled IPSec >>> Labeled IPSec has been built into the standard GNU / Linux >>> IPSec >>> services as described in the >>> @@ -451,6 +487,98 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. >>> <br> >>> +## Access Control for Network Interfaces >>> + >>> +SELinux domains can be restricted to use only specific network >>> +interfaces. TE rules must define the interface types and then allow a >>> +domain to `egress` in class `netif` for the defined interface types: >>> + >>> +``` >>> +require { >>> + attribute netif_type; >>> +} >>> + >>> +type external_if_t, netif_type; >>> +type loopback_if_t, netif_type; >>> + >>> +allow my_server_t external_if_t:netif egress; >>> +allow my_server_t loopback_if_t:netif egress; >>> +``` >>> + >>> +The interfaces must also be labeled with ***semanage**(8)* (or by >>> +using `netifcon` statements in the policy): >>> +``` >>> +semanage interface -a -t loopback_if_t -r s0 lo >>> +semanage interface -a -t external_if_t -r s0 eth0 >>> +``` >>> + >>> +Note that reception can't be controlled with `netif` class. >> >> Probably nothing but I did not understand this: Is reception not >> controlled with the netif ingress permission? > > I'm no expert, but the only netif ingress rules which I have are > rather generic: > > allow internet_peer_t external_if_t:netif ingress; > allow link_local_peer_t external_if_t:netif ingress; > allow localnet_peer_t external_if_t:netif ingress; > allow multicast_peer_t external_if_t:netif ingress; > allow loopback_peer_t loopback_if_t:netif ingress; > > `peer` types above have been added with NetLabel rules like: > > netlabelctl unlbl add default address:2000::/3 > label:system_u:object_r:internet_peer_t:s0 > > Perhaps this would be better: > > Note that reception for application domains can't be controlled with > `netif` class. > I look at it this way: peers *are* processes, You seem to essentually use peers as nodes above. It would become more clear if you would try this out with labeled ipsec. A peer, in my experience is kind of the same as an association in the labeled ipsec scenario (the classes actually overlap). That is also why you should probably disable the netlabel_peer_controls polcap if you use labeled ipsec. >> >>> + >>> +<br> >>> + >>> +## Access Control for Network Nodes >>> + >>> +Domains can be restricted by SELinux to access and bind sockets to >>> +only dedicated network nodes (in practice, IP addresses). >>> + >>> +The node types must be defined and then the node types can be used for >>> +TE rules as target context. TE rules to allow a domain to `sendto` for >>> +class `node` and to `node_bind` (for incoming connections) for class >>> +`tcp_socket`: >>> + >>> +``` >>> +require { >>> + attribute node_type; >>> +} >>> + >>> +type loopback_node_t, node_type; >>> +type internet_node_t, node_type; >>> +type link_local_node_t, node_type; >>> +type multicast_node_t, node_type; >>> + >>> +allow my_server_t loopback_node_t:node sendto; >>> +allow my_server_t loopback_node_t:tcp_socket node_bind; >>> +allow my_server_t internet_node_t:node sendto; >>> +``` >>> + >>> +After the types have been defined, corresponding node rules can be >>> +added with `semanage` (or `nodecon` statements): >>> +``` >>> +semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1 >>> +semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000:: >>> +semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00:: >>> +semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00:: >>> +``` >>> + >>> +<br> >>> + >>> +## Access Control for Network Ports >>> + >>> +SELinux policy can also control access to ports used by various >>> +networking protocols such as TCP, UDP, SCTP and DCCP. TE rules must >>> +define the port types and then allow a domain to `name_connect` >>> +(outgoing) or `name_bind` (incoming) in class `tcp_socket` (or >>> +`udp_socket` etc) for the defined port types: >>> + >>> +``` >>> +require { >>> + attribute port_type; >>> +} >>> + >>> +type my_server_port_t, port_type; >>> + >>> +allow my_server_t my_server_port_t:tcp_socket name_connect; >>> +allow my_server_t my_server_port_t:tcp_socket name_bind; >>> +``` >>> + >>> +The ports must also be labeled with `semanage` (or `portcon` >>> +statements): >>> +``` >>> +semanage port -a -t my_server_port_t -p tcp -r s0 12345 >>> +``` >>> + >>> +<br> >>> + >>> <section class="footnotes"> >>> <ol> >>> <li id="fnn1"><p>For example, an ftp session where the server is >>> listening on a specific port (the destination port) but the client >>> will be assigned a random source port. The CONNSECMARK will ensure >>> that all packets for the ftp session are marked with the same label.<a >>> href="#fnnet1" class="footnote-back">↩</a></p></li> >> > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 15:39 ` Dominick Grift @ 2020-07-27 20:20 ` Topi Miettinen 2020-07-27 20:36 ` Dominick Grift 2020-07-28 2:57 ` Paul Moore 1 sibling, 1 reply; 14+ messages in thread From: Topi Miettinen @ 2020-07-27 20:20 UTC (permalink / raw) To: Dominick Grift; +Cc: selinux On 27.7.2020 18.39, Dominick Grift wrote: > Topi Miettinen <toiwoton@gmail.com> writes: > >> On 27.7.2020 16.57, Dominick Grift wrote: >>> Topi Miettinen <toiwoton@gmail.com> writes: >>> >>>> List all access control methods available for networking and provide >>>> examples for each. >>>> >>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >>>> >>>> --- >>>> v2: address comments from Richard Haines >>>> --- >>>> src/network_statements.md | 2 +- >>>> src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- >>>> 2 files changed, 150 insertions(+), 22 deletions(-) >>>> >>>> diff --git a/src/network_statements.md b/src/network_statements.md >>>> index ef1c873..357c3b1 100644 >>>> --- a/src/network_statements.md >>>> +++ b/src/network_statements.md >>>> @@ -102,7 +102,7 @@ the interface to a security context. >>>> <tr> >>>> <td><code>packet_context</code></td> >>>> <td><p>The security context allocated packets. Note that these are defined but unused.</p> >>>> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> >>>> +<p>The iptables(8)/nftables(8) <a >>>> href="network_support.md#internal-labeling-secmark">SECMARK >>>> services</a> should be used to label packets.</p></td> >>>> </tr> >>>> </tbody> >>>> </table> >>>> diff --git a/src/network_support.md b/src/network_support.md >>>> index 309e863..6f9896b 100644 >>>> --- a/src/network_support.md >>>> +++ b/src/network_support.md >>>> @@ -1,20 +1,17 @@ >>>> # SELinux Networking Support >>>> -SELinux supports the following types of network labeling: >>>> +SELinux supports several methods for access control of networks. These are >>>> -**Internal labeling** - This is where network objects are >>>> labeled and >>>> -managed internally within a single machine (i.e. their labels are not >>>> -transmitted as part of the session with remote systems). There are two >>>> -types supported: SECMARK and NetLabel. There was a service known as >>>> -'compat_net' controls, however that was removed in kernel 2.6.30. >>>> +* Packet labeling: class `packet` >>>> +* Peer labeling: class `peer` >>>> +* Interface control: class `netif` >>>> +* Network node control: class `node` >>>> +* TCP/UDP/SCTP/DCCP ports: class `port` >>>> -**Labeled Networking** - This is where labels are passed to/from >>>> remote >>>> -systems where they can be interpreted and a MAC policy enforced on each >>>> -system. There are three types supported: Labeled IPSec, CIPSO >>>> -(Commercial IP Security Option) and CALIPSO (Common Architecture Label >>>> -IPv6 Security Option) >>>> +Networking support is not enabled by default. It can be enabled either >>>> +the policy capabilities or by loading SECMARK rules. >>>> -There are two policy capability options that can be set within >>>> policy >>>> +There are three policy capability options that can be set within policy >>>> using the `policycap` statement that affect networking configuration: >>>> **`network_peer_controls`** - This is always enabled in the >>>> latest >>>> @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the >>>> SELinux filesystem as shown in the >>>> [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. >>>> -To support peer labeling, CIPSO and CALIPSO the NetLabel tools >>>> need to >>>> -be installed: >>>> +SELinux supports the following types of network labeling: >>>> + >>>> +**Internal labeling** - This is where network objects are labeled and >>>> +managed internally within a single machine (i.e. their labels are not >>>> +transmitted as part of the session with remote systems). There are two >>>> +types supported: SECMARK and NetLabel. There was a service known as >>>> +'compat_net' controls, however that was removed in kernel 2.6.30. >>>> + >>>> +**Labeled Networking** - This is where labels are passed to/from remote >>>> +systems where they can be interpreted and a MAC policy enforced on each >>>> +system. There are three types supported: Labeled IPSec, CIPSO >>>> +(Commercial IP Security Option) and CALIPSO (Common Architecture Label >>>> +IPv6 Security Option). >>>> + >>>> +To support peer labeling with CIPSO and CALIPSO or fallback labeling, >>>> +the NetLabel tools need to be installed: >>>> `dnf install netlabel_tools` >>>> @@ -52,8 +63,12 @@ OpenSwan but is now distributed as LibreSwan: >>>> `dnf install libreswan` >>>> It is important to note that the kernel must be configured to >>>> support >>>> -these services. The Fedora kernels are configured to handle all the above >>>> -services. >>>> +these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`, >>>> +`CONFIG_NF_CONNTRACK_SECMARK`, >>>> +`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`, >>>> +`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`, >>>> +`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are >>>> +configured to handle all the above services. >>>> The Linux networking package *iproute* has an SELinux aware >>>> socket >>>> statistics command ***ss**(8)* that will show the SELinux context of >>>> @@ -65,7 +80,7 @@ to achieve this). >>>> <br> >>>> -## SECMARK >>>> +## Internal labeling: SECMARK >>>> SECMARK makes use of the standard kernel NetFilter framework >>>> that >>>> underpins the GNU / Linux IP networking sub-system. NetFilter services >>>> @@ -73,7 +88,7 @@ automatically inspects all incoming and outgoing packets and can place >>>> controls on interfaces, IP addresses (nodes) and ports with the added >>>> advantage of connection tracking. The SECMARK security extensions allow >>>> security contexts to be added to packets (SECMARK) or sessions >>>> -(CONNSECMARK). >>>> +(CONNSECMARK), belonging to object class of `packet`. >>>> The NetFilter framework inspects and tag packets with labels as >>>> defined >>>> within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with >>>> @@ -172,6 +187,16 @@ table ip6 security { >>>> } >>>> ``` >>>> +Before the SECMARK rules can be loaded, TE rules must be added >>>> to >>>> +define the types, and also allow domains to send and/or receive >>>> +objects of `packet` class: >>>> + >>>> +``` >>>> +type test_server_packet_t, packet_type; >>>> + >>>> +allow my_server_t test_server_packet_t:packet { send recv }; >>>> +``` >>>> + >>>> The following articles explain the SECMARK service: >>>> - [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) >>>> - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) >>>> @@ -179,7 +204,7 @@ The following articles explain the SECMARK service: >>>> <br> >>>> -## NetLabel - Fallback Peer Labeling >>>> +## Internal labeling: NetLabel - Fallback Peer Labeling >>>> Fallback labeling can optionally be implemented on a system if >>>> the >>>> Labeled IPSec or CIPSO/CALIPSO is not being used (hence 'fallback >>>> @@ -217,9 +242,20 @@ netlabelctl -p map list >>>> Note that the security contexts must be valid in the policy otherwise the >>>> commands will fail. >>>> +Before the NetLabel rules can be loaded, TE rules must be added >>>> to >>>> +define the types. Then the rules can allow domains to receive data >>>> +from objects of `peer` class: >>>> + >>>> +``` >>>> +type netlabel_sctp_peer_t; >>>> + >>>> +allow my_server_t netlabel_sctp_peer_t:peer recv; >>>> +``` >>>> +Note that sending can't be controlled with `peer` class. >>>> + >>>> <br> >>>> -## NetLabel – CIPSO/CALIPSO >>>> +## Labeled Networking: NetLabel – CIPSO/CALIPSO >>>> To allow MLS [**security levels**](mls_mcs.md#security-levels) >>>> to be passed >>>> over a network between MLS >>>> @@ -288,7 +324,7 @@ section, plus the standard Fedora 'targeted' policy for the tests. >>>> <br> >>>> -## Labeled IPSec >>>> +## Labeled Networking: Labeled IPSec >>>> Labeled IPSec has been built into the standard GNU / Linux >>>> IPSec >>>> services as described in the >>>> @@ -451,6 +487,98 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. >>>> <br> >>>> +## Access Control for Network Interfaces >>>> + >>>> +SELinux domains can be restricted to use only specific network >>>> +interfaces. TE rules must define the interface types and then allow a >>>> +domain to `egress` in class `netif` for the defined interface types: >>>> + >>>> +``` >>>> +require { >>>> + attribute netif_type; >>>> +} >>>> + >>>> +type external_if_t, netif_type; >>>> +type loopback_if_t, netif_type; >>>> + >>>> +allow my_server_t external_if_t:netif egress; >>>> +allow my_server_t loopback_if_t:netif egress; >>>> +``` >>>> + >>>> +The interfaces must also be labeled with ***semanage**(8)* (or by >>>> +using `netifcon` statements in the policy): >>>> +``` >>>> +semanage interface -a -t loopback_if_t -r s0 lo >>>> +semanage interface -a -t external_if_t -r s0 eth0 >>>> +``` >>>> + >>>> +Note that reception can't be controlled with `netif` class. >>> >>> Probably nothing but I did not understand this: Is reception not >>> controlled with the netif ingress permission? >> >> I'm no expert, but the only netif ingress rules which I have are >> rather generic: >> >> allow internet_peer_t external_if_t:netif ingress; >> allow link_local_peer_t external_if_t:netif ingress; >> allow localnet_peer_t external_if_t:netif ingress; >> allow multicast_peer_t external_if_t:netif ingress; >> allow loopback_peer_t loopback_if_t:netif ingress; >> >> `peer` types above have been added with NetLabel rules like: >> >> netlabelctl unlbl add default address:2000::/3 >> label:system_u:object_r:internet_peer_t:s0 >> >> Perhaps this would be better: >> >> Note that reception for application domains can't be controlled with >> `netif` class. >> > > I look at it this way: peers *are* processes, You seem to > essentually use peers as nodes above. I think both are true. When labeled IPSec is used, it's probably (I haven't tried it yet) possible to identify peers at process level. Without IPSec it's only possible to get peer labeling with NetLabel rules, which only allow IP address (host or even networks of hosts) level accuracy. > It would become more clear if you would try this out with labeled ipsec. > A peer, in my experience is kind of the same as an association in the > labeled ipsec scenario (the classes actually overlap). That is also why > you should probably disable the netlabel_peer_controls polcap if you use > labeled ipsec. Right, but I think my setup could be useful for cases where labeled IPSec is not used. Do you see AVC denials etc. for netif *ingress* for process level domains with labeled IPSec? -Topi >>> >>>> + >>>> +<br> >>>> + >>>> +## Access Control for Network Nodes >>>> + >>>> +Domains can be restricted by SELinux to access and bind sockets to >>>> +only dedicated network nodes (in practice, IP addresses). >>>> + >>>> +The node types must be defined and then the node types can be used for >>>> +TE rules as target context. TE rules to allow a domain to `sendto` for >>>> +class `node` and to `node_bind` (for incoming connections) for class >>>> +`tcp_socket`: >>>> + >>>> +``` >>>> +require { >>>> + attribute node_type; >>>> +} >>>> + >>>> +type loopback_node_t, node_type; >>>> +type internet_node_t, node_type; >>>> +type link_local_node_t, node_type; >>>> +type multicast_node_t, node_type; >>>> + >>>> +allow my_server_t loopback_node_t:node sendto; >>>> +allow my_server_t loopback_node_t:tcp_socket node_bind; >>>> +allow my_server_t internet_node_t:node sendto; >>>> +``` >>>> + >>>> +After the types have been defined, corresponding node rules can be >>>> +added with `semanage` (or `nodecon` statements): >>>> +``` >>>> +semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1 >>>> +semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000:: >>>> +semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00:: >>>> +semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00:: >>>> +``` >>>> + >>>> +<br> >>>> + >>>> +## Access Control for Network Ports >>>> + >>>> +SELinux policy can also control access to ports used by various >>>> +networking protocols such as TCP, UDP, SCTP and DCCP. TE rules must >>>> +define the port types and then allow a domain to `name_connect` >>>> +(outgoing) or `name_bind` (incoming) in class `tcp_socket` (or >>>> +`udp_socket` etc) for the defined port types: >>>> + >>>> +``` >>>> +require { >>>> + attribute port_type; >>>> +} >>>> + >>>> +type my_server_port_t, port_type; >>>> + >>>> +allow my_server_t my_server_port_t:tcp_socket name_connect; >>>> +allow my_server_t my_server_port_t:tcp_socket name_bind; >>>> +``` >>>> + >>>> +The ports must also be labeled with `semanage` (or `portcon` >>>> +statements): >>>> +``` >>>> +semanage port -a -t my_server_port_t -p tcp -r s0 12345 >>>> +``` >>>> + >>>> +<br> >>>> + >>>> <section class="footnotes"> >>>> <ol> >>>> <li id="fnn1"><p>For example, an ftp session where the server is >>>> listening on a specific port (the destination port) but the client >>>> will be assigned a random source port. The CONNSECMARK will ensure >>>> that all packets for the ftp session are marked with the same label.<a >>>> href="#fnnet1" class="footnote-back">↩</a></p></li> >>> >> > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 20:20 ` Topi Miettinen @ 2020-07-27 20:36 ` Dominick Grift 2020-07-27 21:44 ` Topi Miettinen 2020-07-28 3:08 ` Paul Moore 0 siblings, 2 replies; 14+ messages in thread From: Dominick Grift @ 2020-07-27 20:36 UTC (permalink / raw) To: Topi Miettinen; +Cc: selinux Topi Miettinen <toiwoton@gmail.com> writes: > On 27.7.2020 18.39, Dominick Grift wrote: >> Topi Miettinen <toiwoton@gmail.com> writes: >> >>> On 27.7.2020 16.57, Dominick Grift wrote: >>>> Topi Miettinen <toiwoton@gmail.com> writes: >>>> >>>>> List all access control methods available for networking and provide >>>>> examples for each. >>>>> >>>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >>>>> >>>>> --- >>>>> v2: address comments from Richard Haines >>>>> --- >>>>> src/network_statements.md | 2 +- >>>>> src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- >>>>> 2 files changed, 150 insertions(+), 22 deletions(-) >>>>> >>>>> diff --git a/src/network_statements.md b/src/network_statements.md >>>>> index ef1c873..357c3b1 100644 >>>>> --- a/src/network_statements.md >>>>> +++ b/src/network_statements.md >>>>> @@ -102,7 +102,7 @@ the interface to a security context. >>>>> <tr> >>>>> <td><code>packet_context</code></td> >>>>> <td><p>The security context allocated packets. Note that these are defined but unused.</p> >>>>> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> >>>>> +<p>The iptables(8)/nftables(8) <a >>>>> href="network_support.md#internal-labeling-secmark">SECMARK >>>>> services</a> should be used to label packets.</p></td> >>>>> </tr> >>>>> </tbody> >>>>> </table> >>>>> diff --git a/src/network_support.md b/src/network_support.md >>>>> index 309e863..6f9896b 100644 >>>>> --- a/src/network_support.md >>>>> +++ b/src/network_support.md >>>>> @@ -1,20 +1,17 @@ >>>>> # SELinux Networking Support >>>>> -SELinux supports the following types of network labeling: >>>>> +SELinux supports several methods for access control of networks. These are >>>>> -**Internal labeling** - This is where network objects are >>>>> labeled and >>>>> -managed internally within a single machine (i.e. their labels are not >>>>> -transmitted as part of the session with remote systems). There are two >>>>> -types supported: SECMARK and NetLabel. There was a service known as >>>>> -'compat_net' controls, however that was removed in kernel 2.6.30. >>>>> +* Packet labeling: class `packet` >>>>> +* Peer labeling: class `peer` >>>>> +* Interface control: class `netif` >>>>> +* Network node control: class `node` >>>>> +* TCP/UDP/SCTP/DCCP ports: class `port` >>>>> -**Labeled Networking** - This is where labels are passed to/from >>>>> remote >>>>> -systems where they can be interpreted and a MAC policy enforced on each >>>>> -system. There are three types supported: Labeled IPSec, CIPSO >>>>> -(Commercial IP Security Option) and CALIPSO (Common Architecture Label >>>>> -IPv6 Security Option) >>>>> +Networking support is not enabled by default. It can be enabled either >>>>> +the policy capabilities or by loading SECMARK rules. >>>>> -There are two policy capability options that can be set within >>>>> policy >>>>> +There are three policy capability options that can be set within policy >>>>> using the `policycap` statement that affect networking configuration: >>>>> **`network_peer_controls`** - This is always enabled in the >>>>> latest >>>>> @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the >>>>> SELinux filesystem as shown in the >>>>> [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. >>>>> -To support peer labeling, CIPSO and CALIPSO the NetLabel tools >>>>> need to >>>>> -be installed: >>>>> +SELinux supports the following types of network labeling: >>>>> + >>>>> +**Internal labeling** - This is where network objects are labeled and >>>>> +managed internally within a single machine (i.e. their labels are not >>>>> +transmitted as part of the session with remote systems). There are two >>>>> +types supported: SECMARK and NetLabel. There was a service known as >>>>> +'compat_net' controls, however that was removed in kernel 2.6.30. >>>>> + >>>>> +**Labeled Networking** - This is where labels are passed to/from remote >>>>> +systems where they can be interpreted and a MAC policy enforced on each >>>>> +system. There are three types supported: Labeled IPSec, CIPSO >>>>> +(Commercial IP Security Option) and CALIPSO (Common Architecture Label >>>>> +IPv6 Security Option). >>>>> + >>>>> +To support peer labeling with CIPSO and CALIPSO or fallback labeling, >>>>> +the NetLabel tools need to be installed: >>>>> `dnf install netlabel_tools` >>>>> @@ -52,8 +63,12 @@ OpenSwan but is now distributed as LibreSwan: >>>>> `dnf install libreswan` >>>>> It is important to note that the kernel must be configured to >>>>> support >>>>> -these services. The Fedora kernels are configured to handle all the above >>>>> -services. >>>>> +these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`, >>>>> +`CONFIG_NF_CONNTRACK_SECMARK`, >>>>> +`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`, >>>>> +`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`, >>>>> +`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are >>>>> +configured to handle all the above services. >>>>> The Linux networking package *iproute* has an SELinux aware >>>>> socket >>>>> statistics command ***ss**(8)* that will show the SELinux context of >>>>> @@ -65,7 +80,7 @@ to achieve this). >>>>> <br> >>>>> -## SECMARK >>>>> +## Internal labeling: SECMARK >>>>> SECMARK makes use of the standard kernel NetFilter framework >>>>> that >>>>> underpins the GNU / Linux IP networking sub-system. NetFilter services >>>>> @@ -73,7 +88,7 @@ automatically inspects all incoming and outgoing packets and can place >>>>> controls on interfaces, IP addresses (nodes) and ports with the added >>>>> advantage of connection tracking. The SECMARK security extensions allow >>>>> security contexts to be added to packets (SECMARK) or sessions >>>>> -(CONNSECMARK). >>>>> +(CONNSECMARK), belonging to object class of `packet`. >>>>> The NetFilter framework inspects and tag packets with labels as >>>>> defined >>>>> within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with >>>>> @@ -172,6 +187,16 @@ table ip6 security { >>>>> } >>>>> ``` >>>>> +Before the SECMARK rules can be loaded, TE rules must be added >>>>> to >>>>> +define the types, and also allow domains to send and/or receive >>>>> +objects of `packet` class: >>>>> + >>>>> +``` >>>>> +type test_server_packet_t, packet_type; >>>>> + >>>>> +allow my_server_t test_server_packet_t:packet { send recv }; >>>>> +``` >>>>> + >>>>> The following articles explain the SECMARK service: >>>>> - [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) >>>>> - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) >>>>> @@ -179,7 +204,7 @@ The following articles explain the SECMARK service: >>>>> <br> >>>>> -## NetLabel - Fallback Peer Labeling >>>>> +## Internal labeling: NetLabel - Fallback Peer Labeling >>>>> Fallback labeling can optionally be implemented on a system if >>>>> the >>>>> Labeled IPSec or CIPSO/CALIPSO is not being used (hence 'fallback >>>>> @@ -217,9 +242,20 @@ netlabelctl -p map list >>>>> Note that the security contexts must be valid in the policy otherwise the >>>>> commands will fail. >>>>> +Before the NetLabel rules can be loaded, TE rules must be added >>>>> to >>>>> +define the types. Then the rules can allow domains to receive data >>>>> +from objects of `peer` class: >>>>> + >>>>> +``` >>>>> +type netlabel_sctp_peer_t; >>>>> + >>>>> +allow my_server_t netlabel_sctp_peer_t:peer recv; >>>>> +``` >>>>> +Note that sending can't be controlled with `peer` class. >>>>> + >>>>> <br> >>>>> -## NetLabel – CIPSO/CALIPSO >>>>> +## Labeled Networking: NetLabel – CIPSO/CALIPSO >>>>> To allow MLS [**security levels**](mls_mcs.md#security-levels) >>>>> to be passed >>>>> over a network between MLS >>>>> @@ -288,7 +324,7 @@ section, plus the standard Fedora 'targeted' policy for the tests. >>>>> <br> >>>>> -## Labeled IPSec >>>>> +## Labeled Networking: Labeled IPSec >>>>> Labeled IPSec has been built into the standard GNU / Linux >>>>> IPSec >>>>> services as described in the >>>>> @@ -451,6 +487,98 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. >>>>> <br> >>>>> +## Access Control for Network Interfaces >>>>> + >>>>> +SELinux domains can be restricted to use only specific network >>>>> +interfaces. TE rules must define the interface types and then allow a >>>>> +domain to `egress` in class `netif` for the defined interface types: >>>>> + >>>>> +``` >>>>> +require { >>>>> + attribute netif_type; >>>>> +} >>>>> + >>>>> +type external_if_t, netif_type; >>>>> +type loopback_if_t, netif_type; >>>>> + >>>>> +allow my_server_t external_if_t:netif egress; >>>>> +allow my_server_t loopback_if_t:netif egress; >>>>> +``` >>>>> + >>>>> +The interfaces must also be labeled with ***semanage**(8)* (or by >>>>> +using `netifcon` statements in the policy): >>>>> +``` >>>>> +semanage interface -a -t loopback_if_t -r s0 lo >>>>> +semanage interface -a -t external_if_t -r s0 eth0 >>>>> +``` >>>>> + >>>>> +Note that reception can't be controlled with `netif` class. >>>> >>>> Probably nothing but I did not understand this: Is reception not >>>> controlled with the netif ingress permission? >>> >>> I'm no expert, but the only netif ingress rules which I have are >>> rather generic: >>> >>> allow internet_peer_t external_if_t:netif ingress; >>> allow link_local_peer_t external_if_t:netif ingress; >>> allow localnet_peer_t external_if_t:netif ingress; >>> allow multicast_peer_t external_if_t:netif ingress; >>> allow loopback_peer_t loopback_if_t:netif ingress; >>> >>> `peer` types above have been added with NetLabel rules like: >>> >>> netlabelctl unlbl add default address:2000::/3 >>> label:system_u:object_r:internet_peer_t:s0 >>> >>> Perhaps this would be better: >>> >>> Note that reception for application domains can't be controlled with >>> `netif` class. >>> >> >> I look at it this way: peers *are* processes, You seem to >> essentually use peers as nodes above. > > I think both are true. When labeled IPSec is used, it's probably (I > haven't tried it yet) possible to identify peers at process > level. Without IPSec it's only possible to get peer labeling with > NetLabel rules, which only allow IP address (host or even networks of > hosts) level accuracy. > The thing, i think, is that netlabel is limited and really geared towards MLS, it will only send levels over the wire i believe (except for loopback) By AFAIK the point of netlabel is to be able enforce mult-level security on secure networks. For example you could have a ssh server running on a particular level. In other words netlabel AFAIK should be able to send a process/peer level over the network AFAIK. >> It would become more clear if you would try this out with labeled ipsec. >> A peer, in my experience is kind of the same as an association in the >> labeled ipsec scenario (the classes actually overlap). That is also why >> you should probably disable the netlabel_peer_controls polcap if you use >> labeled ipsec. > > Right, but I think my setup could be useful for cases where labeled > IPSec is not used. > > Do you see AVC denials etc. for netif *ingress* for process level > domains with labeled IPSec? I use to have extensive recordings and blogs about this matter but i erased it all, and i currently dont have a ipsec tunnel, or avc denials, but I do vaguely recall that the ingress with labeled ipsec was on a per process level. I might be wrong though. I would probably just omit the line about the reception to be on the safe side. (can always add that later if needed) > > -Topi > >>>> >>>>> + >>>>> +<br> >>>>> + >>>>> +## Access Control for Network Nodes >>>>> + >>>>> +Domains can be restricted by SELinux to access and bind sockets to >>>>> +only dedicated network nodes (in practice, IP addresses). >>>>> + >>>>> +The node types must be defined and then the node types can be used for >>>>> +TE rules as target context. TE rules to allow a domain to `sendto` for >>>>> +class `node` and to `node_bind` (for incoming connections) for class >>>>> +`tcp_socket`: >>>>> + >>>>> +``` >>>>> +require { >>>>> + attribute node_type; >>>>> +} >>>>> + >>>>> +type loopback_node_t, node_type; >>>>> +type internet_node_t, node_type; >>>>> +type link_local_node_t, node_type; >>>>> +type multicast_node_t, node_type; >>>>> + >>>>> +allow my_server_t loopback_node_t:node sendto; >>>>> +allow my_server_t loopback_node_t:tcp_socket node_bind; >>>>> +allow my_server_t internet_node_t:node sendto; >>>>> +``` >>>>> + >>>>> +After the types have been defined, corresponding node rules can be >>>>> +added with `semanage` (or `nodecon` statements): >>>>> +``` >>>>> +semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1 >>>>> +semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000:: >>>>> +semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00:: >>>>> +semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00:: >>>>> +``` >>>>> + >>>>> +<br> >>>>> + >>>>> +## Access Control for Network Ports >>>>> + >>>>> +SELinux policy can also control access to ports used by various >>>>> +networking protocols such as TCP, UDP, SCTP and DCCP. TE rules must >>>>> +define the port types and then allow a domain to `name_connect` >>>>> +(outgoing) or `name_bind` (incoming) in class `tcp_socket` (or >>>>> +`udp_socket` etc) for the defined port types: >>>>> + >>>>> +``` >>>>> +require { >>>>> + attribute port_type; >>>>> +} >>>>> + >>>>> +type my_server_port_t, port_type; >>>>> + >>>>> +allow my_server_t my_server_port_t:tcp_socket name_connect; >>>>> +allow my_server_t my_server_port_t:tcp_socket name_bind; >>>>> +``` >>>>> + >>>>> +The ports must also be labeled with `semanage` (or `portcon` >>>>> +statements): >>>>> +``` >>>>> +semanage port -a -t my_server_port_t -p tcp -r s0 12345 >>>>> +``` >>>>> + >>>>> +<br> >>>>> + >>>>> <section class="footnotes"> >>>>> <ol> >>>>> <li id="fnn1"><p>For example, an ftp session where the server is >>>>> listening on a specific port (the destination port) but the client >>>>> will be assigned a random source port. The CONNSECMARK will ensure >>>>> that all packets for the ftp session are marked with the same label.<a >>>>> href="#fnnet1" class="footnote-back">↩</a></p></li> >>>> >>> >> > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 20:36 ` Dominick Grift @ 2020-07-27 21:44 ` Topi Miettinen 2020-07-28 3:12 ` Paul Moore 2020-07-28 3:08 ` Paul Moore 1 sibling, 1 reply; 14+ messages in thread From: Topi Miettinen @ 2020-07-27 21:44 UTC (permalink / raw) To: Dominick Grift; +Cc: selinux On 27.7.2020 23.36, Dominick Grift wrote: > Topi Miettinen <toiwoton@gmail.com> writes: > >> On 27.7.2020 18.39, Dominick Grift wrote: >>> Topi Miettinen <toiwoton@gmail.com> writes: >>> >>>> On 27.7.2020 16.57, Dominick Grift wrote: >>>>> Topi Miettinen <toiwoton@gmail.com> writes: >>>>> >>>>>> List all access control methods available for networking and provide >>>>>> examples for each. >>>>>> >>>>>> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >>>>>> >>>>>> --- >>>>>> v2: address comments from Richard Haines >>>>>> --- >>>>>> src/network_statements.md | 2 +- >>>>>> src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- >>>>>> 2 files changed, 150 insertions(+), 22 deletions(-) >>>>>> >>>>>> diff --git a/src/network_statements.md b/src/network_statements.md >>>>>> index ef1c873..357c3b1 100644 >>>>>> --- a/src/network_statements.md >>>>>> +++ b/src/network_statements.md >>>>>> @@ -102,7 +102,7 @@ the interface to a security context. >>>>>> <tr> >>>>>> <td><code>packet_context</code></td> >>>>>> <td><p>The security context allocated packets. Note that these are defined but unused.</p> >>>>>> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> >>>>>> +<p>The iptables(8)/nftables(8) <a >>>>>> href="network_support.md#internal-labeling-secmark">SECMARK >>>>>> services</a> should be used to label packets.</p></td> >>>>>> </tr> >>>>>> </tbody> >>>>>> </table> >>>>>> diff --git a/src/network_support.md b/src/network_support.md >>>>>> index 309e863..6f9896b 100644 >>>>>> --- a/src/network_support.md >>>>>> +++ b/src/network_support.md >>>>>> @@ -1,20 +1,17 @@ >>>>>> # SELinux Networking Support >>>>>> -SELinux supports the following types of network labeling: >>>>>> +SELinux supports several methods for access control of networks. These are >>>>>> -**Internal labeling** - This is where network objects are >>>>>> labeled and >>>>>> -managed internally within a single machine (i.e. their labels are not >>>>>> -transmitted as part of the session with remote systems). There are two >>>>>> -types supported: SECMARK and NetLabel. There was a service known as >>>>>> -'compat_net' controls, however that was removed in kernel 2.6.30. >>>>>> +* Packet labeling: class `packet` >>>>>> +* Peer labeling: class `peer` >>>>>> +* Interface control: class `netif` >>>>>> +* Network node control: class `node` >>>>>> +* TCP/UDP/SCTP/DCCP ports: class `port` >>>>>> -**Labeled Networking** - This is where labels are passed to/from >>>>>> remote >>>>>> -systems where they can be interpreted and a MAC policy enforced on each >>>>>> -system. There are three types supported: Labeled IPSec, CIPSO >>>>>> -(Commercial IP Security Option) and CALIPSO (Common Architecture Label >>>>>> -IPv6 Security Option) >>>>>> +Networking support is not enabled by default. It can be enabled either >>>>>> +the policy capabilities or by loading SECMARK rules. >>>>>> -There are two policy capability options that can be set within >>>>>> policy >>>>>> +There are three policy capability options that can be set within policy >>>>>> using the `policycap` statement that affect networking configuration: >>>>>> **`network_peer_controls`** - This is always enabled in the >>>>>> latest >>>>>> @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the >>>>>> SELinux filesystem as shown in the >>>>>> [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. >>>>>> -To support peer labeling, CIPSO and CALIPSO the NetLabel tools >>>>>> need to >>>>>> -be installed: >>>>>> +SELinux supports the following types of network labeling: >>>>>> + >>>>>> +**Internal labeling** - This is where network objects are labeled and >>>>>> +managed internally within a single machine (i.e. their labels are not >>>>>> +transmitted as part of the session with remote systems). There are two >>>>>> +types supported: SECMARK and NetLabel. There was a service known as >>>>>> +'compat_net' controls, however that was removed in kernel 2.6.30. >>>>>> + >>>>>> +**Labeled Networking** - This is where labels are passed to/from remote >>>>>> +systems where they can be interpreted and a MAC policy enforced on each >>>>>> +system. There are three types supported: Labeled IPSec, CIPSO >>>>>> +(Commercial IP Security Option) and CALIPSO (Common Architecture Label >>>>>> +IPv6 Security Option). >>>>>> + >>>>>> +To support peer labeling with CIPSO and CALIPSO or fallback labeling, >>>>>> +the NetLabel tools need to be installed: >>>>>> `dnf install netlabel_tools` >>>>>> @@ -52,8 +63,12 @@ OpenSwan but is now distributed as LibreSwan: >>>>>> `dnf install libreswan` >>>>>> It is important to note that the kernel must be configured to >>>>>> support >>>>>> -these services. The Fedora kernels are configured to handle all the above >>>>>> -services. >>>>>> +these services (`CONFIG_NETLABEL`, `CONFIG_NETWORK_SECMARK`, >>>>>> +`CONFIG_NF_CONNTRACK_SECMARK`, >>>>>> +`CONFIG_NETFILTER_XT_TARGET_CONNSECMARK`, >>>>>> +`CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_IP_NF_SECURITY`, >>>>>> +`CONFIG_IP6_NF_SECURITY`). At least Fedora and Debian kernels are >>>>>> +configured to handle all the above services. >>>>>> The Linux networking package *iproute* has an SELinux aware >>>>>> socket >>>>>> statistics command ***ss**(8)* that will show the SELinux context of >>>>>> @@ -65,7 +80,7 @@ to achieve this). >>>>>> <br> >>>>>> -## SECMARK >>>>>> +## Internal labeling: SECMARK >>>>>> SECMARK makes use of the standard kernel NetFilter framework >>>>>> that >>>>>> underpins the GNU / Linux IP networking sub-system. NetFilter services >>>>>> @@ -73,7 +88,7 @@ automatically inspects all incoming and outgoing packets and can place >>>>>> controls on interfaces, IP addresses (nodes) and ports with the added >>>>>> advantage of connection tracking. The SECMARK security extensions allow >>>>>> security contexts to be added to packets (SECMARK) or sessions >>>>>> -(CONNSECMARK). >>>>>> +(CONNSECMARK), belonging to object class of `packet`. >>>>>> The NetFilter framework inspects and tag packets with labels as >>>>>> defined >>>>>> within ***iptables**(8)* (also 'nftables' ***nft**(8)* from version 9.3 with >>>>>> @@ -172,6 +187,16 @@ table ip6 security { >>>>>> } >>>>>> ``` >>>>>> +Before the SECMARK rules can be loaded, TE rules must be added >>>>>> to >>>>>> +define the types, and also allow domains to send and/or receive >>>>>> +objects of `packet` class: >>>>>> + >>>>>> +``` >>>>>> +type test_server_packet_t, packet_type; >>>>>> + >>>>>> +allow my_server_t test_server_packet_t:packet { send recv }; >>>>>> +``` >>>>>> + >>>>>> The following articles explain the SECMARK service: >>>>>> - [*Transitioning to Secmark*](http://paulmoore.livejournal.com/4281.html) >>>>>> - [New secmark-based network controls for SELinux](http://james-morris.livejournal.com/11010.html) >>>>>> @@ -179,7 +204,7 @@ The following articles explain the SECMARK service: >>>>>> <br> >>>>>> -## NetLabel - Fallback Peer Labeling >>>>>> +## Internal labeling: NetLabel - Fallback Peer Labeling >>>>>> Fallback labeling can optionally be implemented on a system if >>>>>> the >>>>>> Labeled IPSec or CIPSO/CALIPSO is not being used (hence 'fallback >>>>>> @@ -217,9 +242,20 @@ netlabelctl -p map list >>>>>> Note that the security contexts must be valid in the policy otherwise the >>>>>> commands will fail. >>>>>> +Before the NetLabel rules can be loaded, TE rules must be added >>>>>> to >>>>>> +define the types. Then the rules can allow domains to receive data >>>>>> +from objects of `peer` class: >>>>>> + >>>>>> +``` >>>>>> +type netlabel_sctp_peer_t; >>>>>> + >>>>>> +allow my_server_t netlabel_sctp_peer_t:peer recv; >>>>>> +``` >>>>>> +Note that sending can't be controlled with `peer` class. >>>>>> + >>>>>> <br> >>>>>> -## NetLabel – CIPSO/CALIPSO >>>>>> +## Labeled Networking: NetLabel – CIPSO/CALIPSO >>>>>> To allow MLS [**security levels**](mls_mcs.md#security-levels) >>>>>> to be passed >>>>>> over a network between MLS >>>>>> @@ -288,7 +324,7 @@ section, plus the standard Fedora 'targeted' policy for the tests. >>>>>> <br> >>>>>> -## Labeled IPSec >>>>>> +## Labeled Networking: Labeled IPSec >>>>>> Labeled IPSec has been built into the standard GNU / Linux >>>>>> IPSec >>>>>> services as described in the >>>>>> @@ -451,6 +487,98 @@ The *selinux-testsuite tools/nfs.sh* tests labeled NFS using various labels. >>>>>> <br> >>>>>> +## Access Control for Network Interfaces >>>>>> + >>>>>> +SELinux domains can be restricted to use only specific network >>>>>> +interfaces. TE rules must define the interface types and then allow a >>>>>> +domain to `egress` in class `netif` for the defined interface types: >>>>>> + >>>>>> +``` >>>>>> +require { >>>>>> + attribute netif_type; >>>>>> +} >>>>>> + >>>>>> +type external_if_t, netif_type; >>>>>> +type loopback_if_t, netif_type; >>>>>> + >>>>>> +allow my_server_t external_if_t:netif egress; >>>>>> +allow my_server_t loopback_if_t:netif egress; >>>>>> +``` >>>>>> + >>>>>> +The interfaces must also be labeled with ***semanage**(8)* (or by >>>>>> +using `netifcon` statements in the policy): >>>>>> +``` >>>>>> +semanage interface -a -t loopback_if_t -r s0 lo >>>>>> +semanage interface -a -t external_if_t -r s0 eth0 >>>>>> +``` >>>>>> + >>>>>> +Note that reception can't be controlled with `netif` class. >>>>> >>>>> Probably nothing but I did not understand this: Is reception not >>>>> controlled with the netif ingress permission? >>>> >>>> I'm no expert, but the only netif ingress rules which I have are >>>> rather generic: >>>> >>>> allow internet_peer_t external_if_t:netif ingress; >>>> allow link_local_peer_t external_if_t:netif ingress; >>>> allow localnet_peer_t external_if_t:netif ingress; >>>> allow multicast_peer_t external_if_t:netif ingress; >>>> allow loopback_peer_t loopback_if_t:netif ingress; >>>> >>>> `peer` types above have been added with NetLabel rules like: >>>> >>>> netlabelctl unlbl add default address:2000::/3 >>>> label:system_u:object_r:internet_peer_t:s0 >>>> >>>> Perhaps this would be better: >>>> >>>> Note that reception for application domains can't be controlled with >>>> `netif` class. >>>> >>> >>> I look at it this way: peers *are* processes, You seem to >>> essentually use peers as nodes above. >> >> I think both are true. When labeled IPSec is used, it's probably (I >> haven't tried it yet) possible to identify peers at process >> level. Without IPSec it's only possible to get peer labeling with >> NetLabel rules, which only allow IP address (host or even networks of >> hosts) level accuracy. >> > > The thing, i think, is that netlabel is limited and really geared > towards MLS, it will only send levels over the wire i believe (except for loopback) > > By AFAIK the point of netlabel is to be able enforce mult-level security > on secure networks. For example you could have a ssh server running on a > particular level. In other words netlabel AFAIK should be able to send a > process/peer level over the network AFAIK. I think this applies to CIPSO/CALIPSO but not `unlabeled` mode which is used in my example. MLS is not very interesting for users in general and so neither will be CIPSO/CALIPSO. Maybe labeled IPSec could be useful in some controlled corporate environments where all parties are relatively trusted. But I think `unlabeled` mode, together with other networking controls, could be very useful for all users. For some reason, it's bit hard in Linux to give each application an individual firewall while this has been easy in Windows for a long time. With SELinux network controls it's possible to enforce application level access control but the knobs seem to be weird. >>> It would become more clear if you would try this out with labeled ipsec. >>> A peer, in my experience is kind of the same as an association in the >>> labeled ipsec scenario (the classes actually overlap). That is also why >>> you should probably disable the netlabel_peer_controls polcap if you use >>> labeled ipsec. >> >> Right, but I think my setup could be useful for cases where labeled >> IPSec is not used. >> >> Do you see AVC denials etc. for netif *ingress* for process level >> domains with labeled IPSec? > > I use to have extensive recordings and blogs about this matter but i > erased it all, and i currently dont have a ipsec tunnel, or avc denials, > but I do vaguely recall that the ingress with labeled ipsec was on a per process > level. I might be wrong though. > > I would probably just omit the line about the reception to be on the > safe side. (can always add that later if needed) Yes, that's probably safer. -Topi > >> >> -Topi >> >>>>> >>>>>> + >>>>>> +<br> >>>>>> + >>>>>> +## Access Control for Network Nodes >>>>>> + >>>>>> +Domains can be restricted by SELinux to access and bind sockets to >>>>>> +only dedicated network nodes (in practice, IP addresses). >>>>>> + >>>>>> +The node types must be defined and then the node types can be used for >>>>>> +TE rules as target context. TE rules to allow a domain to `sendto` for >>>>>> +class `node` and to `node_bind` (for incoming connections) for class >>>>>> +`tcp_socket`: >>>>>> + >>>>>> +``` >>>>>> +require { >>>>>> + attribute node_type; >>>>>> +} >>>>>> + >>>>>> +type loopback_node_t, node_type; >>>>>> +type internet_node_t, node_type; >>>>>> +type link_local_node_t, node_type; >>>>>> +type multicast_node_t, node_type; >>>>>> + >>>>>> +allow my_server_t loopback_node_t:node sendto; >>>>>> +allow my_server_t loopback_node_t:tcp_socket node_bind; >>>>>> +allow my_server_t internet_node_t:node sendto; >>>>>> +``` >>>>>> + >>>>>> +After the types have been defined, corresponding node rules can be >>>>>> +added with `semanage` (or `nodecon` statements): >>>>>> +``` >>>>>> +semanage node -a -M /128 -p ipv6 -t loopback_node_t -r s0 ::1 >>>>>> +semanage node -a -M /3 -p ipv6 -t internet_node_t -r s0 2000:: >>>>>> +semanage node -a -M /8 -p ipv6 -t link_local_node_t -r s0 fe00:: >>>>>> +semanage node -a -M /8 -p ipv6 -t multicast_node_t -r s0 ff00:: >>>>>> +``` >>>>>> + >>>>>> +<br> >>>>>> + >>>>>> +## Access Control for Network Ports >>>>>> + >>>>>> +SELinux policy can also control access to ports used by various >>>>>> +networking protocols such as TCP, UDP, SCTP and DCCP. TE rules must >>>>>> +define the port types and then allow a domain to `name_connect` >>>>>> +(outgoing) or `name_bind` (incoming) in class `tcp_socket` (or >>>>>> +`udp_socket` etc) for the defined port types: >>>>>> + >>>>>> +``` >>>>>> +require { >>>>>> + attribute port_type; >>>>>> +} >>>>>> + >>>>>> +type my_server_port_t, port_type; >>>>>> + >>>>>> +allow my_server_t my_server_port_t:tcp_socket name_connect; >>>>>> +allow my_server_t my_server_port_t:tcp_socket name_bind; >>>>>> +``` >>>>>> + >>>>>> +The ports must also be labeled with `semanage` (or `portcon` >>>>>> +statements): >>>>>> +``` >>>>>> +semanage port -a -t my_server_port_t -p tcp -r s0 12345 >>>>>> +``` >>>>>> + >>>>>> +<br> >>>>>> + >>>>>> <section class="footnotes"> >>>>>> <ol> >>>>>> <li id="fnn1"><p>For example, an ftp session where the server is >>>>>> listening on a specific port (the destination port) but the client >>>>>> will be assigned a random source port. The CONNSECMARK will ensure >>>>>> that all packets for the ftp session are marked with the same label.<a >>>>>> href="#fnnet1" class="footnote-back">↩</a></p></li> >>>>> >>>> >>> >> > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 21:44 ` Topi Miettinen @ 2020-07-28 3:12 ` Paul Moore 0 siblings, 0 replies; 14+ messages in thread From: Paul Moore @ 2020-07-28 3:12 UTC (permalink / raw) To: Topi Miettinen; +Cc: Dominick Grift, selinux On Mon, Jul 27, 2020 at 5:44 PM Topi Miettinen <toiwoton@gmail.com> wrote: > MLS is not very interesting for users in general and so neither will be > CIPSO/CALIPSO. Maybe labeled IPSec could be useful in some controlled > corporate environments where all parties are relatively trusted. Don't forget that in most cases when you see "MLS" in the context of SELinux, you should think "MLS" or "MCS". While MLS may have limited interest outside of a few specific types of users, MCS is what underpins SELinux's virtualization and container security for most users. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 20:36 ` Dominick Grift 2020-07-27 21:44 ` Topi Miettinen @ 2020-07-28 3:08 ` Paul Moore 1 sibling, 0 replies; 14+ messages in thread From: Paul Moore @ 2020-07-28 3:08 UTC (permalink / raw) To: Dominick Grift; +Cc: Topi Miettinen, selinux On Mon, Jul 27, 2020 at 4:36 PM Dominick Grift <dominick.grift@defensec.nl> wrote: > The thing, i think, is that netlabel is limited and really geared > towards MLS, it will only send levels over the wire i believe (except for loopback) > > By AFAIK the point of netlabel is to be able enforce mult-level security > on secure networks. For example you could have a ssh server running on a > particular level. In other words netlabel AFAIK should be able to send a > process/peer level over the network AFAIK. The original motivation behind NetLabel was to provide an interoperable labeled networking mechanism that would allow SELinux to talk to (at the time) existing trusted UNIX systems such as Trusted Solaris. The NetLabel framework abstraction was created both to be able to support multiple different labeling protocols (CIPSO, CALIPSO, fallback/static) as well as to support multiple LSMs (SELinux, Smack). Beyond this, we start getting into a bit of a rathole of comparing network labeling designs and implementations which gets very ugly, very quickly. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 15:39 ` Dominick Grift 2020-07-27 20:20 ` Topi Miettinen @ 2020-07-28 2:57 ` Paul Moore 1 sibling, 0 replies; 14+ messages in thread From: Paul Moore @ 2020-07-28 2:57 UTC (permalink / raw) To: Dominick Grift; +Cc: Topi Miettinen, selinux On Mon, Jul 27, 2020 at 11:39 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > Topi Miettinen <toiwoton@gmail.com> writes: > > I'm no expert, but the only netif ingress rules which I have are > > rather generic: > > > > allow internet_peer_t external_if_t:netif ingress; > > allow link_local_peer_t external_if_t:netif ingress; > > allow localnet_peer_t external_if_t:netif ingress; > > allow multicast_peer_t external_if_t:netif ingress; > > allow loopback_peer_t loopback_if_t:netif ingress; > > > > `peer` types above have been added with NetLabel rules like: > > > > netlabelctl unlbl add default address:2000::/3 > > label:system_u:object_r:internet_peer_t:s0 > > > > Perhaps this would be better: > > > > Note that reception for application domains can't be controlled with > > `netif` class. > > > > I look at it this way: peers *are* processes, You seem to > essentually use peers as nodes above. Peer labels are essentially process labels (that isn't 100% correct, but it is close enough for this particular discussion). In the netif/ingress access control, the subject is the peer label of the *remote* peer, not the receiving process on the local system. If you were running a web server on your system under httpd_t and a remote node connected to your web server with firefox running under firefox_t, you would need the following netif/ingress rule: allow firefox_t external_if_t:netif ingress; You will note that it is firefox_t and *not* httpd_t as the subject. > It would become more clear if you would try this out with labeled ipsec. > A peer, in my experience is kind of the same as an association in the > labeled ipsec scenario (the classes actually overlap). That is also why > you should probably disable the netlabel_peer_controls polcap if you use > labeled ipsec. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 13:57 ` Dominick Grift 2020-07-27 15:21 ` Topi Miettinen @ 2020-07-28 2:49 ` Paul Moore 1 sibling, 0 replies; 14+ messages in thread From: Paul Moore @ 2020-07-28 2:49 UTC (permalink / raw) To: Dominick Grift; +Cc: Topi Miettinen, selinux On Mon, Jul 27, 2020 at 9:57 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > Probably nothing but I did not understand this: Is reception not > controlled with the netif ingress permission? Yes, the netif/ingress and node/recvfrom permissions are checked when packets are received; in both cases the subject is the peer labels (think the security context of the remote network peer) and the objects are the network interface's label or network node's label, respectively. This is pretty old, almost twelve years old, but it should still be accurate: * https://www.paul-moore.com/blog/d/2008/12/network_ingress_egress_controls.html -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-27 13:04 [PATCH v2] Improve network_support.md Topi Miettinen 2020-07-27 13:57 ` Dominick Grift @ 2020-07-28 2:44 ` Paul Moore 2020-07-28 10:30 ` Topi Miettinen 1 sibling, 1 reply; 14+ messages in thread From: Paul Moore @ 2020-07-28 2:44 UTC (permalink / raw) To: Topi Miettinen; +Cc: selinux On Mon, Jul 27, 2020 at 9:04 AM Topi Miettinen <toiwoton@gmail.com> wrote: > > List all access control methods available for networking and provide > examples for each. > > Signed-off-by: Topi Miettinen <toiwoton@gmail.com> > > --- > v2: address comments from Richard Haines > --- > src/network_statements.md | 2 +- > src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- > 2 files changed, 150 insertions(+), 22 deletions(-) > > diff --git a/src/network_statements.md b/src/network_statements.md > index ef1c873..357c3b1 100644 > --- a/src/network_statements.md > +++ b/src/network_statements.md > @@ -102,7 +102,7 @@ the interface to a security context. > <tr> > <td><code>packet_context</code></td> > <td><p>The security context allocated packets. Note that these are defined but unused.</p> > -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> > +<p>The iptables(8)/nftables(8) <a href="network_support.md#internal-labeling-secmark">SECMARK services</a> should be used to label packets.</p></td> > </tr> > </tbody> > </table> > diff --git a/src/network_support.md b/src/network_support.md > index 309e863..6f9896b 100644 > --- a/src/network_support.md > +++ b/src/network_support.md > @@ -1,20 +1,17 @@ > # SELinux Networking Support > > -SELinux supports the following types of network labeling: > +SELinux supports several methods for access control of networks. These are > > -**Internal labeling** - This is where network objects are labeled and > -managed internally within a single machine (i.e. their labels are not > -transmitted as part of the session with remote systems). There are two > -types supported: SECMARK and NetLabel. There was a service known as > -'compat_net' controls, however that was removed in kernel 2.6.30. > +* Packet labeling: class `packet` > +* Peer labeling: class `peer` > +* Interface control: class `netif` > +* Network node control: class `node` > +* TCP/UDP/SCTP/DCCP ports: class `port` For whatever it is worth, I've always thought of the SELinux network access controls as being composed of two parts: socket layer controls and packet layer controls (or per-packet controls). The packet layer controls are further divided into the "peer" and "secmark" controls. The socket layer controls are the access controls which closely mimic the socket syscalls and typically involve checking if a running task can perform an operation on a network socket, e.g. bind(). These are usually easy to understand and don't require any special network configuration. The packet layer controls are where things start to get interesting as this is where we apply SELinux security policy to individual packets as they flow into, out of, and through the system. As mentioned above, the packet layer controls are comprised of both "peer" and "secmark" controls. The "peer" controls are those access controls which compare the security attributes (SELinux label) of the sending peer with the security context of the receiving peer. The "secmark" controls compare the network attributes (e.g. IP header values) with the sending or receiving task's security attributes. It get's very complicated very quickly, but a simple example is to think of the "peer" access controls as restricting firefox_t to talking only to httpd_t, while the "secmark" access controls restrict firefox_t to talking only to network services on TCP port 80. Secmark is (obviously) the "secmark" access controls. Labeled IPsec and the NetLabel framework are the current "peer" access controls, with NetLabel supporting CIPSO for IPv4, CALIPSO for IPv6, and a fallback/static labeling for unlabeled IPv4 and IPv6 networks. > -**Labeled Networking** - This is where labels are passed to/from remote > -systems where they can be interpreted and a MAC policy enforced on each > -system. There are three types supported: Labeled IPSec, CIPSO > -(Commercial IP Security Option) and CALIPSO (Common Architecture Label > -IPv6 Security Option) > +Networking support is not enabled by default. It can be enabled either > +the policy capabilities or by loading SECMARK rules. > > -There are two policy capability options that can be set within policy > +There are three policy capability options that can be set within policy > using the `policycap` statement that affect networking configuration: > > **`network_peer_controls`** - This is always enabled in the latest > @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the > SELinux filesystem as shown in the > [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. > > -To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to > -be installed: > +SELinux supports the following types of network labeling: > + > +**Internal labeling** - This is where network objects are labeled and > +managed internally within a single machine (i.e. their labels are not > +transmitted as part of the session with remote systems). There are two > +types supported: SECMARK and NetLabel. There was a service known as > +'compat_net' controls, however that was removed in kernel 2.6.30. Using your terminology, NetLabel is external or "labeled networking". NetLabel is a framework for explicit network labeling that abstracts away the underlying labeling protocol from the LSMs. It provides CIPSO, CALIPSO, and fallback/static protocol support to SELinux (and Smack). > +**Labeled Networking** - This is where labels are passed to/from remote > +systems where they can be interpreted and a MAC policy enforced on each > +system. There are three types supported: Labeled IPSec, CIPSO > +(Commercial IP Security Option) and CALIPSO (Common Architecture Label > +IPv6 Security Option). > + > +To support peer labeling with CIPSO and CALIPSO or fallback labeling, > +the NetLabel tools need to be installed: -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-28 2:44 ` Paul Moore @ 2020-07-28 10:30 ` Topi Miettinen 2020-07-28 22:00 ` Paul Moore 0 siblings, 1 reply; 14+ messages in thread From: Topi Miettinen @ 2020-07-28 10:30 UTC (permalink / raw) To: Paul Moore; +Cc: selinux On 28.7.2020 5.44, Paul Moore wrote: > On Mon, Jul 27, 2020 at 9:04 AM Topi Miettinen <toiwoton@gmail.com> wrote: >> >> List all access control methods available for networking and provide >> examples for each. >> >> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> >> >> --- >> v2: address comments from Richard Haines >> --- >> src/network_statements.md | 2 +- >> src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- >> 2 files changed, 150 insertions(+), 22 deletions(-) >> >> diff --git a/src/network_statements.md b/src/network_statements.md >> index ef1c873..357c3b1 100644 >> --- a/src/network_statements.md >> +++ b/src/network_statements.md >> @@ -102,7 +102,7 @@ the interface to a security context. >> <tr> >> <td><code>packet_context</code></td> >> <td><p>The security context allocated packets. Note that these are defined but unused.</p> >> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> >> +<p>The iptables(8)/nftables(8) <a href="network_support.md#internal-labeling-secmark">SECMARK services</a> should be used to label packets.</p></td> >> </tr> >> </tbody> >> </table> >> diff --git a/src/network_support.md b/src/network_support.md >> index 309e863..6f9896b 100644 >> --- a/src/network_support.md >> +++ b/src/network_support.md >> @@ -1,20 +1,17 @@ >> # SELinux Networking Support >> >> -SELinux supports the following types of network labeling: >> +SELinux supports several methods for access control of networks. These are >> >> -**Internal labeling** - This is where network objects are labeled and >> -managed internally within a single machine (i.e. their labels are not >> -transmitted as part of the session with remote systems). There are two >> -types supported: SECMARK and NetLabel. There was a service known as >> -'compat_net' controls, however that was removed in kernel 2.6.30. >> +* Packet labeling: class `packet` >> +* Peer labeling: class `peer` >> +* Interface control: class `netif` >> +* Network node control: class `node` >> +* TCP/UDP/SCTP/DCCP ports: class `port` > > For whatever it is worth, I've always thought of the SELinux network > access controls as being composed of two parts: socket layer controls > and packet layer controls (or per-packet controls). The packet layer > controls are further divided into the "peer" and "secmark" controls. This could be a more easily understandable way to describe the access controls, at least `port` would fall to socket layer controls nicely. Would this division work with netifs and nodes? > The socket layer controls are the access controls which closely mimic > the socket syscalls and typically involve checking if a running task > can perform an operation on a network socket, e.g. bind(). These are > usually easy to understand and don't require any special network > configuration. > > The packet layer controls are where things start to get interesting as > this is where we apply SELinux security policy to individual packets > as they flow into, out of, and through the system. As mentioned > above, the packet layer controls are comprised of both "peer" and > "secmark" controls. The "peer" controls are those access controls > which compare the security attributes (SELinux label) of the sending > peer with the security context of the receiving peer. The "secmark" > controls compare the network attributes (e.g. IP header values) with > the sending or receiving task's security attributes. It get's very > complicated very quickly, but a simple example is to think of the > "peer" access controls as restricting firefox_t to talking only to > httpd_t, while the "secmark" access controls restrict firefox_t to > talking only to network services on TCP port 80. > > Secmark is (obviously) the "secmark" access controls. > > Labeled IPsec and the NetLabel framework are the current "peer" access > controls, with NetLabel supporting CIPSO for IPv4, CALIPSO for IPv6, > and a fallback/static labeling for unlabeled IPv4 and IPv6 networks. > >> -**Labeled Networking** - This is where labels are passed to/from remote >> -systems where they can be interpreted and a MAC policy enforced on each >> -system. There are three types supported: Labeled IPSec, CIPSO >> -(Commercial IP Security Option) and CALIPSO (Common Architecture Label >> -IPv6 Security Option) >> +Networking support is not enabled by default. It can be enabled either >> +the policy capabilities or by loading SECMARK rules. >> >> -There are two policy capability options that can be set within policy >> +There are three policy capability options that can be set within policy >> using the `policycap` statement that affect networking configuration: >> >> **`network_peer_controls`** - This is always enabled in the latest >> @@ -37,8 +34,22 @@ The policy capability settings are available in userspace via the >> SELinux filesystem as shown in the >> [**SELinux Filesystem**](lsm_selinux.md#selinux-filesystem) section. >> >> -To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to >> -be installed: >> +SELinux supports the following types of network labeling: >> + >> +**Internal labeling** - This is where network objects are labeled and >> +managed internally within a single machine (i.e. their labels are not >> +transmitted as part of the session with remote systems). There are two >> +types supported: SECMARK and NetLabel. There was a service known as >> +'compat_net' controls, however that was removed in kernel 2.6.30. > > Using your terminology, NetLabel is external or "labeled networking". It's not my terminology, the text is just moved down. I think fallback/static labeling part of NetLabel is not external, the labeling happens internally and the labels are not transmitted. -Topi > NetLabel is a framework for explicit network labeling that abstracts > away the underlying labeling protocol from the LSMs. It provides > CIPSO, CALIPSO, and fallback/static protocol support to SELinux (and > Smack). > >> +**Labeled Networking** - This is where labels are passed to/from remote >> +systems where they can be interpreted and a MAC policy enforced on each >> +system. There are three types supported: Labeled IPSec, CIPSO >> +(Commercial IP Security Option) and CALIPSO (Common Architecture Label >> +IPv6 Security Option). >> + >> +To support peer labeling with CIPSO and CALIPSO or fallback labeling, >> +the NetLabel tools need to be installed: > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Improve network_support.md 2020-07-28 10:30 ` Topi Miettinen @ 2020-07-28 22:00 ` Paul Moore 0 siblings, 0 replies; 14+ messages in thread From: Paul Moore @ 2020-07-28 22:00 UTC (permalink / raw) To: Topi Miettinen; +Cc: selinux On Tue, Jul 28, 2020 at 6:30 AM Topi Miettinen <toiwoton@gmail.com> wrote: > On 28.7.2020 5.44, Paul Moore wrote: > > On Mon, Jul 27, 2020 at 9:04 AM Topi Miettinen <toiwoton@gmail.com> wrote: > >> > >> List all access control methods available for networking and provide > >> examples for each. > >> > >> Signed-off-by: Topi Miettinen <toiwoton@gmail.com> > >> > >> --- > >> v2: address comments from Richard Haines > >> --- > >> src/network_statements.md | 2 +- > >> src/network_support.md | 170 +++++++++++++++++++++++++++++++++----- > >> 2 files changed, 150 insertions(+), 22 deletions(-) > >> > >> diff --git a/src/network_statements.md b/src/network_statements.md > >> index ef1c873..357c3b1 100644 > >> --- a/src/network_statements.md > >> +++ b/src/network_statements.md > >> @@ -102,7 +102,7 @@ the interface to a security context. > >> <tr> > >> <td><code>packet_context</code></td> > >> <td><p>The security context allocated packets. Note that these are defined but unused.</p> > >> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td> > >> +<p>The iptables(8)/nftables(8) <a href="network_support.md#internal-labeling-secmark">SECMARK services</a> should be used to label packets.</p></td> > >> </tr> > >> </tbody> > >> </table> > >> diff --git a/src/network_support.md b/src/network_support.md > >> index 309e863..6f9896b 100644 > >> --- a/src/network_support.md > >> +++ b/src/network_support.md > >> @@ -1,20 +1,17 @@ > >> # SELinux Networking Support > >> > >> -SELinux supports the following types of network labeling: > >> +SELinux supports several methods for access control of networks. These are > >> > >> -**Internal labeling** - This is where network objects are labeled and > >> -managed internally within a single machine (i.e. their labels are not > >> -transmitted as part of the session with remote systems). There are two > >> -types supported: SECMARK and NetLabel. There was a service known as > >> -'compat_net' controls, however that was removed in kernel 2.6.30. > >> +* Packet labeling: class `packet` > >> +* Peer labeling: class `peer` > >> +* Interface control: class `netif` > >> +* Network node control: class `node` > >> +* TCP/UDP/SCTP/DCCP ports: class `port` > > > > For whatever it is worth, I've always thought of the SELinux network > > access controls as being composed of two parts: socket layer controls > > and packet layer controls (or per-packet controls). The packet layer > > controls are further divided into the "peer" and "secmark" controls. > > This could be a more easily understandable way to describe the access > controls, at least `port` would fall to socket layer controls nicely. Yes, I personally think it is better way to explain the network access controls. > Would this division work with netifs and nodes? I'm not entirely clear on the question, but both the netif/node ingress and egress controls fall into the packet layer. > >> -To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to > >> -be installed: > >> +SELinux supports the following types of network labeling: > >> + > >> +**Internal labeling** - This is where network objects are labeled and > >> +managed internally within a single machine (i.e. their labels are not > >> +transmitted as part of the session with remote systems). There are two > >> +types supported: SECMARK and NetLabel. There was a service known as > >> +'compat_net' controls, however that was removed in kernel 2.6.30. > > > > Using your terminology, NetLabel is external or "labeled networking". > > It's not my terminology, the text is just moved down. My apologies, using the *existing* terminology ... > I think > fallback/static labeling part of NetLabel is not external, the labeling > happens internally and the labels are not transmitted. I guess this is another problem with the "internal" vs "external" approach to the current text. I prefer to think in terms of how the access controls are structured, and as far as SELinux is concerned it only has to worry about calling the general NetLabel APIs; it doesn't matter if CIPSO, CALIPSO, or the static/fallback labeling is concerned, it's all the same. Things get more complicated if you start digging into individual protocols. Look at the different CIPSO tag types, vs the tagless approach taken in CALIPSO. Not to mention the way labeled IPsec works; people get enamored by the encryption/authentication aspects, but it's really a very poor fit for SELinux. There are a number of problems caused by the fact that labeled IPsec is an implicit labeling mechanism that labels SAs and not packets, there are issues around ensuring all of the labels have the same (or close enough) meaning on both systems, and it is likely only to ever work between the SELinux systems. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2020-07-28 22:01 UTC | newest] Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-07-27 13:04 [PATCH v2] Improve network_support.md Topi Miettinen 2020-07-27 13:57 ` Dominick Grift 2020-07-27 15:21 ` Topi Miettinen 2020-07-27 15:39 ` Dominick Grift 2020-07-27 20:20 ` Topi Miettinen 2020-07-27 20:36 ` Dominick Grift 2020-07-27 21:44 ` Topi Miettinen 2020-07-28 3:12 ` Paul Moore 2020-07-28 3:08 ` Paul Moore 2020-07-28 2:57 ` Paul Moore 2020-07-28 2:49 ` Paul Moore 2020-07-28 2:44 ` Paul Moore 2020-07-28 10:30 ` Topi Miettinen 2020-07-28 22:00 ` Paul Moore
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).