type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind } for pid=10749 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
type=SYSCALL msg=audit(1128050967.120:12221195): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc003f0 a2=2 a3=1 items=0 pid=10749 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sctp_test" exe="/usr/bin/sctp_test"
type=AVC msg=audit(1128050975.796:12243576): avc: denied { name_bind } for pid=10752 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
type=AVC msg=audit(1128050975.796:12243576): avc: denied { 0x400000 } for pid=10752 comm="sctp_test" saddr=192.168.16.64 src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:node_t tclass=socket
type=SYSCALL msg=audit(1128050975.796:12243576): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfd283d0 a2=2 a3=1 items=0 pid=10752 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sctp_test" exe="/usr/bin/sctp_test"
On Thu, 29 Sep 2005, Gregory Maxwell wrote:
> type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind } for pid=10749 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
SELinux has no protocol-level support for SCTP yet, so the SCTP socket is being classified by SELinux as a generic socket, but still being checked by the protocol-level bind() permissions.
Other parts of the code make assumptions about IP & IPv6 sockets, classifying them as either TCP, UDP or 'RAW' (which is a catch-all for IP protocols notably including ICMP).
We could add a policy entry for unconfined_t to allow name_bind for the socket class, but we'd also hit problems where it defaults to a 'raw' socket.
We can't simply classify SCTP as 'raw', as it has some different semantics, such as multiple local and remote addresses, which we need to investigate and develop proper controls for.
We probably need to rethink the way IP sockets default to 'raw', as new IP protocols are sometimes developed (DCCP has just been implemented) and we don't know that the 'raw' IP controls are always appropriate.
- James
On 9/30/05, James Morris jmorris@namei.org wrote:
> type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind } for pid=10749 comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=socket
> SELinux has no protocol-level support for SCTP yet, so the SCTP socket is being classified by SELinux as a generic socket, but still being checked by the protocol-level bind() permissions.
> Other parts of the code make assumptions about IP & IPv6 sockets, classifying them as either TCP, UDP or 'RAW' (which is a catch-all for IP protocols notably including ICMP).
Ah, makes sense.
> We could add a policy entry for unconfined_t to allow name_bind for the socket class, but we'd also hit problems where it defaults to a 'raw' socket.
> We can't simply classify SCTP as 'raw', as it has some different semantics, such as multiple local and remote addresses, which we need to investigate and develop proper controls for.
> We probably need to rethink the way IP sockets default to 'raw', as new IP protocols are sometimes developed (DCCP has just been implemented) and we don't know that the 'raw' IP controls are always appropriate.
In many cases the use of new protocols is so special use that it wouldn't hurt to give apps raw until better support is added. For example, a routing daemon speaking OSPF.
SCTP obviously will need full support, since it will eventually be used as a general purpose transport in many applications and may eventually supplant TCP and UDP in some places. It would be nice if SELinux could step up to controlling the ability to control all address bindings (i.e. application X can only form connections on the secure network), but since they can be added and removed on an active connection that might be interesting.
Is there currently the ability to control IPSec behavior from SELinux (i.e. application X can only use TCP across an encrypted link)? If so, that might provide some guidance in how to make some of the extra SCTP knobs look.
On Fri, 30 Sep 2005, Gregory Maxwell wrote:
> > We probably need to rethink the way IP sockets default to 'raw', as new IP protocols are sometimes developed (DCCP has just been implemented) and we don't know that the 'raw' IP controls are always appropriate.
> In many cases the use of new protocols is so special use that it wouldn't hurt to give apps raw until better support is added. For example, a routing daemon speaking OSPF.
Agreed. All of the checks for 'raw' sockets are at the IP level, so hopefully nothing will break.
> SCTP obviously will need full support, since it will eventually be used as a general purpose transport in many applications and may eventually supplant TCP and UDP in some places. It would be nice if SELinux could step up to controlling the ability to control all address bindings (i.e. application X can only form connections on the secure network), but since they can be added and removed on an active connection that might be interesting.
> Is there currently the ability to control IPSec behavior from SELinux (i.e. application X can only use TCP across an encrypted link)? If so, that might provide some guidance in how to make some of the extra SCTP knobs look.
There's some work heading upstream integrating SELinux and IPSec, check the recent netdev archives.
- James
On Fri, 30 Sep 2005, James Morris wrote:
> We can't simply classify SCTP as 'raw', as it has some different semantics, such as multiple local and remote addresses, which we need to investigate and develop proper controls for.
Actually, this does look like a viable short term solution until full SCTP support is available. In the case of the extended IP level bind(2) checks, we just check the first/default IP address being bound, which is better than nothing. (We could do a special detection of SCTP in there and avoid this check, but for what gain?)
Please review the following patch.
It changes the SELinux IP socket classification logic, which is currently broken (well, out of date), so that an IPPROTO_IP protocol value passed to socket(2) classifies the socket as TCP or UDP. Currently, a SOCK_STREAM with a protocol of IPPROTO_ARBITRARY will default to SECCLASS_TCP_SOCKET. With this patch, it will instead default to SECCLASS_RAWIP_SOCKET, the generic IP socket class.
The patch also drops the check for SOCK_RAW and converts it into a default, so that socket types like SOCK_DCCP and SOCK_SEQPACKET are classified as SECCLASS_RAWIP_SOCKET (instead of generic sockets).
This now causes all SCTP sockets to be classified as SECCLASS_RAWIP_SOCKET.
This patch also unifies the way IP sockets classes are determined in selinux_socket_bind(), so we use the already calculated value instead of trying to recalculate it (which can lead to inconsistencies).
To get SCTP working now in targeted policy, permissions for the rawip_socket class need to be added to unconfined_domain:
avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" src=3339 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=rawip_socket
(that should be it, I think).
Comments?
---
security/selinux/hooks.c | 30 ++++++++++++++++++++++++------ 1 files changed, 24 insertions(+), 6 deletions(-)
diff -X dontdiff -purN linux-2.6.14-rc2.s1/security/selinux/hooks.c linux-2.6.14-rc2.t/security/selinux/hooks.c --- linux-2.6.14-rc2.s1/security/selinux/hooks.c 2005-09-24 10:08:25.000000000 -0400 +++ linux-2.6.14-rc2.t/security/selinux/hooks.c 2005-09-30 02:24:44.000000000 -0400 @@ -630,6 +630,16 @@ static inline u16 inode_mode_to_security return SECCLASS_FILE; }
+static inline int default_protocol_stream(int protocol) +{ + return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); +} + +static inline int default_protocol_dgram(int protocol) +{ + return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); +} + static inline u16 socket_type_to_security_class(int family, int type, int protocol) { switch (family) { @@ -646,10 +656,16 @@ static inline u16 socket_type_to_securit case PF_INET6: switch (type) { case SOCK_STREAM: - return SECCLASS_TCP_SOCKET; + if (default_protocol_stream(protocol)) + return SECCLASS_TCP_SOCKET; + else + return SECCLASS_RAWIP_SOCKET; case SOCK_DGRAM: - return SECCLASS_UDP_SOCKET; - case SOCK_RAW: + if (default_protocol_dgram(protocol)) + return SECCLASS_UDP_SOCKET; + else + return SECCLASS_RAWIP_SOCKET; + default: return SECCLASS_RAWIP_SOCKET; } break; @@ -2970,6 +2986,8 @@ static int selinux_socket_bind(struct so
/* * If PF_INET or PF_INET6, check name_bind permission for the port. + * Multiple address binding for SCTP is not supported yet: we just + * check the first address now. */ family = sock->sk->sk_family; if (family == PF_INET || family == PF_INET6) { @@ -3014,12 +3032,12 @@ static int selinux_socket_bind(struct so goto out; } - switch(sk->sk_protocol) { - case IPPROTO_TCP: + switch(isec->sclass) { + case SECCLASS_TCP_SOCKET: node_perm = TCP_SOCKET__NODE_BIND; break; - case IPPROTO_UDP: + case SECCLASS_UDP_SOCKET: node_perm = UDP_SOCKET__NODE_BIND; break;
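Review bot: the two helpers added in the first hunk (default_protocol_stream() / default_protocol_dgram()) carry no comment explaining why IPPROTO_IP is treated like IPPROTO_TCP or IPPROTO_UDP; a one-line note that protocol 0 at socket(2) means "the default protocol for this socket type", so the kernel itself creates a TCP or UDP socket for it, would save the next reader a trip into the inet socket creation code. The names also read as if they returned a protocol rather than a yes/no answer; something like is_default_stream_protocol() would match what they do.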
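Review bot: in the second hunk the `default:` that replaces `case SOCK_RAW:` now classifies every other PF_INET/PF_INET6 socket type as SECCLASS_RAWIP_SOCKET, not only the SCTP and DCCP sockets the description names, and the new protocol test also moves any existing SOCK_STREAM/SOCK_DGRAM socket opened with a non-default protocol from tcp_socket/udp_socket to rawip_socket. Domains that were previously allowed through tcp_socket or udp_socket rules for such sockets will therefore need rawip_socket rules after this change; the changelog should call out that policy impact, not just the SCTP case.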
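Review bot: the comment added in the third hunk ("we just check the first address now") understates the situation: addresses an SCTP endpoint adds after the initial bind(2), which the thread notes can be added and removed on an active association, are not checked by this hook at all, so they are not "checked later", they are unchecked. Stating that explicitly ("additional addresses bound later are not checked") documents the gap accurately for whoever implements the SCTP controls and for policy writers relying on node_bind.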
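Review bot: switching on isec->sclass in the last hunk makes node_perm consistent with the class already used for the name_bind check, which is what the description promises, but the visible context stops at the UDP arm, so the `default:` arm of that switch is not shown. Please confirm it assigns RAWIP_SOCKET__NODE_BIND: with this patch every non-TCP/UDP IP socket (SCTP included) reaches that arm with sclass == SECCLASS_RAWIP_SOCKET, and a leftover from the sk_protocol-based version would be the last way for a permission bit of the wrong class to surface in an AVC record, as with the { 0x400000 } denial at the top of this thread.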
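To make the classification change concrete, here is an added user-space model of socket_type_to_security_class() and of the node_bind permission selection in selinux_socket_bind(), before and after the patch above. It is illustration written for this page, not the kernel's code and not part of the thread. The constants are the Linux x86 values; the pre-patch `default:` arm of the node_perm switch, which the hunk does not show, is assumed to pick RAWIP_SOCKET__NODE_BIND; and reading the `{ 0x400000 }` denial at the top of the thread as that bit being checked against a generic `socket` object is my interpretation of the audit record.

```python
"""Model of SELinux IP socket classification before and after James's patch.

User-space reimplementation for illustration only. Class names follow the
kernel; numeric constants are the Linux x86 values (assumed, not from the thread).
"""

AF_INET, AF_INET6 = 2, 10
SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET, SOCK_DCCP = 1, 2, 3, 5, 6
IPPROTO_IP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_DCCP, IPPROTO_SCTP = 0, 6, 17, 33, 132


def classify_before(family, type_, protocol):
    """Pre-patch logic: the socket type alone decides. SOCK_RAW is matched
    explicitly and every other type falls out to the generic 'socket' class,
    which is how the sctp_test sockets in the thread ended up with tclass=socket."""
    if family not in (AF_INET, AF_INET6):
        return "socket"
    if type_ == SOCK_STREAM:
        return "tcp_socket"
    if type_ == SOCK_DGRAM:
        return "udp_socket"
    if type_ == SOCK_RAW:
        return "rawip_socket"
    return "socket"


def classify_after(family, type_, protocol):
    """Patched logic: STREAM/DGRAM keep tcp_socket/udp_socket only for the
    default protocol (IPPROTO_IP) or the matching one; any other protocol,
    and any other socket type, is rawip_socket."""
    if family not in (AF_INET, AF_INET6):
        return "socket"
    if type_ == SOCK_STREAM:
        return "tcp_socket" if protocol in (IPPROTO_IP, IPPROTO_TCP) else "rawip_socket"
    if type_ == SOCK_DGRAM:
        return "udp_socket" if protocol in (IPPROTO_IP, IPPROTO_UDP) else "rawip_socket"
    return "rawip_socket"


def bind_checks(family, type_, protocol, patched):
    """(class, permission) pairs selinux_socket_bind() checks for a PF_INET(6)
    bind(2): name_bind on the port object, then node_bind on the node object.
    Before the patch the node permission was chosen from sk_protocol while the
    object class came from the socket's own class, so the two could disagree.
    Assumption: the unseen pre-patch default arm selected rawip_socket's node_bind."""
    classify = classify_after if patched else classify_before
    sclass = classify(family, type_, protocol)
    if patched:
        node_class = sclass
    else:
        node_class = {IPPROTO_TCP: "tcp_socket", IPPROTO_UDP: "udp_socket"}.get(protocol, "rawip_socket")
    return [(sclass, "name_bind"), (node_class, "node_bind")]


def inconsistent(checks):
    """True when a permission comes from a class other than the socket's own.
    In the kernel a permission is just a bit in the class's vector, so checking
    rawip_socket's node_bind bit against a generic 'socket' object is reported
    by the AVC as an undefined hex permission (interpretation of { 0x400000 })."""
    sclass = checks[0][0]
    return any(cls != sclass for cls, _ in checks)


def demo():
    """Classification of the socket kinds discussed in the thread, before/after."""
    cases = {
        "sctp seqpacket": (AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP),
        "sctp stream": (AF_INET, SOCK_STREAM, IPPROTO_SCTP),
        "dccp": (AF_INET, SOCK_DCCP, IPPROTO_DCCP),
        "plain tcp": (AF_INET6, SOCK_STREAM, IPPROTO_IP),
        "icmp raw": (AF_INET, SOCK_RAW, 1),
    }
    return {name: (classify_before(*args), classify_after(*args)) for name, args in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print("%-15s before=%-13s after=%s" % (name, before, after))
    sctp = (AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP)
    print("pre-patch SCTP bind checks:", bind_checks(*sctp, patched=False),
          "inconsistent" if inconsistent(bind_checks(*sctp, patched=False)) else "consistent")
    print("patched SCTP bind checks:  ", bind_checks(*sctp, patched=True))
```

The model shows the two effects the description lists: anything that is not a default-protocol TCP or UDP socket now lands in rawip_socket, and the port and node checks at bind time are drawn from the same class, so the second denial in the audit log (a permission the generic class does not define) can no longer be produced for an SCTP socket.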
On Fri, 2005-09-30 at 02:49 -0400, James Morris wrote:
> Please review the following patch.
> It changes the SELinux IP socket classification logic, which is currently broken (well, out of date), so that an IPPROTO_IP protocol value passed to socket(2) classifies the socket as TCP or UDP. Currently, a SOCK_STREAM with a protocol of IPPROTO_ARBITRARY will default to SECCLASS_TCP_SOCKET. With this patch, it will instead default to SECCLASS_RAWIP_SOCKET, the generic IP socket class.
> The patch also drops the check for SOCK_RAW and converts it into a default, so that socket types like SOCK_DCCP and SOCK_SEQPACKET are classified as SECCLASS_RAWIP_SOCKET (instead of generic sockets).
> This now causes all SCTP sockets to be classified as SECCLASS_RAWIP_SOCKET.
> This patch also unifies the way IP sockets classes are determined in selinux_socket_bind(), so we use the already calculated value instead of trying to recalculate it (which can lead to inconsistencies).
> To get SCTP working now in targeted policy, permissions for the rawip_socket class need to be added to unconfined_domain:
> avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" src=3339 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=rawip_socket
> (that should be it, I think).
> Comments?
> security/selinux/hooks.c | 30 ++++++++++++++++++++++++------ 1 files changed, 24 insertions(+), 6 deletions(-)
Looks good.
Signed-off-by: Stephen Smalley sds@tycho.nsa.gov
On Fri, 30 Sep 2005, Stephen Smalley wrote:
> Looks good.
> Signed-off-by: Stephen Smalley sds@tycho.nsa.gov
Andrew is away for a couple of weeks, so I guess we submit this to Linus as a bugfix.
- James
On Fri, 2005-09-30 at 11:38 -0400, James Morris wrote:
> On Fri, 30 Sep 2005, Stephen Smalley wrote:
> > Looks good.
> > Signed-off-by: Stephen Smalley sds@tycho.nsa.gov
> Andrew is away for a couple of weeks, so I guess we submit this to Linus as a bugfix.
Ok, sounds fine. If he isn't willing to take it into 2.6.14, then I suppose we can work around it in policy in the interim (at least for unconfined_t, where we can just use '*' as the permission list to allow even the undefined permissions for the generic socket class).
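Turning the denials quoted in this thread into the policy that would be needed is the practical step James describes ("permissions for the rawip_socket class need to be added"), and Stephen's remark about '*' for the generic socket class is exactly the case where a named allow rule cannot be written. The following added triage script (mine, not the thread's or the SELinux project's tooling) parses `avc: denied` records, whether one per line or run together as the extractor left them at the top of the page, derives the distinct allow rules for the named permissions, and separately flags hex permissions, which are bits not defined in the object's class. The sample input is the thread's own records, with the SYSCALL record abridged; the context-to-type split assumes `user:role:type[:range]` ordering.

```python
import re

# Audit records quoted in this thread (sctp_test denials from the first message,
# the rawip_socket denial from the patch message), with one SYSCALL record kept
# in abridged form. Several records sit on one line, as in the page.
SAMPLE = (
    'type=AVC msg=audit(1128050967.120:12221195): avc: denied { name_bind } for pid=10749 '
    'comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t '
    'tcontext=system_u:object_r:port_t tclass=socket '
    'type=SYSCALL msg=audit(1128050967.120:12221195): arch=40000003 syscall=102 success=no exit=-13 '
    'type=AVC msg=audit(1128050975.796:12243576): avc: denied { name_bind } for pid=10752 '
    'comm="sctp_test" src=1234 scontext=root:system_r:unconfined_t '
    'tcontext=system_u:object_r:port_t tclass=socket '
    'type=AVC msg=audit(1128050975.796:12243576): avc: denied { 0x400000 } for pid=10752 '
    'comm="sctp_test" saddr=192.168.16.64 src=1234 scontext=root:system_r:unconfined_t '
    'tcontext=system_u:object_r:node_t tclass=socket\n'
    'avc: denied { name_bind } for pid=16484 comm="lt-sctp_test" src=3339 '
    'scontext=root:system_r:unconfined_t tcontext=system_u:object_r:port_t tclass=rawip_socket\n'
)

# The 'type=AVC msg=audit(...)' prefix is optional so bare 'avc: denied' lines
# (as pasted in the patch message) are parsed too.
AVC_RE = re.compile(
    r'(?:type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): )?'
    r'avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<fields>.*?) '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per 'avc: denied' record found anywhere in text."""
    records = []
    for m in AVC_RE.finditer(text):
        rec = {k: m.group(k) for k in ("ts", "serial", "scontext", "tcontext", "tclass")}
        rec["perms"] = m.group("perms").split()
        # key=value and key="quoted value" pairs between 'for' and 'scontext='
        rec.update(re.findall(r'(\w+)="?([^"\s]+)"?', m.group("fields")))
        records.append(rec)
    return records


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """Allow rule for the named permissions of one denial, or None when the
    denial carries only undefined (hex) permission bits."""
    named = [p for p in rec["perms"] if not p.startswith("0x")]
    if not named:
        return None
    perms = named[0] if len(named) == 1 else "{ %s }" % " ".join(named)
    return "allow %s %s:%s %s;" % (
        context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"], perms)


def triage(text):
    """Distinct allow rules (with hit counts) plus a list of (class, bit, comm)
    for permissions the kernel printed in hex: bits not defined in that class,
    which no named rule can express. In the thread's log this is the node_bind
    check of another class hitting a generic 'socket' object."""
    rules, undefined = {}, []
    for rec in parse_avc(text):
        rule = allow_rule(rec)
        if rule:
            rules[rule] = rules.get(rule, 0) + 1
        for p in rec["perms"]:
            if p.startswith("0x"):
                undefined.append((rec["tclass"], p, rec.get("comm")))
    return rules, undefined


if __name__ == "__main__":
    rules, undefined = triage(SAMPLE)
    for rule, n in rules.items():
        print("%3d  %s" % (n, rule))
    for tclass, bit, comm in undefined:
        print("undefined permission %s in class %s (comm=%s): not expressible as a named rule"
              % (bit, tclass, comm))
```

Run against the thread's records it yields the two rules for port_t name_bind (one on the generic `socket` class from the pre-patch kernel, one on `rawip_socket` from the patched one) and one undefined-bit warning for `0x400000` on class `socket`; the warning is the signal that the socket's class and the permission being checked came from different places, which is what the bind-hook change fixes rather than something to allow in policy.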
selinux@lists.fedoraproject.org