RE: Selinux lsm and Free Swan

From: Stephen Smalley <sds_at_tislabs.com>
Date: Mon, 27 Aug 2001 09:01:14 -0400 (EDT)

I've had some off-list email exchanges with a few people about SELinux and FreeSWAN, and wanted to summarize the discussion and share a patch to allow the policy to specifically control access to PF_KEY sockets by processes.

One person expressed concern about skipping the access control checks in selinux_sock_rcv_skb for PF_KEY communications. I explained that the standard process-to-socket access controls are implemented using the LSM hooks in the socket layer, so they would still be enforced on PF_KEY communications. The selinux_sock_rcv_skb hook is just to perform mediation on packet receipt at a point where we know the destination socket and the receiving network device information has not yet been cleared. This particular check isn't applicable to PF_KEY communications, which are local.

However, the release doesn't provide a distinct security class for PF_KEY sockets, so the policy would currently view them as just having the general socket class. I've created a patch to SELinux to define a new key_socket security class so that the policy can distinguish such sockets and easily limit what processes can use them. The patch is attached and will be incorporated into future releases. To apply it, save the attached patch to key.patch, cd to selinux, run 'patch -p2 < key.patch', and do a clean build and install of the LSM kernel and the policy.

You'll still need to define a domain in the policy configuration for the IKE daemon and grant it permissions to key_socket objects. One person on the list previously defined a domain for the daemon with the old SELinux prototype and plans to update it for the new prototype plus this patch. Hopefully, he'll share it when he is done, but that's up to him. If not, we'll eventually create one ourselves when we get to integrating SELinux with FreeSWAN.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/access_vectors nai/selinux/module/selinux_plug/flask/access_vectors --- nsa/selinux/module/selinux_plug/flask/access_vectors Tue Aug 21 08:29:47 2001 +++ nai/selinux/module/selinux_plug/flask/access_vectors Fri Aug 24 16:49:09 2001 @@ -199,6 +199,9 @@ class packet_socket inherits socket +class key_socket +inherits socket + class unix_stream_socket inherits socket { diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/av_inherit.h nai/selinux/module/selinux_plug/flask/av_inherit.h --- nsa/selinux/module/selinux_plug/flask/av_inherit.h Tue Aug 21 08:32:33 2001 +++ nai/selinux/module/selinux_plug/flask/av_inherit.h Fri Aug 24 16:49:09 2001 @@ -23,6 +23,7 @@
{ SECCLASS_RAWIP_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_NETLINK_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_PACKET_SOCKET, common_socket_perm_to_string, 0x01000000UL },
+ { SECCLASS_KEY_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_UNIX_STREAM_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_UNIX_DGRAM_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_IPC, common_ipc_perm_to_string, 0x00000200UL },
diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/av_permissions.h nai/selinux/module/selinux_plug/flask/av_permissions.h --- nsa/selinux/module/selinux_plug/flask/av_permissions.h Tue Aug 21 08:32:33 2001 +++ nai/selinux/module/selinux_plug/flask/av_permissions.h Fri Aug 24 16:49:09 2001 @@ -401,6 +401,31 @@ #define PACKET_SOCKET__RECVFROM 0x00080000UL #define PACKET_SOCKET__GETATTR 0x00000020UL +#define KEY_SOCKET__RELABELTO 0x00000200UL +#define KEY_SOCKET__RECV_MSG 0x00200000UL +#define KEY_SOCKET__RELABELFROM 0x00000100UL +#define KEY_SOCKET__SETOPT 0x00020000UL +#define KEY_SOCKET__APPEND 0x00000800UL +#define KEY_SOCKET__SETATTR 0x00000040UL +#define KEY_SOCKET__SENDTO 0x00100000UL +#define KEY_SOCKET__GETOPT 0x00010000UL +#define KEY_SOCKET__TRANSITION 0x00000400UL +#define KEY_SOCKET__READ 0x00000004UL +#define KEY_SOCKET__POLL 0x00000001UL +#define KEY_SOCKET__SHUTDOWN 0x00040000UL +#define KEY_SOCKET__LISTEN 0x00004000UL +#define KEY_SOCKET__BIND 0x00001000UL +#define KEY_SOCKET__WRITE 0x00000008UL +#define KEY_SOCKET__ACCEPT 0x00008000UL +#define KEY_SOCKET__CONNECT 0x00002000UL +#define KEY_SOCKET__LOCK 0x00000080UL +#define KEY_SOCKET__IOCTL 0x00000002UL +#define KEY_SOCKET__CREATE 0x00000010UL +#define KEY_SOCKET__NAME_BIND 0x00800000UL +#define KEY_SOCKET__SEND_MSG 0x00400000UL +#define KEY_SOCKET__RECVFROM 0x00080000UL +#define KEY_SOCKET__GETATTR 0x00000020UL + #define UNIX_STREAM_SOCKET__RELABELTO 0x00000200UL #define UNIX_STREAM_SOCKET__RECV_MSG 0x00200000UL #define UNIX_STREAM_SOCKET__RELABELFROM 0x00000100UL diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/class_to_string.h nai/selinux/module/selinux_plug/flask/class_to_string.h --- nsa/selinux/module/selinux_plug/flask/class_to_string.h Fri Jul 20 21:45:51 2001 +++ nai/selinux/module/selinux_plug/flask/class_to_string.h Fri Aug 24 16:49:09 2001 
@@ -27,6 +27,7 @@ "netif", "netlink_socket", "packet_socket", + "key_socket", "unix_stream_socket", "unix_dgram_socket", "sem", diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/flask.h nai/selinux/module/selinux_plug/flask/flask.h --- nsa/selinux/module/selinux_plug/flask/flask.h Wed Aug 1 09:22:45 2001 +++ nai/selinux/module/selinux_plug/flask/flask.h Fri Aug 24 16:49:09 2001 @@ -29,13 +29,14 @@ #define SECCLASS_NETIF 20 #define SECCLASS_NETLINK_SOCKET 21 #define SECCLASS_PACKET_SOCKET 22 -#define SECCLASS_UNIX_STREAM_SOCKET 23 -#define SECCLASS_UNIX_DGRAM_SOCKET 24 -#define SECCLASS_SEM 25 -#define SECCLASS_MSG 26 -#define SECCLASS_MSGQ 27 -#define SECCLASS_SHM 28 -#define SECCLASS_IPC 29 +#define SECCLASS_KEY_SOCKET 23 +#define SECCLASS_UNIX_STREAM_SOCKET 24 +#define SECCLASS_UNIX_DGRAM_SOCKET 25 +#define SECCLASS_SEM 26 +#define SECCLASS_MSG 27 +#define SECCLASS_MSGQ 28 +#define SECCLASS_SHM 29 +#define SECCLASS_IPC 30 /* * Security identifier indices for initial entities diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/security_classes nai/selinux/module/selinux_plug/flask/security_classes --- nsa/selinux/module/selinux_plug/flask/security_classes Fri Jul 20 21:45:51 2001 +++ nai/selinux/module/selinux_plug/flask/security_classes Fri Aug 24 16:49:09 2001 @@ -30,6 +30,7 @@ class netif class netlink_socket class packet_socket +class key_socket class unix_stream_socket class unix_dgram_socket diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/include/linux/flask/av_inherit.h nai/selinux/module/selinux_plug/include/linux/flask/av_inherit.h --- nsa/selinux/module/selinux_plug/include/linux/flask/av_inherit.h Tue Aug 21 08:32:33 2001 +++ nai/selinux/module/selinux_plug/include/linux/flask/av_inherit.h Fri Aug 24 16:49:10 2001 @@ -23,6 +23,7 @@
{ SECCLASS_RAWIP_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_NETLINK_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_PACKET_SOCKET, common_socket_perm_to_string, 0x01000000UL },
+ { SECCLASS_KEY_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_UNIX_STREAM_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_UNIX_DGRAM_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_IPC, common_ipc_perm_to_string, 0x00000200UL },
diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/include/linux/flask/av_permissions.h nai/selinux/module/selinux_plug/include/linux/flask/av_permissions.h --- nsa/selinux/module/selinux_plug/include/linux/flask/av_permissions.h Tue Aug 21 08:32:33 2001 +++ nai/selinux/module/selinux_plug/include/linux/flask/av_permissions.h Fri Aug 24 16:49:10 2001 @@ -401,6 +401,31 @@ #define PACKET_SOCKET__RECVFROM 0x00080000UL #define PACKET_SOCKET__GETATTR 0x00000020UL +#define KEY_SOCKET__RELABELTO 0x00000200UL +#define KEY_SOCKET__RECV_MSG 0x00200000UL +#define KEY_SOCKET__RELABELFROM 0x00000100UL +#define KEY_SOCKET__SETOPT 0x00020000UL +#define KEY_SOCKET__APPEND 0x00000800UL +#define KEY_SOCKET__SETATTR 0x00000040UL +#define KEY_SOCKET__SENDTO 0x00100000UL +#define KEY_SOCKET__GETOPT 0x00010000UL +#define KEY_SOCKET__TRANSITION 0x00000400UL +#define KEY_SOCKET__READ 0x00000004UL +#define KEY_SOCKET__POLL 0x00000001UL +#define KEY_SOCKET__SHUTDOWN 0x00040000UL +#define KEY_SOCKET__LISTEN 0x00004000UL +#define KEY_SOCKET__BIND 0x00001000UL +#define KEY_SOCKET__WRITE 0x00000008UL +#define KEY_SOCKET__ACCEPT 0x00008000UL +#define KEY_SOCKET__CONNECT 0x00002000UL +#define KEY_SOCKET__LOCK 0x00000080UL +#define KEY_SOCKET__IOCTL 0x00000002UL +#define KEY_SOCKET__CREATE 0x00000010UL +#define KEY_SOCKET__NAME_BIND 0x00800000UL +#define KEY_SOCKET__SEND_MSG 0x00400000UL +#define KEY_SOCKET__RECVFROM 0x00080000UL +#define KEY_SOCKET__GETATTR 0x00000020UL + #define UNIX_STREAM_SOCKET__RELABELTO 0x00000200UL #define UNIX_STREAM_SOCKET__RECV_MSG 0x00200000UL #define UNIX_STREAM_SOCKET__RELABELFROM 0x00000100UL diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/include/linux/flask/class_to_string.h nai/selinux/module/selinux_plug/include/linux/flask/class_to_string.h --- nsa/selinux/module/selinux_plug/include/linux/flask/class_to_string.h Fri Jul 20 21:45:52 2001 +++ nai/selinux/module/selinux_plug/include/linux/flask/class_to_string.h Fri Aug 24 16:49:10 2001 
@@ -27,6 +27,7 @@ "netif", "netlink_socket", "packet_socket", + "key_socket", "unix_stream_socket", "unix_dgram_socket", "sem", diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/include/linux/flask/flask.h nai/selinux/module/selinux_plug/include/linux/flask/flask.h --- nsa/selinux/module/selinux_plug/include/linux/flask/flask.h Wed Aug 1 09:22:45 2001 +++ nai/selinux/module/selinux_plug/include/linux/flask/flask.h Fri Aug 24 16:49:10 2001 @@ -29,13 +29,14 @@ #define SECCLASS_NETIF 20 #define SECCLASS_NETLINK_SOCKET 21 #define SECCLASS_PACKET_SOCKET 22 -#define SECCLASS_UNIX_STREAM_SOCKET 23 -#define SECCLASS_UNIX_DGRAM_SOCKET 24 -#define SECCLASS_SEM 25 -#define SECCLASS_MSG 26 -#define SECCLASS_MSGQ 27 -#define SECCLASS_SHM 28 -#define SECCLASS_IPC 29 +#define SECCLASS_KEY_SOCKET 23 +#define SECCLASS_UNIX_STREAM_SOCKET 24 +#define SECCLASS_UNIX_DGRAM_SOCKET 25 +#define SECCLASS_SEM 26 +#define SECCLASS_MSG 27 +#define SECCLASS_MSGQ 28 +#define SECCLASS_SHM 29 +#define SECCLASS_IPC 30 /* * Security identifier indices for initial entities diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/selinux_plug.h nai/selinux/module/selinux_plug/selinux_plug.h --- nsa/selinux/module/selinux_plug/selinux_plug.h Wed Aug 1 12:06:50 2001 +++ nai/selinux/module/selinux_plug/selinux_plug.h Fri Aug 24 16:49:09 2001 @@ -152,6 +152,8 @@ return SECCLASS_NETLINK_SOCKET; case PF_PACKET: return SECCLASS_PACKET_SOCKET; + case PF_KEY: + return SECCLASS_KEY_SOCKET; } return SECCLASS_SOCKET; -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
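Review bot: the flask.h hunk renumbers SECCLASS_UNIX_STREAM_SOCKET through SECCLASS_IPC (23..29 become 24..30) to slot SECCLASS_KEY_SOCKET in at 23, so a policy binary compiled against the old headers would refer to the wrong classes under a kernel built with this patch, with no error to flag it. The mail's instruction to do a clean build and install of both the LSM kernel and the policy is the only thing that prevents that mismatch; it belongs in the patch header as well so that nobody applies one half. The hunk is applied identically to both copies of flask.h (flask/ and include/linux/flask/), which is correct, and the two copies must keep being regenerated together.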
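Review bot: the KEY_SOCKET__* block in av_permissions.h is exactly the inherited common socket permission set, and av_inherit.h gives key_socket the same 0x01000000UL base as the other socket classes, which matches `class key_socket inherits socket` in access_vectors declaring no class-specific permissions. Since these headers are derived from access_vectors and security_classes, a line in the patch description saying they were regenerated (not hand-edited) would spare reviewers the diff-by-eye. It is also worth documenting for policy writers that listen, accept, connect and name_bind are inherited but are not used by PF_KEY sockets, so a daemon domain should not be granted them; the permission set to grant is the create/read/write/setopt/getopt style subset.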
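Review bot: the new `case PF_KEY:` in selinux_plug.h depends on PF_KEY being visible through whatever selinux_plug.h already includes; if it arrives only transitively, add an explicit include of <linux/socket.h> so a later header reshuffle does not break the build. Note also that this mapping is what closes the gap described in the mail: without it a PF_KEY socket is labeled with the generic socket class, so any domain holding socket permissions for some unrelated reason could also talk to the kernel SADB. With it, only domains explicitly granted key_socket permissions can, and everything else is denied at socket creation.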
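The mail leaves the policy side to the reader: a domain for the IKE daemon with permissions on key_socket objects. The following is an added example written for this page, in the syntax of the SELinux example policy of that period; it is not code from the mail, from SELinux, or from FreeS/WAN. The type names ike_t and ike_exec_t, the use of initrc_t as the calling domain, and the domain_auto_trans macro and the domain, file_type, sysadmfile and exec_type attributes are assumed from that example policy; rename to match your policy tree.

```selinux
# Constructed example: a domain for the IKE daemon (not from the email).
# Assumed names: ike_t, ike_exec_t, initrc_t, the domain_auto_trans macro
# and the domain / file_type / sysadmfile / exec_type attributes.

type ike_t, domain;
type ike_exec_t, file_type, sysadmfile, exec_type;

# Enter ike_t when the init scripts execute the daemon's binary
# (the binary must be labeled ike_exec_t in file_contexts).
domain_auto_trans(initrc_t, ike_exec_t, ike_t)

# A socket is labeled with the type of the process that creates it, so
# the daemon's PF_KEY socket is the object ike_t:key_socket. Grant only
# what is needed to exchange SADB messages with the kernel; the inherited
# listen/accept/connect/name_bind permissions are left out on purpose.
allow ike_t self:key_socket { create read write getopt setopt shutdown };

# Deliberately absent: no other domain is granted any key_socket
# permission, so any other process that opens PF_KEY is denied at
# creation and the AVC logs it with tclass=key_socket.
```

Before the patch the same socket fell into the generic socket class, so any rule granting `socket` permissions to some other domain would also have covered PF_KEY. After it, a denial appears as an AVC message carrying `tclass=key_socket`, which is the line to watch for in the kernel log when anything other than the IKE daemon starts talking to the SADB.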

Received on Mon 27 Aug 2001 - 09:16:02 EDT
