From: Westerman, Mark <Mark.Westerman_at_csoconline.com>
subject: Selinux lsm and Free Swan
Date: Fri, 24 Aug 2001 10:04:18 -0500

Hello,

Well I have downloaded the new version and I am trying to integrate freeswan-1.91 into
the kernel.

The kernel compiles ok (1 fix for freeswan); the problem is freeswan will not start.

I get the error messages

selinux_sock_rcv_skb no net device

Thanks
Mark Westerman

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Selinux lsm and Free Swan
Date: Fri, 24 Aug 2001 12:07:47 -0400 (EDT)

On Fri, 24 Aug 2001, Westerman, Mark wrote:

> Well I have downloaded the new version and I am trying to integrate
> freeswan-1.91 into the kernel.
>
> selinux_sock_rcv_skb no net device

We haven't tried integrating FreeSWAN with LSM/SELinux yet, so I'm not sure what precisely is happening here. Try applying the first attached patch to lsm/net/ipv4/tcp_ipv4.c and see if you still have the same problem. (The first patch reverses the order in which the sock_rcv_skb LSM hook and the ipsec_sk_policy function are called.) If that doesn't help, then reverse that patch and apply the second attached patch to selinux/module/selinux_plug/hooks.c. The second patch simply changes selinux_sock_rcv_skb to return success even when the skb->dev is NULL, so it may cause a bypass of some of the SELinux network access controls. Let us know how things work out.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

Index: net/ipv4/tcp_ipv4.c =================================================================== RCS file: /cvs/lsm/lsm/net/ipv4/tcp_ipv4.c,v retrieving revision 1.2 diff -u -r1.2 tcp_ipv4.c --- net/ipv4/tcp_ipv4.c 2001/08/09 15:13:37 1.2 +++ net/ipv4/tcp_ipv4.c 2001/08/24 15:53:37 @@ -1635,10 +1635,10 @@ goto no_tcp_socket; process: - if(!ipsec_sk_policy(sk,skb)) + if (security_ops->socket_ops->sock_rcv_skb(sk, skb)) goto discard_and_relse; - if (security_ops->socket_ops->sock_rcv_skb(sk, skb)) + if(!ipsec_sk_policy(sk,skb)) goto discard_and_relse; if (sk->state == TCP_TIME_WAIT)
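
Review bot: At the `process:` label the two checks are swapped with no comment saying why `sock_rcv_skb` has to run before `ipsec_sk_policy`, so nothing stops a later cleanup from swapping them back. Add a one-line comment above the hook call stating the ordering dependency, and note that with this order the security module now evaluates packets that `ipsec_sk_policy` would have discarded anyway. Style: the moved `if(!ipsec_sk_policy(sk,skb))` line still lacks the space after `if` that the adjacent `if (security_ops->...` line uses.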

Index: module/selinux_plug/hooks.c =================================================================== RCS file: /cvs/lsm/selinux/module/selinux_plug/hooks.c,v retrieving revision 1.108 diff -u -r1.108 hooks.c --- module/selinux_plug/hooks.c 2001/08/22 19:24:08 1.108 +++ module/selinux_plug/hooks.c 2001/08/24 15:42:33 @@ -3158,8 +3158,7 @@ dev = skb->dev; if (!dev) { - printk("selinux_sock_rcv_skb: no net device!\n"); - return -EACCES; + return 0; } err = netdev_precondition(dev); if (err <= 0) -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
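
Review bot: The `if (!dev)` branch now returns 0 for every skb that arrives without a device, not only for the PF_KEY traffic discussed in this thread, and it drops the `printk`, so the condition no longer shows up in the logs. Consider limiting the early `return 0` to sockets whose family is PF_KEY (the hook is called with `sk` as well as `skb`) and keeping the message and `return -EACCES` for any other skb with a NULL `skb->dev`.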

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Selinux lsm and Free Swan
Date: Fri, 24 Aug 2001 12:33:18 -0400 (EDT)

I just looked briefly at the FreeSWAN KLIPS code, and I think the problem is being caused by the call to sock_queue_rcv_skb by the PF_KEY socket code. So the patch to tcp_ipv4.c is probably unnecessary. Just try the patch to hooks.c and see if it works for you. In that case, skipping the network access control checks in selinux_sock_rcv_skb is ok, because it is a kernel-daemon communication.

--

Stephen D. Smalley, NAI Labs
ssmalley@nai.com


From: Sandy Harris <sandy_at_storm.ca>
subject: Re: Selinux lsm and Free Swan
Date: Sat, 25 Aug 2001 01:25:13 -0400

Stephen Smalley wrote:
>
> On Fri, 24 Aug 2001, Westerman, Mark wrote:
>
> > Well I have downloaded the new version and I am trying to integrate
> > freeswan-1.91 into the kernel.
> >
> > selinux_sock_rcv_skb no net device
>
> We haven't tried integrating FreeSWAN with LSM/SELinux yet, ...

Issues related to FreeS/WAN can be raised on, or cc'd to, the FreeS/WAN mailing lists:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/mail.html

From: Westerman, Mark <Mark.Westerman_at_csoconline.com>
subject: RE: Selinux lsm and Free Swan
Date: Fri, 24 Aug 2001 11:49:16 -0500

The hooks.patch works great, no problem with starting Freeswan. I have yet to test it out, but I don't foresee any problems yet.

Thanks
Mark Westerman

PS. Now I am trying to integrate the international patch for crypto file system.

-----Original Message-----

From: Stephen Smalley [mailto:sds@tislabs.com]
Sent: Friday, August 24, 2001 11:33 AM
To: Westerman, Mark
Cc: 'selinux@tycho.nsa.gov'
Subject: Re: Selinux lsm and Free Swan

I just looked briefly at the FreeSWAN KLIPS code, and I think the problem is being caused by the call to sock_queue_rcv_skb by the PF_KEY socket code. So the patch to tcp_ipv4.c is probably unnecessary. Just try the patch to hooks.c and see if it works for you. In that case, skipping the network access control checks in selinux_sock_rcv_skb is ok, because it is a kernel-daemon communication.

--

Stephen D. Smalley, NAI Labs
ssmalley@nai.com


From: Westerman, Mark <Mark.Westerman_at_csoconline.com>
subject: RE: Selinux lsm and Free Swan
Date: Fri, 24 Aug 2001 12:07:59 -0500

FYI The international patch works, I only had to make a minor modification to the make file.

Mark
-----Original Message-----

From: Stephen Smalley [mailto:sds@tislabs.com]
Sent: Friday, August 24, 2001 11:33 AM
To: Westerman, Mark
Cc: 'selinux@tycho.nsa.gov'
Subject: Re: Selinux lsm and Free Swan

I just looked briefly at the FreeSWAN KLIPS code, and I think the problem is being caused by the call to sock_queue_rcv_skb by the PF_KEY socket code. So the patch to tcp_ipv4.c is probably unnecessary. Just try the patch to hooks.c and see if it works for you. In that case, skipping the network access control checks in selinux_sock_rcv_skb is ok, because it is a kernel-daemon communication.

--

Stephen D. Smalley, NAI Labs
ssmalley@nai.com


From: Stephen Smalley <sds_at_tislabs.com>
subject: RE: Selinux lsm and Free Swan
Date: Mon, 27 Aug 2001 09:01:14 -0400 (EDT)

I've had some off-list email exchanges with a few people about SELinux and FreeSWAN, and wanted to summarize the discussion and share a patch to allow the policy to specifically control access to PF_KEY sockets by processes.

One person expressed concern about skipping the access control checks in selinux_sock_rcv_skb for PF_KEY communications. I explained that the standard process-to-socket access controls are implemented using the LSM hooks in the socket layer, so they would still be enforced on PF_KEY communications. The selinux_sock_rcv_skb hook is just to perform mediation on packet receipt at a point where we know the destination socket and the receiving network device information has not yet been cleared. This particular check isn't applicable to PF_KEY communications, which are local.

However, the release doesn't provide a distinct security class for PF_KEY sockets, so the policy would currently view them as just having the general socket class. I've created a patch to SELinux to define a new key_socket security class so that the policy can distinguish such sockets and easily limit what processes can use them. The patch is attached and will be incorporated into future releases. To apply it, save the attached patch to key.patch, cd to selinux, run 'patch -p2 < key.patch', and do a clean build and install of the LSM kernel and the policy.

You'll still need to define a domain in the policy configuration for the IKE daemon and grant it permissions to key_socket objects. One person on the list previously defined a domain for the daemon with the old SELinux prototype and plans to update it for the new prototype plus this patch. Hopefully, he'll share it when he is done, but that's up to him. If not, we'll eventually create one ourselves when we get to integrating SELinux with FreeSWAN.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/access_vectors nai/selinux/module/selinux_plug/flask/access_vectors --- nsa/selinux/module/selinux_plug/flask/access_vectors Tue Aug 21 08:29:47 2001 +++ nai/selinux/module/selinux_plug/flask/access_vectors Fri Aug 24 16:49:09 2001 @@ -199,6 +199,9 @@ class packet_socket inherits socket +class key_socket +inherits socket + class unix_stream_socket inherits socket { diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/av_inherit.h nai/selinux/module/selinux_plug/flask/av_inherit.h --- nsa/selinux/module/selinux_plug/flask/av_inherit.h Tue Aug 21 08:32:33 2001 +++ nai/selinux/module/selinux_plug/flask/av_inherit.h Fri Aug 24 16:49:09 2001 @@ -23,6 +23,7 @@
{ SECCLASS_RAWIP_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_NETLINK_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_PACKET_SOCKET, common_socket_perm_to_string, 0x01000000UL },
+ { SECCLASS_KEY_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_UNIX_STREAM_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_UNIX_DGRAM_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_IPC, common_ipc_perm_to_string, 0x00000200UL },
diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/av_permissions.h nai/selinux/module/selinux_plug/flask/av_permissions.h --- nsa/selinux/module/selinux_plug/flask/av_permissions.h Tue Aug 21 08:32:33 2001 +++ nai/selinux/module/selinux_plug/flask/av_permissions.h Fri Aug 24 16:49:09 2001 @@ -401,6 +401,31 @@ #define PACKET_SOCKET__RECVFROM 0x00080000UL #define PACKET_SOCKET__GETATTR 0x00000020UL +#define KEY_SOCKET__RELABELTO 0x00000200UL +#define KEY_SOCKET__RECV_MSG 0x00200000UL +#define KEY_SOCKET__RELABELFROM 0x00000100UL +#define KEY_SOCKET__SETOPT 0x00020000UL +#define KEY_SOCKET__APPEND 0x00000800UL +#define KEY_SOCKET__SETATTR 0x00000040UL +#define KEY_SOCKET__SENDTO 0x00100000UL +#define KEY_SOCKET__GETOPT 0x00010000UL +#define KEY_SOCKET__TRANSITION 0x00000400UL +#define KEY_SOCKET__READ 0x00000004UL +#define KEY_SOCKET__POLL 0x00000001UL +#define KEY_SOCKET__SHUTDOWN 0x00040000UL +#define KEY_SOCKET__LISTEN 0x00004000UL +#define KEY_SOCKET__BIND 0x00001000UL +#define KEY_SOCKET__WRITE 0x00000008UL +#define KEY_SOCKET__ACCEPT 0x00008000UL +#define KEY_SOCKET__CONNECT 0x00002000UL +#define KEY_SOCKET__LOCK 0x00000080UL +#define KEY_SOCKET__IOCTL 0x00000002UL +#define KEY_SOCKET__CREATE 0x00000010UL +#define KEY_SOCKET__NAME_BIND 0x00800000UL +#define KEY_SOCKET__SEND_MSG 0x00400000UL +#define KEY_SOCKET__RECVFROM 0x00080000UL +#define KEY_SOCKET__GETATTR 0x00000020UL + #define UNIX_STREAM_SOCKET__RELABELTO 0x00000200UL #define UNIX_STREAM_SOCKET__RECV_MSG 0x00200000UL #define UNIX_STREAM_SOCKET__RELABELFROM 0x00000100UL diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/class_to_string.h nai/selinux/module/selinux_plug/flask/class_to_string.h --- nsa/selinux/module/selinux_plug/flask/class_to_string.h Fri Jul 20 21:45:51 2001 +++ nai/selinux/module/selinux_plug/flask/class_to_string.h Fri Aug 24 16:49:09 2001 
@@ -27,6 +27,7 @@ "netif", "netlink_socket", "packet_socket", + "key_socket", "unix_stream_socket", "unix_dgram_socket", "sem", diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/flask.h nai/selinux/module/selinux_plug/flask/flask.h --- nsa/selinux/module/selinux_plug/flask/flask.h Wed Aug 1 09:22:45 2001 +++ nai/selinux/module/selinux_plug/flask/flask.h Fri Aug 24 16:49:09 2001 @@ -29,13 +29,14 @@ #define SECCLASS_NETIF 20 #define SECCLASS_NETLINK_SOCKET 21 #define SECCLASS_PACKET_SOCKET 22 -#define SECCLASS_UNIX_STREAM_SOCKET 23 -#define SECCLASS_UNIX_DGRAM_SOCKET 24 -#define SECCLASS_SEM 25 -#define SECCLASS_MSG 26 -#define SECCLASS_MSGQ 27 -#define SECCLASS_SHM 28 -#define SECCLASS_IPC 29 +#define SECCLASS_KEY_SOCKET 23 +#define SECCLASS_UNIX_STREAM_SOCKET 24 +#define SECCLASS_UNIX_DGRAM_SOCKET 25 +#define SECCLASS_SEM 26 +#define SECCLASS_MSG 27 +#define SECCLASS_MSGQ 28 +#define SECCLASS_SHM 29 +#define SECCLASS_IPC 30 /* * Security identifier indices for initial entities diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/flask/security_classes nai/selinux/module/selinux_plug/flask/security_classes --- nsa/selinux/module/selinux_plug/flask/security_classes Fri Jul 20 21:45:51 2001 +++ nai/selinux/module/selinux_plug/flask/security_classes Fri Aug 24 16:49:09 2001 @@ -30,6 +30,7 @@ class netif class netlink_socket class packet_socket +class key_socket class unix_stream_socket class unix_dgram_socket diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/include/linux/flask/av_inherit.h nai/selinux/module/selinux_plug/include/linux/flask/av_inherit.h --- nsa/selinux/module/selinux_plug/include/linux/flask/av_inherit.h Tue Aug 21 08:32:33 2001 +++ nai/selinux/module/selinux_plug/include/linux/flask/av_inherit.h Fri Aug 24 16:49:10 2001 @@ -23,6 +23,7 @@
{ SECCLASS_RAWIP_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_NETLINK_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_PACKET_SOCKET, common_socket_perm_to_string, 0x01000000UL },
+ { SECCLASS_KEY_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_UNIX_STREAM_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_UNIX_DGRAM_SOCKET, common_socket_perm_to_string, 0x01000000UL },
{ SECCLASS_IPC, common_ipc_perm_to_string, 0x00000200UL },
diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/include/linux/flask/av_permissions.h nai/selinux/module/selinux_plug/include/linux/flask/av_permissions.h --- nsa/selinux/module/selinux_plug/include/linux/flask/av_permissions.h Tue Aug 21 08:32:33 2001 +++ nai/selinux/module/selinux_plug/include/linux/flask/av_permissions.h Fri Aug 24 16:49:10 2001 @@ -401,6 +401,31 @@ #define PACKET_SOCKET__RECVFROM 0x00080000UL #define PACKET_SOCKET__GETATTR 0x00000020UL +#define KEY_SOCKET__RELABELTO 0x00000200UL +#define KEY_SOCKET__RECV_MSG 0x00200000UL +#define KEY_SOCKET__RELABELFROM 0x00000100UL +#define KEY_SOCKET__SETOPT 0x00020000UL +#define KEY_SOCKET__APPEND 0x00000800UL +#define KEY_SOCKET__SETATTR 0x00000040UL +#define KEY_SOCKET__SENDTO 0x00100000UL +#define KEY_SOCKET__GETOPT 0x00010000UL +#define KEY_SOCKET__TRANSITION 0x00000400UL +#define KEY_SOCKET__READ 0x00000004UL +#define KEY_SOCKET__POLL 0x00000001UL +#define KEY_SOCKET__SHUTDOWN 0x00040000UL +#define KEY_SOCKET__LISTEN 0x00004000UL +#define KEY_SOCKET__BIND 0x00001000UL +#define KEY_SOCKET__WRITE 0x00000008UL +#define KEY_SOCKET__ACCEPT 0x00008000UL +#define KEY_SOCKET__CONNECT 0x00002000UL +#define KEY_SOCKET__LOCK 0x00000080UL +#define KEY_SOCKET__IOCTL 0x00000002UL +#define KEY_SOCKET__CREATE 0x00000010UL +#define KEY_SOCKET__NAME_BIND 0x00800000UL +#define KEY_SOCKET__SEND_MSG 0x00400000UL +#define KEY_SOCKET__RECVFROM 0x00080000UL +#define KEY_SOCKET__GETATTR 0x00000020UL + #define UNIX_STREAM_SOCKET__RELABELTO 0x00000200UL #define UNIX_STREAM_SOCKET__RECV_MSG 0x00200000UL #define UNIX_STREAM_SOCKET__RELABELFROM 0x00000100UL diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/include/linux/flask/class_to_string.h nai/selinux/module/selinux_plug/include/linux/flask/class_to_string.h --- nsa/selinux/module/selinux_plug/include/linux/flask/class_to_string.h Fri Jul 20 21:45:52 2001 +++ nai/selinux/module/selinux_plug/include/linux/flask/class_to_string.h Fri Aug 24 16:49:10 2001 
@@ -27,6 +27,7 @@ "netif", "netlink_socket", "packet_socket", + "key_socket", "unix_stream_socket", "unix_dgram_socket", "sem", diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/include/linux/flask/flask.h nai/selinux/module/selinux_plug/include/linux/flask/flask.h --- nsa/selinux/module/selinux_plug/include/linux/flask/flask.h Wed Aug 1 09:22:45 2001 +++ nai/selinux/module/selinux_plug/include/linux/flask/flask.h Fri Aug 24 16:49:10 2001 @@ -29,13 +29,14 @@ #define SECCLASS_NETIF 20 #define SECCLASS_NETLINK_SOCKET 21 #define SECCLASS_PACKET_SOCKET 22 -#define SECCLASS_UNIX_STREAM_SOCKET 23 -#define SECCLASS_UNIX_DGRAM_SOCKET 24 -#define SECCLASS_SEM 25 -#define SECCLASS_MSG 26 -#define SECCLASS_MSGQ 27 -#define SECCLASS_SHM 28 -#define SECCLASS_IPC 29 +#define SECCLASS_KEY_SOCKET 23 +#define SECCLASS_UNIX_STREAM_SOCKET 24 +#define SECCLASS_UNIX_DGRAM_SOCKET 25 +#define SECCLASS_SEM 26 +#define SECCLASS_MSG 27 +#define SECCLASS_MSGQ 28 +#define SECCLASS_SHM 29 +#define SECCLASS_IPC 30 /* * Security identifier indices for initial entities diff -X /home/sds/dontdiff -ur nsa/selinux/module/selinux_plug/selinux_plug.h nai/selinux/module/selinux_plug/selinux_plug.h --- nsa/selinux/module/selinux_plug/selinux_plug.h Wed Aug 1 12:06:50 2001 +++ nai/selinux/module/selinux_plug/selinux_plug.h Fri Aug 24 16:49:09 2001 @@ -152,6 +152,8 @@ return SECCLASS_NETLINK_SOCKET; case PF_PACKET: return SECCLASS_PACKET_SOCKET; + case PF_KEY: + return SECCLASS_KEY_SOCKET; } return SECCLASS_SOCKET; -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
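
Review bot: In the flask.h hunk, inserting `SECCLASS_KEY_SOCKET` at 23 shifts `SECCLASS_UNIX_STREAM_SOCKET` through `SECCLASS_IPC` up by one (23..29 become 24..30), so a kernel module and a policy built against different numberings will disagree about seven existing classes. Either append the new class after `SECCLASS_IPC` so the existing values stay stable, or add a comment above the list stating that kernel and policy must be rebuilt together whenever a class is inserted.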
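
Review bot: In the selinux_plug.h hunk, `case PF_KEY:` moves existing PF_KEY sockets from the `return SECCLASS_SOCKET;` fall-through to `SECCLASS_KEY_SOCKET`, so any domain that reached them through generic `socket` rules loses access as soon as this is applied. The patch carries no policy rule for the new class; add a matching policy change, or at least a comment next to the `case`, so the behaviour change is visible to whoever applies it.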
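
The effect of the new key_socket class described in the message above, as an added user-space model (not code from the thread or from SELinux). The class numbers and permission bits are taken from the patch; the domain names `ike_d` and `web_d`, the rule table, the function names and the generic socket class number are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef PF_KEY
#define PF_KEY 15            /* Linux value, fallback for other libcs */
#endif
#ifndef PF_PACKET
#define PF_PACKET 17         /* Linux value, fallback for other libcs */
#endif

/* Post-patch class numbers from the flask.h hunk. */
#define SECCLASS_PACKET_SOCKET  22
#define SECCLASS_KEY_SOCKET     23
/* Placeholder: the generic socket class number is not shown on the page. */
#define SECCLASS_SOCKET_GENERIC 1000

/* Permission bits from the av_permissions.h hunk. key_socket inherits
 * socket, so the same bits are assumed for the generic class. */
#define KEY_SOCKET__READ   0x00000004UL
#define KEY_SOCKET__WRITE  0x00000008UL
#define KEY_SOCKET__CREATE 0x00000010UL

struct av_rule { const char *domain; int tclass; uint32_t allowed; };

/* Constructed policy: hypothetical domains, one rule each. */
static const struct av_rule policy[] = {
    { "ike_d", SECCLASS_KEY_SOCKET,
      KEY_SOCKET__CREATE | KEY_SOCKET__READ | KEY_SOCKET__WRITE },
    { "web_d", SECCLASS_SOCKET_GENERIC,
      KEY_SOCKET__CREATE | KEY_SOCKET__READ | KEY_SOCKET__WRITE },
};

/* Family-to-class mapping modelled on the switch in selinux_plug.h;
 * with_key_patch selects the behaviour before (0) or after (1) the patch. */
int family_to_class(int family, int with_key_patch)
{
    switch (family) {
    case PF_PACKET:
        return SECCLASS_PACKET_SOCKET;
    case PF_KEY:
        if (with_key_patch)
            return SECCLASS_KEY_SOCKET;
        break;
    }
    return SECCLASS_SOCKET_GENERIC;
}

/* Default deny: 0 only if one rule grants every requested bit. */
int avc_has_perm(const char *domain, int tclass, uint32_t requested)
{
    for (size_t i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
        if (policy[i].tclass == tclass && !strcmp(policy[i].domain, domain))
            return (policy[i].allowed & requested) == requested ? 0 : -EACCES;
    return -EACCES;
}

int socket_create_check(const char *domain, int family, int with_key_patch)
{
    int tclass = family_to_class(family, with_key_patch);
    return avc_has_perm(domain, tclass, KEY_SOCKET__CREATE);
}

int main(void)
{
    printf("web_d PF_KEY, unpatched: %d\n", socket_create_check("web_d", PF_KEY, 0));
    printf("web_d PF_KEY, patched:   %d\n", socket_create_check("web_d", PF_KEY, 1));
    printf("ike_d PF_KEY, patched:   %d\n", socket_create_check("ike_d", PF_KEY, 1));
    return 0;
}
```

Without the class, any domain with generic socket permissions can create a PF_KEY socket; with it, only a domain granted key_socket permissions can.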


This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT
