Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit 223ae516404a7a65f09e79a1c0291521c233336e. Note that this does not remove the long-since obsolete netlink_firewall_socket and netlink_ip6_fw_socket classes from refpolicy in case they are still needed for legacy distribution policies. Add the new socket classes to socket_class_set. Update ubac and mls constraints for the new socket classes. Add allow rules for a few specific known cases (netutils, iptables, netlabel, ifconfig, udev) in core policy that require access. Further refinement for the contrib tree will be needed. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley
Chris PeBenito
parent
946d0237d2
commit
58b3029576
|
|
@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
|
|||
exempted_ubac_constraint(appletalk_socket, ubacsock)
|
||||
exempted_ubac_constraint(dccp_socket, ubacsock)
|
||||
exempted_ubac_constraint(tun_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_connector_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_generic_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
|
||||
|
||||
constrain socket_class_set { create relabelto relabelfrom }
|
||||
(
|
||||
|
|
|
|||
|
|
@ -852,6 +852,30 @@ class binder
|
|||
transfer
|
||||
}
|
||||
|
||||
class netlink_iscsi_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_fib_lookup_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_connector_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_netfilter_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_generic_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_scsitransport_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_rdma_socket
|
||||
inherits socket
|
||||
|
||||
class netlink_crypto_socket
|
||||
inherits socket
|
||||
|
||||
class x_pointer
|
||||
inherits x_device
|
||||
|
||||
|
|
|
|||
|
|
@ -125,6 +125,16 @@ class tun_socket
|
|||
|
||||
class binder
|
||||
|
||||
# Updated netlink classes for more recent netlink protocols.
|
||||
class netlink_iscsi_socket
|
||||
class netlink_fib_lookup_socket
|
||||
class netlink_connector_socket
|
||||
class netlink_netfilter_socket
|
||||
class netlink_generic_socket
|
||||
class netlink_scsitransport_socket
|
||||
class netlink_rdma_socket
|
||||
class netlink_crypto_socket
|
||||
|
||||
# Still More SE-X Windows stuff
|
||||
class x_pointer # userspace
|
||||
class x_keyboard # userspace
|
||||
|
|
|
|||
|
|
@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
|
|||
#
|
||||
|
||||
# new socket labels must be dominated by the relabeling subjects clearance
|
||||
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
|
||||
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
|
||||
( h1 dom h2 );
|
||||
|
||||
# the socket "read+write" ops
|
||||
|
|
@ -180,7 +180,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
|
|||
|
||||
|
||||
# the socket "read" ops (note the check is dominance of the low level)
|
||||
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
|
||||
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
|
||||
(( l1 dom l2 ) or
|
||||
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
|
||||
( t1 == mlsnetread ));
|
||||
|
|
@ -191,7 +191,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
|
|||
( t1 == mlsnetread ));
|
||||
|
||||
# the socket "write" ops
|
||||
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
|
||||
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
|
|
|
|||
|
|
@ -38,6 +38,8 @@ dontaudit netutils_t self:capability { dac_override sys_tty_config };
|
|||
allow netutils_t self:process { setcap signal_perms };
|
||||
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow netutils_t self:netlink_socket create_socket_perms;
|
||||
# For tcpdump.
|
||||
allow netutils_t self:netlink_netfilter_socket create_socket_perms;
|
||||
allow netutils_t self:packet_socket create_socket_perms;
|
||||
allow netutils_t self:udp_socket create_socket_perms;
|
||||
allow netutils_t self:tcp_socket create_stream_socket_perms;
|
||||
|
|
|
|||
|
|
@ -35,6 +35,7 @@ dontaudit iptables_t self:capability sys_tty_config;
|
|||
allow iptables_t self:fifo_file rw_fifo_file_perms;
|
||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow iptables_t self:netlink_socket create_socket_perms;
|
||||
allow iptables_t self:netlink_netfilter_socket create_socket_perms;
|
||||
allow iptables_t self:rawip_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ role system_r types netlabel_mgmt_t;
|
|||
# modify the network subsystem configuration
|
||||
allow netlabel_mgmt_t self:capability net_admin;
|
||||
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
|
||||
allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
|
||||
|
||||
kernel_read_network_state(netlabel_mgmt_t)
|
||||
|
||||
|
|
|
|||
|
|
@ -274,6 +274,7 @@ allow ifconfig_t self:packet_socket create_socket_perms;
|
|||
# generic netlink socket for iw
|
||||
# socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
|
||||
allow ifconfig_t self:netlink_socket create_socket_perms;
|
||||
allow ifconfig_t self:netlink_generic_socket create_socket_perms;
|
||||
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
|
||||
allow ifconfig_t self:tcp_socket { create ioctl };
|
||||
|
|
|
|||
|
|
@ -53,6 +53,7 @@ allow udev_t self:unix_stream_socket { listen accept };
|
|||
allow udev_t self:unix_dgram_socket sendto;
|
||||
allow udev_t self:unix_stream_socket connectto;
|
||||
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow udev_t self:netlink_generic_socket create_socket_perms;
|
||||
allow udev_t self:rawip_socket create_socket_perms;
|
||||
|
||||
allow udev_t udev_exec_t:file write;
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
|
|||
#
|
||||
# All socket classes.
|
||||
#
|
||||
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
|
||||
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
|
||||
|
||||
|
||||
#
|
||||
|
|
|
|||
Loading…
Reference in New Issue