tun/tap and SE Linux in 2.6.32

----------  Forwarded Message  ----------

Subject: selinux permissive blocking tun/tap device creation in v2.6.32
Date: Wed, 9 Dec 2009
From: Andrew Worsley <amworsley@xxxxxxxxx>
To: luv-main@xxxxxxxxxx

I upgraded to the v2.6.32 kernel and I found tunctl would fail with
the ioctl TUNSETIFF rejected with an EINVAL. A real pain when running
vpn and kvms which use these.

I don't know where to go from this - so directions as to where to post
/ look would be appreciated but at least I can now create tap
interfaces.

I am looking for suggestions where I should post this to find a fix or
other better workaround than merely commenting out this code...

   Andrew

I eventually traced this via recompiling the tun module with tracing
to this code:

        printk(KERN_INFO "tun: tun_set_iff () 10\n");
        if (!capable(CAP_NET_ADMIN))
                return -EPERM;
        printk(KERN_INFO "tun: tun_set_iff () 11\n");
#if 0
        err = security_tun_dev_create();
        if (err < 0)
                return err;
#endif

        printk(KERN_INFO "tun: tun_set_iff () 12\n");
        /* Set dev type */
        if (ifr->ifr_flags & IFF_TUN) {
                /* TUN device */

in drivers/net/tun.c (commenting out the above allows the tunctl
command to work!)

Tracing this back a bit I think it's this code:

int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
                 u32 requested, struct common_audit_data *auditdata)
{
        struct av_decision avd;
        int rc;

        rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
        avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
        return rc;
}

in security/selinux/avc.c which doesn't check for permissive mode or
SELinux disabled as other code in the same file appears to.

I believe this is called from:

static int selinux_tun_dev_create(void)
{
        u32 sid = current_sid();

        /* we aren't taking into account the "sockcreate" SID since the socket
         * that is being created here is not a socket in the traditional sense,
         * instead it is a private sock, accessible only to the kernel, and
         * representing a wide range of network traffic spanning multiple
         * connections unlike traditional sockets - check the TUN driver to
         * get a better understanding of why this socket is special */

        return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
                            NULL);
}

in security/selinux/hooks.c

-------------------------------------------------------

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog
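The following is an added illustration for readers of this thread; it is not code from the forwarded mail, from Russell, or from the kernel tree. It is a userspace model of the AVC decision path (avc_has_perm -> avc_has_perm_noaudit -> avc_denied) as it was laid out around 2.6.32, reconstructed from memory and heavily simplified: the function names mirror the kernel's, but every body, the SID value 42, the "loaded_policy" stand-in and the constants are assumptions made for illustration. The point it demonstrates is that the enforcing/permissive test applies only to a denial computed from the policy; an error code from the policy query itself (modelled here as an object class the loaded policy does not define) is handed straight back, so permissive mode does not turn it into a grant. That is one way an EINVAL can reach the TUNSETIFF caller on a permissive box; whether it is what happened on Andrew's system is not something this model can tell.

```c
/* Added example, not from the mail or the kernel tree: a userspace model of the
 * SELinux AVC decision path around 2.6.32, reconstructed from memory and
 * simplified. Names mirror the kernel's; the bodies are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint16_t u16;

/* Constructed constants standing in for the kernel's flask definitions. */
#define SECCLASS_TUN_SOCKET   1
#define TUN_SOCKET__CREATE    0x00000001U
#define AVD_FLAGS_PERMISSIVE  0x0001U

struct av_decision {
        u32 allowed;   /* permission bits the policy grants */
        u32 flags;     /* AVD_FLAGS_PERMISSIVE marks a per-domain permissive source */
};

/* Global toggle, like the kernel's selinux_enforcing (1 = enforcing). */
static int selinux_enforcing = 1;

/* Constructed stand-in for the loaded policy: how many object classes it
 * defines and which tun_socket permissions it allows. */
static struct {
        u16 nclasses;
        u32 allowed_tun;
} loaded_policy;

/* Model of the policy query: a class the policy does not define is an
 * error, not a denial. */
static int security_compute_av(u32 ssid, u32 tsid, u16 tclass, u32 requested,
                               struct av_decision *avd)
{
        (void)ssid; (void)tsid; (void)requested;
        if (tclass == 0 || tclass > loaded_policy.nclasses)
                return -EINVAL;                 /* unrecognized class */
        avd->allowed = (tclass == SECCLASS_TUN_SOCKET) ? loaded_policy.allowed_tun : 0;
        avd->flags = 0;
        return 0;
}

/* Model of avc_denied(): the only place permissive mode is consulted. */
static int avc_denied(const struct av_decision *avd)
{
        if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
                return -EACCES;
        return 0;       /* permissive: the denial is audited, access granted */
}

int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
                         struct av_decision *avd)
{
        int rc = security_compute_av(ssid, tsid, tclass, requested, avd);
        if (rc)
                return rc;      /* error path: returns before avc_denied() runs */
        if (requested & ~avd->allowed)
                rc = avc_denied(avd);
        return rc;
}

/* Mirrors the avc_has_perm() quoted in the mail, minus the audit call. */
int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested)
{
        struct av_decision avd;
        return avc_has_perm_noaudit(ssid, tsid, tclass, requested, &avd);
}

/* Run the tun_socket:create check under a constructed scenario:
 * enforcing flag, number of classes the policy defines, granted permissions. */
int tun_create_under(int enforcing, u16 policy_classes, u32 allowed_tun)
{
        selinux_enforcing = enforcing;
        loaded_policy.nclasses = policy_classes;
        loaded_policy.allowed_tun = allowed_tun;
        /* 42 is a constructed SID, used for both source and target as the hook does. */
        return avc_has_perm(42, 42, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE);
}

int main(void)
{
        printf("enforcing, policy allows        -> %d\n",
               tun_create_under(1, 1, TUN_SOCKET__CREATE));
        printf("enforcing, policy denies        -> %d (-EACCES)\n",
               tun_create_under(1, 1, 0));
        printf("permissive, policy denies       -> %d (granted)\n",
               tun_create_under(0, 1, 0));
        printf("permissive, class not in policy -> %d (-EINVAL)\n",
               tun_create_under(0, 0, 0));
        return 0;
}
```

Build it with "cc -Wall model.c -o model" and run it; the fourth line is the case of interest. The real kernel additionally consults the AVC cache (avc_lookup/avc_insert) before querying the policy and calls avc_audit on the result, both left out here because they do not change where the enforcing check sits.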

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
