Hi,

Since syslogd_t runs at mls_systemhigh, both the /dev/log file and the unix_dgram_socket object bound to it are of mls_systemhigh, rendering other application domains such as klogd_t, running at a lower security level, unable to "sendto" it. One possible solution is to add syslogd_t to the mlstrustedobject attribute, since the unix_dgram_socket object inherits the creator's SID by default. However, the side effect is that syslogd_t is also the label for the entirety of syslogd's procfs entries.

The attached two patches are aimed at resolving this problem while eliminating such a side effect, by declaring a separate type, syslogd_s_t, for the unix_dgram_socket object created by syslogd_t, which alone could be added to the mlstrustedobject attribute. Thanks to Stephen's suggestion, security_transition_sid() would be called in socket_sockcreate_sid() to query the relevant type_transition rule, say in logging.pp, for any newly created socket.

After applying these two patches the below errors don't exist any more:

type=1400 audit(1298535101.654:868): avc: denied { sendto } for pid=385 comm="klogd" path="/dev/log" scontext=system_u:object_r:klogd_t:s0 tcontext=system_u:object_r:syslogd_t:s15:c0.c1023 tclass=unix_dgram_socket

BTW, do we have a way to actually display the label for the unix_dgram_socket that is bound to /dev/log?

Any comments are greatly appreciated!

Thanks a lot!

Best regards,
Harry
From e94c680571bda94a724d33384d5345d41d9e9b6a Mon Sep 17 00:00:00 2001 From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx> Date: Thu, 24 Feb 2011 16:23:42 +0800 Subject: [PATCH 1/1] Specify a separate socket type for syslogd_t. Use a type_transition rule to specify a separate type for unix_dgram_socket object created by syslogd_t, so that the socket type alone could be added to the mlstrustedobject attribute to avoid below error message: type=1400 audit(1298535101.654:868): avc: denied { sendto } for pid=385 comm="klogd" path="/dev/log" scontext=system_u:object_r:klogd_t:s0 tcontext=system_u:object_r:syslogd_t:s15:c0.c1023 tclass=unix_dgram_socket This helps to avoid adding syslogd_t to this attribute which also is the label for all syslogd's procfs contents. BTW, in SELinux kernel driver the security_transition_sid() should be called to query above type_transition rule for the newly created socket SID. Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx> --- policy/modules/system/logging.if | 4 ++-- policy/modules/system/logging.te | 11 +++++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index c7cfb62..92582b0 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -525,14 +525,14 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` - type syslogd_t, devlog_t; + type syslogd_t, syslogd_s_t, devlog_t; ') allow $1 devlog_t:lnk_file read_lnk_file_perms; allow $1 devlog_t:sock_file write_sock_file_perms; # the type of socket depends on the syslog daemon - allow $1 syslogd_t:unix_dgram_socket sendto; + allow $1 syslogd_s_t:unix_dgram_socket sendto; allow $1 syslogd_t:unix_stream_socket connectto; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 9b5a9ed..2be6748 100644 
--- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -61,6 +61,10 @@ type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) +# AF_UNIX socket created by syslogd +type syslogd_s_t; +mls_trusted_object(syslogd_s_t) + type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) @@ -344,15 +348,18 @@ dontaudit syslogd_t self:capability sys_tty_config; # setrlimit for syslog-ng allow syslogd_t self:process { signal_perms setpgid setrlimit }; # receive messages to be logged -allow syslogd_t self:unix_dgram_socket create_socket_perms; +allow syslogd_t syslogd_s_t:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -allow syslogd_t self:unix_dgram_socket sendto; +allow syslogd_t syslogd_s_t:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; +# AF_UNIX dgram socket created by syslogd_t labeled as syslogd_s_t +type_transition syslogd_t syslogd_t:unix_dgram_socket syslogd_s_t; + # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t, devlog_t, sock_file) -- 1.7.0.4
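Review bot: in the logging.if hunk, replacing `allow $1 syslogd_t:unix_dgram_socket sendto;` with `allow $1 syslogd_s_t:unix_dgram_socket sendto;` makes every caller of logging_send_syslog_msg depend on a kernel that honours the new type_transition for sockets; on a kernel without the companion hooks.c change the daemon's socket is still labeled syslogd_t and, with the old rule removed, all syslog clients lose sendto. Keep the syslogd_t rule alongside the new one until the kernel side is merged, and state the kernel dependency in the commit message; the "# the type of socket depends on the syslog daemon" comment should also say that dgram sockets now carry syslogd_s_t.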
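Review bot: in the first logging.te hunk, `mls_trusted_object(syslogd_s_t)` marks the new type trusted for every MLS object constraint, while the comment "# AF_UNIX socket created by syslogd" suggests all of syslogd's AF_UNIX sockets get it; only the unix_dgram_socket class transitions to syslogd_s_t (the stream socket rules in the next hunk stay on self), so narrow the comment to the dgram class. The cover letter also says the devlog_t sock_file sits at mls_systemhigh; the commit message should say why the sock_file write by lower-level clients does not hit the same constraint (or that it is handled elsewhere), since this patch leaves devlog_t untouched.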
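Review bot: in the second logging.te hunk, `type_transition syslogd_t syslogd_t:unix_dgram_socket syslogd_s_t;` relabels every dgram socket syslogd_t creates, but the hunk only rewrites the `create_socket_perms` and `sendto` self rules for that class; any other rule that grants or receives `syslogd_t:unix_dgram_socket` (in this module or in other modules' interfaces) now names the wrong type and should be audited for syslogd_s_t. Consider also placing the type_transition next to the `allow syslogd_t syslogd_s_t:unix_dgram_socket create_socket_perms;` line it depends on, so the two are read together.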
From f1f85f9335fd716208e2c66cdb614fd04f963c6f Mon Sep 17 00:00:00 2001 From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx> Date: Thu, 24 Feb 2011 13:10:13 +0800 Subject: [PATCH 1/1] Compute socket SID. Compute SID for the newly created socket, which may be different than its creator. In relevant policy package a type_transition rule could be used to specify a discrete type for the socket. Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx> --- security/selinux/hooks.c | 22 +++++++++++++++------- 1 files changed, 15 insertions(+), 7 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c8d6992..a5f8d5f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3644,9 +3644,17 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) /* socket security operations */ -static u32 socket_sockcreate_sid(const struct task_security_struct *tsec) +static u32 socket_sockcreate_sid(const struct task_security_struct *tsec, + u16 secclass) { - return tsec->sockcreate_sid ? : tsec->sid; + int rc; + u32 socksid; + + rc = security_transition_sid(tsec->sid, tsec->sid, secclass, &socksid); + if (rc) + return tsec->sockcreate_sid ? : tsec->sid; + else + return tsec->sockcreate_sid ? : socksid; } static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) @@ -3674,8 +3682,8 @@ static int selinux_socket_create(int family, int type, if (kern) return 0; - newsid = socket_sockcreate_sid(tsec); secclass = socket_type_to_security_class(family, type, protocol); + newsid = socket_sockcreate_sid(tsec, secclass); return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); } 
@@ -3687,13 +3695,13 @@ static int selinux_socket_post_create(struct socket *sock, int family, struct sk_security_struct *sksec; int err = 0; + isec->sclass = socket_type_to_security_class(family, type, protocol); + isec->initialized = 1; + if (kern) isec->sid = SECINITSID_KERNEL; else - isec->sid = socket_sockcreate_sid(tsec); - - isec->sclass = socket_type_to_security_class(family, type, protocol); - isec->initialized = 1; + isec->sid = socket_sockcreate_sid(tsec, isec->sclass); if (sock->sk) { sksec = sock->sk->sk_security; -- 1.7.0.4
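Review bot: in the socket_sockcreate_sid() hunk, the rc from security_transition_sid() is swallowed and both return branches repeat the `tsec->sockcreate_sid ? :` override. Initialising `socksid = tsec->sid`, letting security_transition_sid() overwrite it on success, and returning `tsec->sockcreate_sid ? : socksid` once is equivalent and shorter; if a real failure (such as an allocation error) should not silently produce a creator-labeled socket, the function would need to hand rc back to selinux_socket_create() and selinux_socket_post_create(), which already return int. Either way, a comment should say the fallback to the creator SID is deliberate and keeps existing policies (no transition rule for the socket class) unchanged.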
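Review bot: in the selinux_socket_create() hunk, computing secclass before newsid is the right order, but it also changes what avc_has_perm() checks: the SOCKET__CREATE decision is now made against the transitioned type, so policy must grant the creator `create` on that type (the companion logging.te patch does this with `allow syslogd_t syslogd_s_t:unix_dgram_socket create_socket_perms;`). Worth stating in the commit message, since a policy that adds a type_transition without the matching allow rule will now fail socket creation rather than label the socket.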
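Review bot: in the selinux_socket_post_create() hunk, `isec->initialized = 1` is now set before `isec->sid` is assigned, whereas the removed lines set sid, then sclass, then initialized; the socket is not yet visible to other tasks at this point so it is harmless, but keeping initialized last preserves the invariant that an initialized isec has a valid sid. Also note the transition is now computed twice per socket (once in selinux_socket_create() for the create check and again here); the inputs are identical so the results agree, but a short comment saying so would save the next reader from looking for a mismatch.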
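The labeling change the cover letter describes (a socket inherits its creator's SID unless a type_transition picks another type, and a lower-level sender is refused unless the socket type is mlstrustedobject), as an added Python model that is not part of either patch. The type_transition and mls_trusted_object entries mirror the logging.te patch, the denial line is the one quoted above, and the MLS check is a deliberate simplification of the real constraint.

```python
import re

# Constructed model of the behaviour described in the post: the transition and
# trusted-object entries mirror logging.te; the MLS rule is a simplification.
TYPE_TRANSITIONS = {
    ("syslogd_t", "unix_dgram_socket"): "syslogd_s_t",
}
MLS_TRUSTED_OBJECT = {"syslogd_s_t"}


def socket_type(creator_type, secclass, transitions=TYPE_TRANSITIONS):
    """Mirror socket_sockcreate_sid(): a matching type_transition wins,
    otherwise the socket inherits its creator's type."""
    return transitions.get((creator_type, secclass), creator_type)


def sendto_allowed(sender_level, sock_type, sock_level):
    """Simplified MLS check: same level, or the socket type is trusted."""
    return sender_level == sock_level or sock_type in MLS_TRUSTED_OBJECT


AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perm>\w+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def explain_denial(line):
    """Return the parsed AVC record plus whether the MLS levels differ."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src, tgt = parse_context(m["scontext"]), parse_context(m["tcontext"])
    return {"perm": m["perm"], "tclass": m["tclass"], "src": src, "tgt": tgt,
            "mls_mismatch": src["level"] != tgt["level"]}


# The denial quoted in the post, embedded here as sample input.
DENIAL = ('type=1400 audit(1298535101.654:868): avc: denied { sendto } for pid=385 '
          'comm="klogd" path="/dev/log" scontext=system_u:object_r:klogd_t:s0 '
          'tcontext=system_u:object_r:syslogd_t:s15:c0.c1023 tclass=unix_dgram_socket')

if __name__ == "__main__":
    d = explain_denial(DENIAL)
    for label, trans in (("before patch", {}), ("after patch", TYPE_TRANSITIONS)):
        t = socket_type(d["tgt"]["type"], d["tclass"], trans)
        print(label, t, sendto_allowed(d["src"]["level"], t, d["tgt"]["level"]))
```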