RE: Howto transition socket

Hi Martin,

> Date: Mon, 1 Aug 2011 17:45:48 +0200
> From: martin.christian@xxxxxxxxxxx
> To: selinux@xxxxxxxxxxxxx
> Subject: Howto transition socket
>
> Hi,
>
> excuse this very basic question: How can I define a transition for a socket?
>
> Let's assume I've got a process p with label u_t, denoted as p:u_t. The
> process opens a listening tcp socket s on port 80 (e. g. nc -l -p 80).
> As far as I understood, s would get the label from the process: s:u_t.
> However, I would like the socket to have label o_t. Hence, I define a
> transition:
>
> (u, u) -> o
>
> or in policy syntax;
>
> type_transition u_t u_t:tcp_socket o_t;

Generally speaking, a type_transition rule for a socket, so that it gets a separate type from its creator, works like this. However, besides this type_transition rule, you would also have to grant the other necessary allow rules so that the creator could create and use this new socket type, such as:

allow u_t o_t:tcp_socket { create_socket_perms sendto ... };

and have the process's role authorized for this socket type:

role <process's role> types o_t;

Then you could verify the socket type with the compute_create command; see the example below.

I have attached my refpolicy patch to have the unix_dgram_socket created by syslogd_t to be labeled as syslogd_s_t, hope that helps :-)

Cheers,
Harry


[root/sysadm_r/s0@~]# compute_create system_u:system_r:syslogd_t:s15:c0.c1023 system_u:system_r:syslogd_t:s15:c0.c1023 unix_dgram_socket

system_u:system_r:syslogd_s_t:s15:c0.c1023

[root/sysadm_r/s0@~]#



>
> But this doesn't seem to work. Any ideas?
>
> Regards,
>
> Martin.
>
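A complete refpolicy-style module for the case Martin describes, written here as an added example rather than code from the thread or from Harry's patch: u_t, u_exec_t and o_t are the hypothetical names from the question, and the corenet_* interfaces are assumed to be the standard reference policy ones.

```selinux
policy_module(socket_transition_example, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical domain from the question (assumed: started as an init
# daemon, so it runs in system_r); u_exec_t is its entry point.
type u_t;
type u_exec_t;
init_daemon_domain(u_t, u_exec_t)

# Separate type for tcp_sockets created by u_t.  A socket keeps the user,
# role and MLS range of its creator, so the creator's role must be
# authorized for o_t, otherwise the computed context is invalid and
# socket creation fails.
type o_t;
role system_r types o_t;
# If u_t can also be entered from an admin shell, add that role as well:
# role sysadm_r types o_t;

########################################
#
# Local policy
#

# The transition itself.  It applies to every tcp_socket u_t creates
# (outbound connections included), not only the listener on port 80.
type_transition u_t u_t:tcp_socket o_t;

# Without this the transition yields a context u_t may not use: the
# creator needs create/bind/listen/accept/read/write on the new type.
allow u_t o_t:tcp_socket create_stream_socket_perms;

# Port and node binding are checked with the domain as the source, not
# the socket type, so the usual corenet interfaces still apply
# (assumed refpolicy interface names).
corenet_tcp_bind_generic_node(u_t)
corenet_tcp_bind_http_port(u_t)
corenet_tcp_sendrecv_generic_if(u_t)
corenet_tcp_sendrecv_generic_node(u_t)
```

After loading the module, `compute_create <u_t context> <u_t context> tcp_socket` should print the o_t context, as in Harry's syslogd_s_t session above. A denial on bind or accept after that points at a missing allow or corenet rule, not at the transition.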
commit 36505160dc1274e2bec2fbb854a39b8d2891d08c
Author: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date:   Thu Feb 24 16:23:42 2011 +0800

    Specify a separate socket type for syslogd_t.
    
    Use a type_transition rule to specify a separate type for the unix_dgram_socket
    object created by syslogd_t, so that the socket type alone could be added
    to the mlstrustedobject attribute to avoid the error message below:
    
    type=1400 audit(1298535101.654:868): avc:  denied  { sendto } for  pid=385 comm="klogd" path="/dev/log" scontext=system_u:object_r:klogd_t:s0 tcontext=system_u:object_r:syslogd_t:s15:c0.c1023 tclass=unix_dgram_socket
    
    This helps to avoid adding syslogd_t to this attribute which also is the
    label for all syslogd's procfs contents.
    
    BTW, in the SELinux kernel driver security_transition_sid() should be
    called to query the above type_transition rule for the newly created socket,
    which will retain the same user, role and MLS attribute as its creator.

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 831b909..0cab32c 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -525,14 +525,14 @@ interface(`logging_log_filetrans',`
 #
 interface(`logging_send_syslog_msg',`
 	gen_require(`
-		type syslogd_t, devlog_t;
+		type syslogd_t, syslogd_s_t, devlog_t;
 	')
 
 	allow $1 devlog_t:lnk_file read_lnk_file_perms;
 	allow $1 devlog_t:sock_file write_sock_file_perms;
 
 	# the type of socket depends on the syslog daemon
-	allow $1 syslogd_t:unix_dgram_socket sendto;
+	allow $1 syslogd_s_t:unix_dgram_socket sendto;
 	allow $1 syslogd_t:unix_stream_socket connectto;
 	allow $1 self:unix_dgram_socket create_socket_perms;
 	allow $1 self:unix_stream_socket create_socket_perms;
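Review bot: removing `allow $1 syslogd_t:unix_dgram_socket sendto;` rather than adding the syslogd_s_t rule beside it means every caller of this interface loses the right to send to a datagram socket still labelled syslogd_t, for instance one created before this policy was loaded or on a kernel that does not apply type_transition to socket creation (the commit message itself says security_transition_sid() "should be called", implying that support may not be present); consider keeping both rules until the kernel side is confirmed. The comment `# the type of socket depends on the syslog daemon` also no longer describes the dgram case and should mention syslogd_s_t.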
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index b6ec597..6804dcf 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -65,6 +65,13 @@ type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
 
+# PF_UNIX socket created by syslogd.
+# Any socket will retain the same user, role and MLS attribute as
+# its creator, thus the creator's role needs to type the socket type.
+type syslogd_s_t;
+role system_r types syslogd_s_t;
+mls_trusted_object(syslogd_s_t)
+
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
 
@@ -360,15 +367,18 @@ dontaudit syslogd_t self:capability sys_tty_config;
 # setrlimit for syslog-ng
 allow syslogd_t self:process { signal_perms setpgid setrlimit };
 # receive messages to be logged
-allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t syslogd_s_t:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-allow syslogd_t self:unix_dgram_socket sendto;
+allow syslogd_t syslogd_s_t:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 
 allow syslogd_t syslog_conf_t:file read_file_perms;
 
+# PF_UNIX dgram socket created by syslogd_t labeled as syslogd_s_t
+type_transition syslogd_t syslogd_t:unix_dgram_socket syslogd_s_t;
+
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
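Review bot: the two `self:unix_dgram_socket` rules are replaced rather than supplemented, so if the type_transition does not take effect (the commit message notes the kernel-side security_transition_sid() call is still something that "should be" done), syslogd_t is left with no create_socket_perms or sendto on its own datagram socket and logging breaks outright; keeping `allow syslogd_t self:unix_dgram_socket create_socket_perms;` next to the new syslogd_s_t rules would make the change safe on either kernel. It would also help to place the type_transition together with the allow rules it depends on, or cross-reference them in the comment, since a reader of the `# receive messages to be logged` block cannot tell why the target is no longer self.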
