Bug 725531

Summary: SELinux networking controls not enforced on lower level protocols
Product: [Fedora] Fedora Reporter: Brian Williams <brian.williams7>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 14CC: aquini, dominick.grift, dwalsh, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mgrepl, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-23 14:55:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Brian Williams 2011-07-25 19:10:21 UTC 
Description of problem:
Since compat_net was removed from the kernel, there are no controls on low level stuff that doesn't go through SECMARK, such as packet_socket and rawip_socket.

Version-Release number of selected component (if applicable):
N/A

How reproducible: Always


Steps to Reproduce:
1. Install the SELinux policy sources
2. Remove all network permissions from a program such as dhcpc_t from the SELinux policy. (packet, netif, node, port) (comment out every line of policy/modules/system/sysnetwork.te that starts with corenet)
3. Compile and install policy
4. Clear out audit log and reboot computer
  
Actual results: dhcpc works fine and the network interfaces get IPs.


Expected results: dhcpc gets denied access to the network


Additional info: This bug probably exists on Fedora 15 and RHEL6 as well
Comment 1 Josh Boyer 2011-08-23 19:59:40 UTC 
Any thoughts on this Dan?
Comment 2 Daniel Walsh 2011-08-26 18:35:00 UTC 
sesearch -A -s dhcpc_t
Comment 3 Daniel Walsh 2011-08-26 18:39:58 UTC 
I have a feeling you are getting allow rules from another interface.
Comment 4 Paul Moore 2011-08-26 18:44:56 UTC 
There are controls for the "low level stuff", in fact the controls are much more comprehensive than they were in the compat_net days.  What you are looking for are commonly called the SELinux ingress/egress controls and there are a few posts which highlight the basic functionality:

* http://paulmoore.livejournal.com/2128.html
* http://paulmoore.livejournal.com/5536.html

Please keep in mind that SELinux typically only enforces network access controls on AF_INET or AF_INET6 sockets; raw or packet sockets do not have any per-packet access controls.  This is not new, this limitation was present even during the compat_net days as supporting these types of sockets would involve parsing packets by hand in the SELinux code, not something we want to do.

If you want to restrict applications that use raw or packet sockets, you should use the existing SELinux socket permissions.
Comment 5 Brian Williams 2011-08-26 21:19:54 UTC 
In your example for network ingress/egress controls you have a labeling of netif which I didn't think worked anymore since the compat_net code was removed.  Also in RHEL5 I see plenty of denials at the udp level for dhclient (port/node/netif) using compat_net.  I am going to switch my RHEL5 system off of using compat_net and see if I can control the program using the new controls.  I also would like to see if dhclient in RHEL6/FC14 is really switched completely to raw/packet sockets and is totally uncontrollable via SELinux (other than the fact that you can say can network or not with a self perm on the sockets).  If I am misunderstanding something please let me know, I just want to be sure everything works as advertised.
Comment 6 Paul Moore 2011-08-26 21:34:59 UTC 
(In reply to comment #5)
> In your example for network ingress/egress controls you have a labeling of
> netif which I didn't think worked anymore since the compat_net code was
> removed.

It still works, trust me.  If it doesn't, let me know and we'll fix it.

Interface and address labeling was preserved as that is still important, the access controls are what has changed.

> Also in RHEL5 I see plenty of denials at the udp level for dhclient
> (port/node/netif) using compat_net.  I am going to switch my RHEL5 system off
> of using compat_net and see if I can control the program using the new
> controls.

Unfortunately, the ingress/egress controls do not exist in RHEL5 kernels, you need to use a more modern kernel, e.g. RHEL6.

> I also would like to see if dhclient in RHEL6/FC14 is really
> switched completely to raw/packet sockets and is totally uncontrollable via
> SELinux (other than the fact that you can say can network or not with a self
> perm on the sockets).  If I am misunderstanding something please let me know, 
> I just want to be sure everything works as advertised.

Understood.  I can't speak to how dhclient uses the network off the top of my head, but if it uses AF_INET[6] sockets you should be able to apply per-packet access controls via SELinux.  If it uses raw/packet sockets, you're stuck with the per-socket controls.

I'm going to suggest that we close out this BZ and if Brian does find a problem using the new ingress/egress controls he can open a new BZ with the relevant details.  Does that work for everyone?
Comment 7 Paul Moore 2011-09-23 14:47:57 UTC 
Hearing no objections, I'm closing this bug.
Comment 8 Paul Moore 2011-09-23 14:50:35 UTC 
(In reply to comment #7)
> Hearing no objections, I'm closing this bug.

Scratch that, it doesn't look like it will let me.  I assume Brian or Miroslav will need to close this issue.
Comment 9 Brian Williams 2011-09-23 14:55:37 UTC 
dhcpc doesn't use udp packets anymore due to a change in the kernel which now requires a NIC to have an IP address, therefore dhcpc apparently uses packet_sockets which are not controlled by SELinux