Bug 725531 - SELinux networking controls not enforced on lower level protocols
Summary: SELinux networking controls not enforced on lower level protocols
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-07-25 19:10 UTC by Brian Williams
Modified: 2011-09-23 14:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-23 14:55:37 UTC
Type: ---



Description Brian Williams 2011-07-25 19:10:21 UTC
Description of problem:
Since compat_net was removed from the kernel, there are no controls on low level stuff that doesn't go through SECMARK, such as packet_socket and rawip_socket.

Version-Release number of selected component (if applicable):
N/A

How reproducible: Always


Steps to Reproduce:
1. Install the SELinux policy sources
2. Remove all network permissions from a program such as dhcpc_t from the SELinux policy. (packet, netif, node, port) (comment out every line of policy/modules/system/sysnetwork.te that starts with corenet)
3. Compile and install policy
4. Clear out audit log and reboot computer
  
Actual results: dhcpc works fine and the network interfaces get IPs.


Expected results: dhcpc gets denied access to the network


Additional info: This bug probably exists on Fedora 15 and RHEL6 as well

Comment 1 Josh Boyer 2011-08-23 19:59:40 UTC
Any thoughts on this Dan?

Comment 2 Daniel Walsh 2011-08-26 18:35:00 UTC
sesearch -A -s dhcpc_t

Comment 3 Daniel Walsh 2011-08-26 18:39:58 UTC
I have a feeling you are getting allow rules from another interface.

Comment 4 Paul Moore 2011-08-26 18:44:56 UTC
There are controls for the "low level stuff", in fact the controls are much more comprehensive than they were in the compat_net days.  What you are looking for are commonly called the SELinux ingress/egress controls and there are a few posts which highlight the basic functionality:

* http://paulmoore.livejournal.com/2128.html
* http://paulmoore.livejournal.com/5536.html

Please keep in mind that SELinux typically only enforces network access controls on AF_INET or AF_INET6 sockets; raw or packet sockets do not have any per-packet access controls.  This is not new, this limitation was present even during the compat_net days as supporting these types of sockets would involve parsing packets by hand in the SELinux code, not something we want to do.

If you want to restrict applications that use raw or packet sockets, you should use the existing SELinux socket permissions.

Comment 5 Brian Williams 2011-08-26 21:19:54 UTC
In your example for network ingress/egress controls you have a labeling of netif which I didn't think worked anymore since the compat_net code was removed.  Also in RHEL5 I see plenty of denials at the udp level for dhclient (port/node/netif) using compat_net.  I am going to switch my RHEL5 system off of using compat_net and see if I can control the program using the new controls.  I also would like to see if dhclient in RHEL6/FC14 is really switched completely to raw/packet sockets and is totally uncontrollable via SELinux (other than the fact that you can say can network or not with a self perm on the sockets).  If I am misunderstanding something please let me know, I just want to be sure everything works as advertised.

Comment 6 Paul Moore 2011-08-26 21:34:59 UTC
(In reply to comment #5)
> In your example for network ingress/egress controls you have a labeling of
> netif which I didn't think worked anymore since the compat_net code was
> removed.

It still works, trust me.  If it doesn't, let me know and we'll fix it.

Interface and address labeling was preserved as that is still important, the access controls are what has changed.

> Also in RHEL5 I see plenty of denials at the udp level for dhclient
> (port/node/netif) using compat_net.  I am going to switch my RHEL5 system off
> of using compat_net and see if I can control the program using the new
> controls.

Unfortunately, the ingress/egress controls do not exist in RHEL5 kernels, you need to use a more modern kernel, e.g. RHEL6.

> I also would like to see if dhclient in RHEL6/FC14 is really
> switched completely to raw/packet sockets and is totally uncontrollable via
> SELinux (other than the fact that you can say can network or not with a self
> perm on the sockets).  If I am misunderstanding something please let me know, 
> I just want to be sure everything works as advertised.

Understood.  I can't speak to how dhclient uses the network off the top of my head, but if it uses AF_INET[6] sockets you should be able to apply per-packet access controls via SELinux.  If it uses raw/packet sockets, you're stuck with the per-socket controls.

I'm going to suggest that we close out this BZ and if Brian does find a problem using the new ingress/egress controls he can open a new BZ with the relevant details.  Does that work for everyone?

Comment 7 Paul Moore 2011-09-23 14:47:57 UTC
Hearing no objections, I'm closing this bug.

Comment 8 Paul Moore 2011-09-23 14:50:35 UTC
(In reply to comment #7)
> Hearing no objections, I'm closing this bug.

Scratch that, it doesn't look like it will let me.  I assume Brian or Miroslav will need to close this issue.

Comment 9 Brian Williams 2011-09-23 14:55:37 UTC
dhcpc doesn't use udp packets anymore due to a change in the kernel which now requires a NIC to have an IP address; therefore dhcpc apparently uses packet_sockets, which are not controlled by SELinux.
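As an added example (not part of this bug report, and not setools or policy code), a small Python helper that reads the output of the `sesearch -A -s dhcpc_t` command suggested in comment 2 and separates the allow rules where SELinux can still make per-packet decisions (AF_INET[6] socket, netif, node, port and packet classes) from the rawip_socket/packet_socket rules that only ever get per-socket checks, the limitation Paul describes in comment 4 and Brian confirms in comment 9. The rule lines are constructed to resemble sesearch output for the before/after state of the reproduction steps; real policy target types and permissions will differ.

```python
import re

# Classes tied to AF_INET[6] traffic, where SECMARK and the netif/node/port
# ingress/egress checks can still make per-packet decisions.
INET_CLASSES = {"tcp_socket", "udp_socket", "netif", "node", "port", "packet"}
# Classes that only ever get per-socket checks (create/bind/...), never per-packet.
RAW_OR_PACKET_CLASSES = {"rawip_socket", "packet_socket"}

# Accepts both "src tgt : cls { p1 p2 } ;" (setools 3) and "src tgt:cls { p1 p2 };" (setools 4).
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;"
)

def parse_allow_rules(text):
    """Return (source, target, class, perms) for every allow rule in sesearch output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:                      # headers such as "Found N semantic av rules:"
            continue
        src, tgt, cls, braced, single = m.groups()
        rules.append((src, tgt, cls, frozenset((braced or single).split())))
    return rules

def network_reach(text, domain):
    """Bucket the domain's network-related allow rules by how SELinux can check them."""
    reach = {"inet": set(), "raw_or_packet": set()}
    for src, _tgt, cls, perms in parse_allow_rules(text):
        if src != domain:
            continue
        if cls in INET_CLASSES:
            reach["inet"].add(cls)
        elif cls in RAW_OR_PACKET_CLASSES and "create" in perms:
            reach["raw_or_packet"].add(cls)
    return reach

def uses_uncontrolled_sockets(text, domain):
    """True when the domain may create raw/packet sockets, i.e. traffic that escapes per-packet controls."""
    return bool(network_reach(text, domain)["raw_or_packet"])

# Constructed sample: before the corenet lines in sysnetwork.te are commented out.
SESEARCH_BEFORE = """\
Found 8 semantic av rules:
allow dhcpc_t self:packet_socket { create bind ioctl read write };
   allow dhcpc_t dhcpc_t : rawip_socket { create bind read write } ;
allow dhcpc_t self:udp_socket { create bind connect read write };
allow dhcpc_t netif_type:netif { ingress egress };
allow dhcpc_t node_type:node { recvfrom sendto };
allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
allow dhcpc_t packet_type:packet { recv send };
allow dhcpc_t etc_t:file { read open getattr };
"""
# Constructed sample: after removing the corenet rules, only the self rules remain.
SESEARCH_AFTER = """\
allow dhcpc_t self:packet_socket { create bind ioctl read write };
allow dhcpc_t self:rawip_socket { create bind read write };
allow dhcpc_t self:udp_socket { create bind connect read write };
"""

if __name__ == "__main__":
    for label, out in (("before", SESEARCH_BEFORE), ("after", SESEARCH_AFTER)):
        print(label, network_reach(out, "dhcpc_t"), uses_uncontrolled_sockets(out, "dhcpc_t"))
```

In both states the packet_socket and rawip_socket create permissions survive, which is why the reproduction steps still get an address: removing the corenet rules only takes away the per-packet paths.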

