Mark Webb | 1 May 05:39 2009

Re: labeled network aware kernel

racoon comes with ipsec-tools, and there is not much documentation to
go on.  Still working through it though.

On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock
<justinmattock@...> wrote:
> On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@...> wrote:
>> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>>> I am working to get the labelled IPSec working, following Josh
>>> Brindle's blog post
>>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>>  I just want to get the client and server running on loopback, using a
>>> fully patched Fedora 10 machine.
>>>
>>> I have the following keyfile that I pass into setkey:
>>> ----------
>>> spdflush;
>>>
>>> flush;
>>>
>>> spdadd 127.0.0.1 127.0.0.1 any
>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>> -P in ipsec esp/transport//require;
>>>
>>> spdadd 127.0.0.1 127.0.0.1 any
>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>> -P out ipsec esp/transport//require;
>>> ----------
>>>
>>> I enter the following commands:
>>>

Mark Webb | 1 May 06:06 2009

Re: labeled network aware kernel

Thanks for the help.  I am going to get another machine set up so that
I am not using loopback any more.

After tinkering with things a bit, I found that running the command:

echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm

gets things working.  The other command seemed to disable loopback
communication.

On Thu, Apr 30, 2009 at 8:01 AM, Stephen Smalley <sds@...> wrote:
> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>> I am working to get the labelled IPSec working, following Josh
>> Brindle's blog post
>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>  I just want to get the client and server running on loopback, using a
>> fully patched Fedora 10 machine.
>>
>> I have the following keyfile that I pass into setkey:
>> ----------
>> spdflush;
>>
>> flush;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P in ipsec esp/transport//require;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"

Justin Mattock | 1 May 06:23 2009

Re: labeled network aware kernel

On Thu, Apr 30, 2009 at 8:39 PM, Mark Webb <elihusmails@...> wrote:
> racoon comes with ipsec-tools, and there is not much documentation to
> go on.  Still working through it though.
>
>
> On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock <justinmattock@...m> wrote:
>> On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@...> wrote:
>>> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>>>> I am working to get the labelled IPSec working, following Josh
>>>> Brindle's blog post
>>>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>>>  I just want to get the client and server running on loopback, using a
>>>> fully patched Fedora 10 machine.
>>>>
>>>> I have the following keyfile that I pass into setkey:
>>>> ----------
>>>> spdflush;
>>>>
>>>> flush;
>>>>
>>>> spdadd 127.0.0.1 127.0.0.1 any
>>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>>> -P in ipsec esp/transport//require;
>>>>
>>>> spdadd 127.0.0.1 127.0.0.1 any
>>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>>> -P out ipsec esp/transport//require;
>>>> ----------
>>>>
>>>> I enter the following commands:

Eamon Walsh | 1 May 06:54 2009

Re: Some ideas in SE-PostgreSQL enhancement (Re: The status of SE-PostgreSQL)

KaiGai Kohei wrote:
> Eamon Walsh wrote:
>   
>> KaiGai Kohei wrote:
>>     
>>> KaiGai Kohei wrote:
>>>   
>>>       
>>>> My preference is the latter one:
>>>>   TYPE_TRANSITION <subject context> <server context> : <class> <new context>;
>>>>
>>>> In addition, a configuration file can be considered to set up
>>>> the default context of database objects, though I considered it
>>>> unnecessary in the past discussion.
>>>> If a user wants to run the database server process as an unconfined domain,
>>>> like a legacy "disable_xxxx_trans" boolean does, the <server context> as
>>>> the target of TYPE_TRANSITION breaks all the correct labeling.
>>>>
>>>> If we have a /etc/selinux/$POLICYTYPE/contexts/db_{sepgsql|rubix}, as follows,
>>>> it can be used to specify the default context of special purpose database
>>>> object such as schemas to store temporary database objects, not only the
>>>> context of database as the root of type transition.
>>>> ------------
>>>> database    *             system_u:object_r:sepgsql_db_t:s0
>>>> schema      pg_temp_*     system_u:object_r:sepgsql_temp_schema_t:s0
>>>>   :             :            :
>>>> ------------
>>>>
>>>> libselinux has the selabel_lookup(3) interface to implement them
>>>> for various kinds of objects.

Stephen Smalley | 1 May 13:52 2009

Re: Fwd: [PATCH] Create $SELINUXTMPDIR in each of the tests

On Thu, 2009-04-30 at 09:22 -0400, Stephen Smalley wrote:
> On Thu, 2009-04-30 at 15:58 +0530, Subrata Modak wrote:
> > On Wed, 2009-04-29 at 22:48 +0200, Jiří Paleček wrote:
> > > On Wed, 29 Apr 2009 21:40:01 +0200, Stephen Smalley <sds <at> tycho.nsa.gov>  
> > > wrote:
> > > 
> > > > On Wed, 2009-04-29 at 21:27 +0200, Jiří Paleček wrote:
> > > >> On Wed, 29 Apr 2009 21:07:38 +0200, Stephen Smalley <sds <at> tycho.nsa.gov>
> > > >> wrote:
> > > >>
> > > >> > On Sun, 2009-04-19 at 00:17 +0530, Subrata Modak wrote:
> > > >> >> Stephen,
> > > >> >>
> > > >> >> Would you like to say something about the following Patch ?
> > > >> >
> > > >> > Yes, it breaks the selinux testsuite for me.  Please revert.
> > > >>
> > > >> How exactly does it break it?
> > > >
> > > > Running it via test_selinux.sh was generating errors like:
> > > > cd: /testcases/bin: No such file or directory
> > > > in selinux.outfile, producing a couple bogus FAILs.
> > > 
> > > This is probably caused by the line setting LTPBIN (which shouldn't have  
> > > been there in the first place, my fault), does the attached patch fix it  
> > > for you?
> > 
> > Neither applied this nor reverted the earlier one in this thread, as
> > conclusion is yet to be made. But, I have to push the release today as I
> > am going for a vacation for a couple of days. But, please send me the

Stephen Smalley | 4 May 21:43 2009

[PATCH] selinux: Fix send_sigiotask hook

The CRED patch incorrectly converted the SELinux send_sigiotask hook to
use the current task SID rather than the target task SID in its
permission check, yielding the wrong permission check.  This fixes the
hook function.  Detected by the ltp selinux testsuite and confirmed to
correct the test failure.

Signed-off-by:  Stephen Smalley <sds@...>

---

 security/selinux/hooks.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ba808ef..2fcad7c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
 <at>  <at>  -3153,7 +3153,7  <at>  <at>  static int selinux_file_send_sigiotask(struct task_struct *tsk,
 				       struct fown_struct *fown, int signum)
 {
 	struct file *file;
-	u32 sid = current_sid();
+	u32 sid = task_sid(tsk);
 	u32 perm;
 	struct file_security_struct *fsec;

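Review bot: With task_sid(tsk) restored, `sid` is the SID of the task being signalled (`tsk`), which is what the permission check needs as its target; using current_sid() made the check depend on whichever task happened to be running at SIGIO delivery, which is the regression the commit message describes. The hunk stops before the line that consumes `sid`, so confirm that the CRED conversion did not leave another current_sid() use elsewhere in this function, and consider a short comment on the assignment, e.g. `u32 sid = task_sid(tsk); /* target of the signal, not current */`, since the subject/target mix-up here was silent and only the ltp selinux testsuite caught it.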
--

-- 
Stephen Smalley
National Security Agency


David Howells | 5 May 14:47 2009

Re: [PATCH] selinux: Fix send_sigiotask hook

Stephen Smalley <sds@...> wrote:

> The CRED patch incorrectly converted the SELinux send_sigiotask hook to
> use the current task SID rather than the target task SID in its
> permission check, yielding the wrong permission check.  This fixes the
> hook function.  Detected by the ltp selinux testsuite and confirmed to
> correct the test failure.
> 
> Signed-off-by:  Stephen Smalley <sds@...>

Acked-by: David Howells <dhowells@...>

Stephen Smalley | 5 May 15:52 2009

Re: [LTP] Fwd: [PATCH] Create $SELINUXTMPDIR in each of the tests

On Fri, 2009-05-01 at 07:52 -0400, Stephen Smalley wrote:
> On Thu, 2009-04-30 at 09:22 -0400, Stephen Smalley wrote:
> > On Thu, 2009-04-30 at 15:58 +0530, Subrata Modak wrote:
> > > On Wed, 2009-04-29 at 22:48 +0200, Jiří Paleček wrote:
> > > > On Wed, 29 Apr 2009 21:40:01 +0200, Stephen Smalley <sds@...a.gov>  
> > > > wrote:
> > > > 
> > > > > On Wed, 2009-04-29 at 21:27 +0200, Jiří Paleček wrote:
> > > > >> On Wed, 29 Apr 2009 21:07:38 +0200, Stephen Smalley <sds <at> tycho.nsa.gov>
> > > > >> wrote:
> > > > >>
> > > > >> > On Sun, 2009-04-19 at 00:17 +0530, Subrata Modak wrote:
> > > > >> >> Stephen,
> > > > >> >>
> > > > >> >> Would you like to say something about the following Patch ?
> > > > >> >
> > > > >> > Yes, it breaks the selinux testsuite for me.  Please revert.
> > > > >>
> > > > >> How exactly does it break it?
> > > > >
> > > > > Running it via test_selinux.sh was generating errors like:
> > > > > cd: /testcases/bin: No such file or directory
> > > > > in selinux.outfile, producing a couple bogus FAILs.
> > > > 
> > > > This is probably caused by the line setting LTPBIN (which shouldn't have  
> > > > been there in the first place, my fault), does the attached patch fix it  
> > > > for you?
> > > 
> > > Neither applied this nor reverted the earlier one in this thread, as
> > > conclusion is yet to be made. But, I have to push the release today as I

Stephen Smalley | 5 May 16:10 2009

[PATCH] Update ltp selinux test script and policy

Note:  This does not obsolete or replace the other two patches I have
posted (Fix LTPBIN definition in selinux_file.sh, Fix MLS handling in
selinux tests), but rather should be applied on top of them.

Attached is a patch and a tar file to update the ltp selinux test script
and policy so that we no longer conditionally patch the test policy when
we run the test script.  The patch does the following:
- Disable patching of the policy in the test script.
- Change the refpolicy Makefile to redirect to a rhel/N/ subdirectory if
running on a redhat release and move the rhel-specific definitions
there.
- Change the refpolicy Makefile to only include test_bounds.te if the
checkpolicy supports policy.24 (and thus typebounds statements).
- Merge the sbin_deprecated.patch into the test policy.
- Further update the test policy to build cleanly on f11, while
preserving backward compatibility on f10.
- Added open permissions as necessary to the test policy (enabled in
f11).
- Update the ioctl test policy to reflect the updated
selinux_file_ioctl() logic in the kernel.
- Added a missing permission to the wait test policy that was causing it
to wrongly report PASS.

The tar file contains a new
testcases/kernel/security/selinux-testsuite/refpolicy/redhat/5
subdirectory to preserve a legacy copy of the test policy that works on
redhat 5.  The top-level refpolicy Makefile will redirect to this
subdirectory when it detects redhat 5.  Similar subdirectories can be
added for other stable releases going forward as needed.


Stephen Smalley | 5 May 16:29 2009

[PATCH] Update selinux ioctl test

Update the selinux ioctl test in ltp to reflect the revised
selinux_file_ioctl() logic in the kernel.  Also requires the
corresponding ltp selinux test policy update.

Signed-off-by:  Stephen Smalley <sds@...>

---

 testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c   |   13 +++
 testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_noioctl.c |   33 ++++++----
 2 files changed, 33 insertions(+), 13 deletions(-)

Index: testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c
===================================================================
RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c,v
retrieving revision 1.2
diff -u -r1.2 selinux_ioctl.c
--- testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c	26 Feb 2009
12:02:31 -0000	1.2
+++ testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c	1 May 2009
13:29:14 -0000
 <at>  <at>  -35,7 +35,7  <at>  <at> 
     exit(1);
   }

-  /* This one should hit the FILE__GETATTR test */
+  /* This one should hit the FILE__IOCTL test */
   rc = ioctl(fd, FIGETBSZ, &val);
   if( rc != 0 ) {
     perror("test_ioctl:FIGETBSZ");
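Review bot: Only the comment changes in this hunk; the `rc = ioctl(fd, FIGETBSZ, &val);` call and its `if( rc != 0 )` handling are untouched, so the expectation that FIGETBSZ is now governed by FILE__IOCTL rather than FILE__GETATTR is enforced entirely by the test policy update the message says is required, not by anything in the test itself. Say so in the comment, e.g. `/* FIGETBSZ is checked under FILE__IOCTL by the revised selinux_file_ioctl(); requires the updated test policy */`, so that a run against the old test policy or an older kernel is recognisable as a setup mismatch rather than a genuine failure.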