headers
Mark Webb | 1 May 2009 05:39
Picon
Gravatar

Re: labeled network aware kernel

racoon comes with ipsec-tools, and there is not much documentation to
go on.  Still working through it though..

On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock
<justinmattock@...> wrote:
> On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@...> wrote:
>> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>>> I am working to get the labelled IPSec working, following Josh
>>> Brindle's blog post
>>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>>  I just want to get the client and server running on loopback, using a
>>> fully patched Fedora 10 machine.
>>>
>>> I have the following keyfile that I pass into setkey:
>>> ----------
>>> spdflush;
>>>
>>> flush;
>>>
>>> spdadd 127.0.0.1 127.0.0.1 any
>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>> -P in ipsec esp/transport//require;
>>>
>>> spdadd 127.0.0.1 127.0.0.1 any
>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>> -P out ipsec esp/transport//require;
>>> ----------
>>>
>>> I enter the following commands:
>>>
(Continue reading)

Permalink | Reply | 1 comment |
headers
Mark Webb | 1 May 2009 06:06
Picon
Gravatar

Re: labeled network aware kernel

Thanks for the help.  I am going to get another machine set up so that
I am not using loopback any more.

After tinkering with things a bit, I found that running the command:

echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm

gets things working.  The other command seemed to disable loopback
communication.

On Thu, Apr 30, 2009 at 8:01 AM, Stephen Smalley <sds@...> wrote:
> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>> I am working to get the labelled IPSec working, following Josh
>> Brindle's blog post
>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>  I just want to get the client and server running on loopback, using a
>> fully patched Fedora 10 machine.
>>
>> I have the following keyfile that I pass into setkey:
>> ----------
>> spdflush;
>>
>> flush;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P in ipsec esp/transport//require;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
(Continue reading)

Permalink | Reply | 0 comments |
headers
Justin Mattock | 1 May 2009 06:23
Picon

Re: labeled network aware kernel

On Thu, Apr 30, 2009 at 8:39 PM, Mark Webb <elihusmails@...> wrote:
> racoon comes with ipsec-tools, and there is not much documentation to
> go on.  Still working through it though..
>
>
> On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock <justinmattock@...m> wrote:
>> On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@...> wrote:
>>> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>>>> I am working to get the labelled IPSec working, following Josh
>>>> Brindle's blog post
>>>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>>>  I just want to get the client and server running on loopback, using a
>>>> fully patched Fedora 10 machine.
>>>>
>>>> I have the following keyfile that I pass into setkey:
>>>> ----------
>>>> spdflush;
>>>>
>>>> flush;
>>>>
>>>> spdadd 127.0.0.1 127.0.0.1 any
>>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>>> -P in ipsec esp/transport//require;
>>>>
>>>> spdadd 127.0.0.1 127.0.0.1 any
>>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>>> -P out ipsec esp/transport//require;
>>>> ----------
>>>>
>>>> I enter the following commands:
(Continue reading)

Permalink | Reply | 0 comments |
headers
Eamon Walsh | 1 May 2009 06:54
Picon

Re: Some ideas in SE-PostgreSQL enhancement (Re: The status of SE-PostgreSQL)

KaiGai Kohei wrote:
> Eamon Walsh wrote:
>   
>> KaiGai Kohei wrote:
>>     
>>> KaiGai Kohei wrote:
>>>   
>>>       
>>>> My preference is the later one:
>>>>   TYPE_TRANSITION <subject context> <server context> : <class> <new context>;
>>>>
>>>> In addition, an idea of configuration file can be considerable to set up
>>>> the default context of database objects, though I considered it is not
>>>> necessary in the past discussion.
>>>> If a user want to work the database server process as an unconfined domain,
>>>> like a legacy "disable_xxxx_trans" boolean doing, the <server context> as
>>>> the target of TYPE_TRANSITION breaks all the correct labeling.
>>>>
>>>> If we have a /etc/selinux/$POLICYTYPE/contexts/db_{sepgsql|rubix}, as follows,
>>>> it can be used to specify the default context of special purpose database
>>>> object such as schemas to store temporary database objects, not only the
>>>> context of database as the root of type transition.
>>>> ------------
>>>> database    *             system_u:object_r:sepgsql_db_t:s0
>>>> schema      pg_temp_*     system_u:object_r:sepgsql_temp_schema_t:s0
>>>>   :             :            :
>>>> ------------
>>>>
>>>> The libselinux has selabel_lookup(3) interface to implement them
>>>> for various kind of objects.
(Continue reading)

Permalink | Reply | 2 comments |
headers
Stephen Smalley | 1 May 2009 13:52
Picon

Re: Fwd: [PATCH] Create $SELINUXTMPDIR in each of the tests

On Thu, 2009-04-30 at 09:22 -0400, Stephen Smalley wrote:
> On Thu, 2009-04-30 at 15:58 +0530, Subrata Modak wrote:
> > On Wed, 2009-04-29 at 22:48 +0200, Jiří Paleček wrote:
> > > On Wed, 29 Apr 2009 21:40:01 +0200, Stephen Smalley <sds <at> tycho.nsa.gov>  
> > > wrote:
> > > 
> > > > On Wed, 2009-04-29 at 21:27 +0200, Jiří Paleček wrote:
> > > >> On Wed, 29 Apr 2009 21:07:38 +0200, Stephen Smalley <sds <at> tycho.nsa.gov>
> > > >> wrote:
> > > >>
> > > >> > On Sun, 2009-04-19 at 00:17 +0530, Subrata Modak wrote:
> > > >> >> Stephen,
> > > >> >>
> > > >> >> Would you like to say something about the following Patch ?
> > > >> >
> > > >> > Yes, it breaks the selinux testsuite for me.  Please revert.
> > > >>
> > > >> How exactly does it break it?
> > > >
> > > > Running it via test_selinux.sh was generating errors like:
> > > > cd: /testcases/bin: No such file or directory
> > > > in selinux.outfile, producing a couple bogus FAILs.
> > > 
> > > This is probably caused by the line setting LTPBIN (which shouldn't have  
> > > been there in the first place, my fault), does the attached patch fix it  
> > > for you?
> > 
> > Nether applied this nor reverted the earlier one in this thread, as
> > conclusion is yet to be made. But, i have to push the release today as i
> > am going for a vacation for a couple of days. But, please send me the
(Continue reading)

Permalink | Reply | 1 comment |
headers
Stephen Smalley | 4 May 2009 21:43
Picon

[PATCH] selinux: Fix send_sigiotask hook

The CRED patch incorrectly converted the SELinux send_sigiotask hook to
use the current task SID rather than the target task SID in its
permission check, yielding the wrong permission check.  This fixes the
hook function.  Detected by the ltp selinux testsuite and confirmed to
correct the test failure.

Signed-off-by:  Stephen Smalley <sds@...>

---

 security/selinux/hooks.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ba808ef..2fcad7c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
 <at>  <at>  -3153,7 +3153,7  <at>  <at>  static int selinux_file_send_sigiotask(struct task_struct *tsk,
 				       struct fown_struct *fown, int signum)
 {
 	struct file *file;
-	u32 sid = current_sid();
+	u32 sid = task_sid(tsk);
 	u32 perm;
 	struct file_security_struct *fsec;

--

-- 
Stephen Smalley
National Security Agency
(Continue reading)

Permalink | Reply | 1 comment |
headers
David Howells | 5 May 2009 14:47
Picon
Favicon

Re: [PATCH] selinux: Fix send_sigiotask hook

Stephen Smalley <sds@...> wrote:

> The CRED patch incorrectly converted the SELinux send_sigiotask hook to
> use the current task SID rather than the target task SID in its
> permission check, yielding the wrong permission check.  This fixes the
> hook function.  Detected by the ltp selinux testsuite and confirmed to
> correct the test failure.
> 
> Signed-off-by:  Stephen Smalley <sds@...>

Acked-by: David Howells <dhowells@...>
Permalink | Reply | 0 comments |
headers
Stephen Smalley | 5 May 2009 15:52
Picon

Re: [LTP] Fwd: [PATCH] Create $SELINUXTMPDIR in each of the tests

On Fri, 2009-05-01 at 07:52 -0400, Stephen Smalley wrote:
> On Thu, 2009-04-30 at 09:22 -0400, Stephen Smalley wrote:
> > On Thu, 2009-04-30 at 15:58 +0530, Subrata Modak wrote:
> > > On Wed, 2009-04-29 at 22:48 +0200, Jiří Paleček wrote:
> > > > On Wed, 29 Apr 2009 21:40:01 +0200, Stephen Smalley <sds@...a.gov>  
> > > > wrote:
> > > > 
> > > > > On Wed, 2009-04-29 at 21:27 +0200, Jiří Paleček wrote:
> > > > >> On Wed, 29 Apr 2009 21:07:38 +0200, Stephen Smalley <sds <at> tycho.nsa.gov>
> > > > >> wrote:
> > > > >>
> > > > >> > On Sun, 2009-04-19 at 00:17 +0530, Subrata Modak wrote:
> > > > >> >> Stephen,
> > > > >> >>
> > > > >> >> Would you like to say something about the following Patch ?
> > > > >> >
> > > > >> > Yes, it breaks the selinux testsuite for me.  Please revert.
> > > > >>
> > > > >> How exactly does it break it?
> > > > >
> > > > > Running it via test_selinux.sh was generating errors like:
> > > > > cd: /testcases/bin: No such file or directory
> > > > > in selinux.outfile, producing a couple bogus FAILs.
> > > > 
> > > > This is probably caused by the line setting LTPBIN (which shouldn't have  
> > > > been there in the first place, my fault), does the attached patch fix it  
> > > > for you?
> > > 
> > > Nether applied this nor reverted the earlier one in this thread, as
> > > conclusion is yet to be made. But, i have to push the release today as i
(Continue reading)

Permalink | Reply | 0 comments |
headers
Stephen Smalley | 5 May 2009 16:10
Picon

[PATCH] Update ltp selinux test script and policy

Note:  This does not obsolete or replace the other two patches I have
posted (Fix LTPBIN definition in selinux_file.sh, Fix MLS handling in
selinux tests), but rather should be applied on top of them.

Attached is a patch and a tar file to update the ltp selinux test script
and policy so that we no longer conditionally patch the test policy when
we run the test script.  The patch does the following:
- Disable patching of the policy in the test script.
- Change the refpolicy Makefile to redirect to a rhel/N/ subdirectory if
running on a redhat release and move the rhel-specific definitions
there.
- Change the refpolicy Makefile to only include test_bounds.te if the
checkpolicy supports policy.24 (and thus typebounds statements).
- Merge the sbin_deprecated.patch into the test policy.
- Further update the test policy to build cleanly on f11, while
preserving backward compatibility on f10.
- Added open permissions as necessary to the test policy (enabled in
f11).
- Update the ioctl test policy to reflect the updated
selinux_file_ioctl() logic in the kernel.
- Added a missing permission to the wait test policy that was causing it
to wrongly report PASS.

The tar file contains a new
testcases/kernel/security/selinux-testsuite/refpolicy/redhat/5
subdirectory to preserve a legacy copy of the test policy that works on
redhat 5.  The top-level refpolicy Makefile will redirect to this
subdirectory when it detects redhat 5.  Similar subdirectories can be
added for other stable releases going forward as needed.
(Continue reading)

Permalink | Reply | 4 comments |
headers
Stephen Smalley | 5 May 2009 16:29
Picon

[PATCH] Update selinux ioctl test

Update the selinux ioctl test in ltp to reflect the revised
selinux_file_ioctl() logic in the kernel.  Also requires the
corresponding ltp selinux test policy update.

Signed-off-by:  Stephen Smalley <sds@...>

---

 testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c   |   13 +++
 testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_noioctl.c |   33 ++++++----
 2 files changed, 33 insertions(+), 13 deletions(-)

Index: testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c
===================================================================
RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c,v
retrieving revision 1.2
diff -u -r1.2 selinux_ioctl.c
--- testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c	26 Feb 2009
12:02:31 -0000	1.2
+++ testcases/kernel/security/selinux-testsuite/tests/ioctl/selinux_ioctl.c	1 May 2009
13:29:14 -0000
 <at>  <at>  -35,7 +35,7  <at>  <at> 
     exit(1);
   }

-  /* This one should hit the FILE__GETATTR test */
+  /* This one should hit the FILE__IOCTL test */
   rc = ioctl(fd, FIGETBSZ, &val);
   if( rc != 0 ) {
     perror("test_ioctl:FIGETBSZ");
(Continue reading)

Permalink | Reply | 2 comments |

Gmane