From: Linda K. <lin...@hp...> - 2011-06-03 00:09:01
Add netlabel rules to automatically label unlabeled traffic and test policy to go along with that. I'm not sure all the policy is necessary but it's what I'm running so I'll add it for now. With these rules and this policy, I'm able to use ssh from a non-mls host. We could certainly tighten these rules to only label traffic from specific IP addresses or ports if we need to. It would just mean each tester would have to customize his/her configuration. Also bumped the policy revision to use all the digits.

Signed-off-by: Linda Knippers <ljk@bluefish.(none)>
---
 audit/network/system/netlabel.rules | 5 ++++
 audit/utils/selinux-policy/lspp_test.te | 41 ++++++++++++++++++++++++++++++-
 2 files changed, 45 insertions(+), 1 deletions(-)
diff --git a/audit/network/system/netlabel.rules b/audit/network/system/netlabel.rules index 35a09bc..fe58bd8 100644 --- a/audit/network/system/netlabel.rules +++ b/audit/network/system/netlabel.rules @@ -4,6 +4,11 @@ # LSPP Test Configuration ###################################################################### +# Default labels + +unlbl add default address:0.0.0.0/0 label:system_u:object_r:unlabeled_t:s0 +unlbl add default address:::/0 label:system_u:object_r:unlabeled_t:s0 + # CIPSO DOI definition cipsov4 add pass doi:100 tags:1 diff --git a/audit/utils/selinux-policy/lspp_test.te b/audit/utils/selinux-policy/lspp_test.te index 0a6b07b..2aa60e6 100644 --- a/audit/utils/selinux-policy/lspp_test.te +++ b/audit/utils/selinux-policy/lspp_test.te @@ -32,7 +32,7 @@ define(`ROLES_ALL',`sysadm_r secadm_r auditadm_r staff_r') # the policy_module() and gen_require() statements. # -policy_module(lspp_test,0.6.2) +policy_module(lspp_test,6.2.1) # we really shouldn't be accessing these policy constructs directly but there # isn't always a policy interface available for what we want to do, so just
@@ -46,6 +46,9 @@ gen_require(` type auditd_t, inetd_t, initrc_t, passwd_t; # objects type auditd_log_t, sysadm_lpr_t, ipsec_spd_t; + # more objects for network controls + type lo_netif_t, netif_t, node_t, unlabeled_t, netlabel_peer_t; + type kernel_t, inetd_t, sshd_t, ping_t; ') ### @@ -269,3 +272,39 @@ unconfined_domain_noaudit(lspp_test_ipsec_t) # give the test domain the ability to match against the SPD entries allow lspp_test_ipsec_t ipsec_spd_t:association polmatch; + + +# network controls for interfaces + +allow unlabeled_t lo_netif_t:netif ingress; +allow unlabeled_t unlabeled_t:netif ingress; +allow netlabel_peer_t netif_t:netif ingress; +allow netlabel_peer_t unlabeled_t:netif ingress; +allow netlabel_peer_t node_t:node recvfrom; +allow kernel_t unlabeled_t:netif egress; + +# network controls for the test harness and tests + +allow lspp_harness_t unlabeled_t:netif egress; +allow lspp_harness_t netlabel_peer_t:peer recv; + +allow lspp_test_ipsec_t unlabeled_t:netif egress; +allow lspp_test_ipsec_t netlabel_peer_t:peer recv; + +allow lspp_test_generic_t unlabeled_t:netif egress; +allow lspp_test_generic_t netlabel_peer_t:peer recv; + +allow lspp_test_netlabel_t unlabeled_t:netif egress; +allow lspp_test_netlabel_t netlabel_peer_t:peer recv; + +# network controls for specific daemons and controls + +allow inetd_t lo_netif_t:netif egress; +allow inetd_t unlabeled_t:netif egress; + +allow sshd_t unlabeled_t:peer recv; +allow sshd_t unlabeled_t:netif egress; +allow unlabeled_t sshd_t:netif egress; + +allow ping_t unlabeled_t:netif egress; +allow unlabeled_t ping_t:netif egress; -- 1.6.2.5 |
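Review bot: in the netlabel.rules hunk, the two `unlbl add default` lines map every unlabeled IPv4 and IPv6 peer (`0.0.0.0/0` and `::/0`) to `system_u:object_r:unlabeled_t:s0`, which the cover text says is deliberately broad and may need narrowing per tester; put that intent into the file as a comment under `# Default labels` (for example `# catch-all defaults; narrow the address: fields to specific hosts or ports if required`) so it survives outside the commit message.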
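Review bot: in the `@@ -32,7 +32,7 @@` hunk, `policy_module(lspp_test,0.6.2)` becomes `policy_module(lspp_test,6.2.1)`, which moves the major field rather than bumping a revision; the message says this is to "use all the digits", but `0.6.2` already has three fields, so if only a bump was intended `0.6.3` is the conventional step, and if the renumbering is intentional the reason belongs in the commit message.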
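Review bot: in the `@@ -46,6 +46,9 @@` hunk, `inetd_t` is now required twice, once in the existing `type auditd_t, inetd_t, initrc_t, passwd_t;` and again in the added `type kernel_t, inetd_t, sshd_t, ping_t;`; drop it from the new line.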
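Review bot: in the `@@ -269,3 +272,39 @@` hunk, `allow unlabeled_t sshd_t:netif egress;` and `allow unlabeled_t ping_t:netif egress;` put process domains in the target position of a `netif` check, whereas every other `netif` rule in this hunk targets an interface type (`lo_netif_t`, `netif_t`, `unlabeled_t`); unless an interface is actually labeled `sshd_t` or `ping_t`, these two rules never match. Check whether they were meant as `allow unlabeled_t unlabeled_t:netif egress;` (the egress counterpart of the added `allow unlabeled_t unlabeled_t:netif ingress;`) and drop them otherwise.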