Re: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
On Friday, July 13 2007 3:29:23 pm Stephen Smalley wrote: > Agreed, it needs to be fixed in the netlabel code. For anyone interested, and for the sake of completeness, an updated patch[set] has been posted to the SELinux mailing list for review. The new patchset is designed to fix the problem that Michal reported. -- paul moore linux security @ hp - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
-Original Message-
From: Stephen Smalley <[EMAIL PROTECTED]>
Date: Friday, Jul 13, 2007 3:30 pm
Subject: Re: The art of breaking userspace (was Re: [GIT] SELinux changes
for 2.6.23 (updated))
To: Michal Piotrowski <[EMAIL PROTECTED]>
CC: Paul Moore <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED],
linux-kernel@vger.kernel.org
On Fri, 2007-07-13 at 21:08 +0200, Michal Piotrowski wrote:
> Paul Moore pisze:
> [..]
> > On Fri, 13 Jul 2007, Michal Piotrowski wrote:
> >> My system is too secure, I can not login :)
> >>
> >> Do you have CONFIG_NETLABEL=y ?
> >>
> >> If so, please try disabling it.
> >
> > Disabling NetLabel should solve the problem.
>
> Disabling NetLabel solves the problem.
>
> > The recommended solution to this problem, as discussed on the SELinux list
> > and mentioned in the patch description, is to upgrade your SELinux policy
> > to the latest Reference Policy sources. For those with custom SELinux
> > policy, the patch description explains the changes to the SELinux policy
> > required.
>
> I'm sorry to say this, but this kind of patches should not be accepted.
>
> Patch
>
> commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
> Author: Paul Moore <[EMAIL PROTECTED]>
> Date: Fri Jun 29 11:48:16 2007 -0400
>
> SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for
> NetLabel
>
> These changes will make NetLabel behave like labeled IPsec where there is
> an
> access check for both labeled and unlabeled packets as well as providing
> the
> ability to restrict domains to receiving only labeled packets when
> NetLabel
> is in use. The changes to the policy are straight forward with the
> following necessary to receive labeled traffic (with SECINITSID_NETMSG
> defined as "netlabel_peer_t"):
>
> allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket }
> recvfrom;
>
> The policy for unlabeled traffic would be:
>
> allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket }
> recvfrom;
>
> These policy changes, as well as more general NetLabel support, are
> included
> in the SELinux Reference Policy SVN tree, r2352 or later. Users who
> enable
> NetLabel support in the kernel are strongly encouraged to upgrade their
> policy to avoid network problems.
>
> Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
> Signed-off-by: James Morris <[EMAIL PROTECTED]>
>
>
> breaks systems with recent selinux policy.
>
> (rpm -qa selinux-policy-*
> selinux-policy-devel-2.6.4-25.fc7
> selinux-policy-targeted-2.6.4-25.fc7)
>
> I will add this as a regression unless Linus says "Fsck it! We don't care
> about compatibility"
>
>Agreed, it needs to be fixed in the netlabel code.
I'm stuck in the airport right now but I will send a patch out later tonight.
. paul moore
. linux security @ hp
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
On Fri, 2007-07-13 at 21:08 +0200, Michal Piotrowski wrote:
> Paul Moore pisze:
> [..]
> > On Fri, 13 Jul 2007, Michal Piotrowski wrote:
> >> My system is too secure, I can not login :)
> >>
> >> Do you have CONFIG_NETLABEL=y ?
> >>
> >> If so, please try disabling it.
> >
> > Disabling NetLabel should solve the problem.
>
> Disabling NetLabel solves the problem.
>
> > The recommended solution to this problem, as discussed on the SELinux list
> > and mentioned in the patch description, is to upgrade your SELinux policy
> > to the latest Reference Policy sources. For those with custom SELinux
> > policy, the patch description explains the changes to the SELinux policy
> > required.
>
> I'm sorry to say this, but this kind of patches should not be accepted.
>
> Patch
>
> commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
> Author: Paul Moore <[EMAIL PROTECTED]>
> Date: Fri Jun 29 11:48:16 2007 -0400
>
> SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for
> NetLabel
>
> These changes will make NetLabel behave like labeled IPsec where there is
> an
> access check for both labeled and unlabeled packets as well as providing
> the
> ability to restrict domains to receiving only labeled packets when
> NetLabel
> is in use. The changes to the policy are straight forward with the
> following necessary to receive labeled traffic (with SECINITSID_NETMSG
> defined as "netlabel_peer_t"):
>
> allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket }
> recvfrom;
>
> The policy for unlabeled traffic would be:
>
> allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket }
> recvfrom;
>
> These policy changes, as well as more general NetLabel support, are
> included
> in the SELinux Reference Policy SVN tree, r2352 or later. Users who
> enable
> NetLabel support in the kernel are strongly encouraged to upgrade their
> policy to avoid network problems.
>
> Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
> Signed-off-by: James Morris <[EMAIL PROTECTED]>
>
>
> breaks systems with recent selinux policy.
>
> (rpm -qa selinux-policy-*
> selinux-policy-devel-2.6.4-25.fc7
> selinux-policy-targeted-2.6.4-25.fc7)
>
> I will add this as a regression unless Linus says "Fsck it! We don't care
> about compatibility"
Agreed, it needs to be fixed in the netlabel code.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
Paul Moore pisze:
[..]
> On Fri, 13 Jul 2007, Michal Piotrowski wrote:
>> My system is too secure, I can not login :)
>>
>> Do you have CONFIG_NETLABEL=y ?
>>
>> If so, please try disabling it.
>
> Disabling NetLabel should solve the problem.
Disabling NetLabel solves the problem.
> The recommended solution to this problem, as discussed on the SELinux list
> and mentioned in the patch description, is to upgrade your SELinux policy to
> the latest Reference Policy sources. For those with custom SELinux policy,
> the patch description explains the changes to the SELinux policy required.
I'm sorry to say this, but this kind of patches should not be accepted.
Patch
commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
Author: Paul Moore <[EMAIL PROTECTED]>
Date: Fri Jun 29 11:48:16 2007 -0400
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
These changes will make NetLabel behave like labeled IPsec where there is an
access check for both labeled and unlabeled packets as well as providing the
ability to restrict domains to receiving only labeled packets when NetLabel
is in use. The changes to the policy are straight forward with the
following necessary to receive labeled traffic (with SECINITSID_NETMSG
defined as "netlabel_peer_t"):
allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket }
recvfrom;
The policy for unlabeled traffic would be:
allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
These policy changes, as well as more general NetLabel support, are included
in the SELinux Reference Policy SVN tree, r2352 or later. Users who enable
NetLabel support in the kernel are strongly encouraged to upgrade their
policy to avoid network problems.
Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
Signed-off-by: James Morris <[EMAIL PROTECTED]>
breaks systems with recent selinux policy.
(rpm -qa selinux-policy-*
selinux-policy-devel-2.6.4-25.fc7
selinux-policy-targeted-2.6.4-25.fc7)
I will add this as a regression unless Linus says "Fsck it! We don't care about
compatibility"
>
> If needed I can post more instructions later, let me know, but right now I'm
> tapping this out on my phone while at the airport.
>
> . paul moore
> . linux security @ hp
>
>
>
Regards,
Michal
--
LOG
http://www.stardust.webpages.pl/log/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
Paul Moore pisze:
[..]
On Fri, 13 Jul 2007, Michal Piotrowski wrote:
My system is too secure, I can not login :)
Do you have CONFIG_NETLABEL=y ?
If so, please try disabling it.
Disabling NetLabel should solve the problem.
Disabling NetLabel solves the problem.
The recommended solution to this problem, as discussed on the SELinux list
and mentioned in the patch description, is to upgrade your SELinux policy to
the latest Reference Policy sources. For those with custom SELinux policy,
the patch description explains the changes to the SELinux policy required.
I'm sorry to say this, but this kind of patches should not be accepted.
Patch
commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
Author: Paul Moore [EMAIL PROTECTED]
Date: Fri Jun 29 11:48:16 2007 -0400
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel
These changes will make NetLabel behave like labeled IPsec where there is an
access check for both labeled and unlabeled packets as well as providing the
ability to restrict domains to receiving only labeled packets when NetLabel
is in use. The changes to the policy are straight forward with the
following necessary to receive labeled traffic (with SECINITSID_NETMSG
defined as netlabel_peer_t):
allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket }
recvfrom;
The policy for unlabeled traffic would be:
allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
These policy changes, as well as more general NetLabel support, are included
in the SELinux Reference Policy SVN tree, r2352 or later. Users who enable
NetLabel support in the kernel are strongly encouraged to upgrade their
policy to avoid network problems.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
Signed-off-by: James Morris [EMAIL PROTECTED]
breaks systems with recent selinux policy.
(rpm -qa selinux-policy-*
selinux-policy-devel-2.6.4-25.fc7
selinux-policy-targeted-2.6.4-25.fc7)
I will add this as a regression unless Linus says Fsck it! We don't care about
compatibility
If needed I can post more instructions later, let me know, but right now I'm
tapping this out on my phone while at the airport.
. paul moore
. linux security @ hp
Regards,
Michal
--
LOG
http://www.stardust.webpages.pl/log/
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
On Fri, 2007-07-13 at 21:08 +0200, Michal Piotrowski wrote:
Paul Moore pisze:
[..]
On Fri, 13 Jul 2007, Michal Piotrowski wrote:
My system is too secure, I can not login :)
Do you have CONFIG_NETLABEL=y ?
If so, please try disabling it.
Disabling NetLabel should solve the problem.
Disabling NetLabel solves the problem.
The recommended solution to this problem, as discussed on the SELinux list
and mentioned in the patch description, is to upgrade your SELinux policy
to the latest Reference Policy sources. For those with custom SELinux
policy, the patch description explains the changes to the SELinux policy
required.
I'm sorry to say this, but this kind of patches should not be accepted.
Patch
commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
Author: Paul Moore [EMAIL PROTECTED]
Date: Fri Jun 29 11:48:16 2007 -0400
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for
NetLabel
These changes will make NetLabel behave like labeled IPsec where there is
an
access check for both labeled and unlabeled packets as well as providing
the
ability to restrict domains to receiving only labeled packets when
NetLabel
is in use. The changes to the policy are straight forward with the
following necessary to receive labeled traffic (with SECINITSID_NETMSG
defined as netlabel_peer_t):
allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket }
recvfrom;
The policy for unlabeled traffic would be:
allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket }
recvfrom;
These policy changes, as well as more general NetLabel support, are
included
in the SELinux Reference Policy SVN tree, r2352 or later. Users who
enable
NetLabel support in the kernel are strongly encouraged to upgrade their
policy to avoid network problems.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
Signed-off-by: James Morris [EMAIL PROTECTED]
breaks systems with recent selinux policy.
(rpm -qa selinux-policy-*
selinux-policy-devel-2.6.4-25.fc7
selinux-policy-targeted-2.6.4-25.fc7)
I will add this as a regression unless Linus says Fsck it! We don't care
about compatibility
Agreed, it needs to be fixed in the netlabel code.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
-Original Message-
From: Stephen Smalley [EMAIL PROTECTED]
Date: Friday, Jul 13, 2007 3:30 pm
Subject: Re: The art of breaking userspace (was Re: [GIT] SELinux changes
for 2.6.23 (updated))
To: Michal Piotrowski [EMAIL PROTECTED]
CC: Paul Moore [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
linux-kernel@vger.kernel.org
On Fri, 2007-07-13 at 21:08 +0200, Michal Piotrowski wrote:
Paul Moore pisze:
[..]
On Fri, 13 Jul 2007, Michal Piotrowski wrote:
My system is too secure, I can not login :)
Do you have CONFIG_NETLABEL=y ?
If so, please try disabling it.
Disabling NetLabel should solve the problem.
Disabling NetLabel solves the problem.
The recommended solution to this problem, as discussed on the SELinux list
and mentioned in the patch description, is to upgrade your SELinux policy
to the latest Reference Policy sources. For those with custom SELinux
policy, the patch description explains the changes to the SELinux policy
required.
I'm sorry to say this, but this kind of patches should not be accepted.
Patch
commit 9faf65fb6ee2b4e08325ba2d69e5ccf0c46453d0
Author: Paul Moore [EMAIL PROTECTED]
Date: Fri Jun 29 11:48:16 2007 -0400
SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for
NetLabel
These changes will make NetLabel behave like labeled IPsec where there is
an
access check for both labeled and unlabeled packets as well as providing
the
ability to restrict domains to receiving only labeled packets when
NetLabel
is in use. The changes to the policy are straight forward with the
following necessary to receive labeled traffic (with SECINITSID_NETMSG
defined as netlabel_peer_t):
allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket }
recvfrom;
The policy for unlabeled traffic would be:
allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket }
recvfrom;
These policy changes, as well as more general NetLabel support, are
included
in the SELinux Reference Policy SVN tree, r2352 or later. Users who
enable
NetLabel support in the kernel are strongly encouraged to upgrade their
policy to avoid network problems.
Signed-off-by: Paul Moore [EMAIL PROTECTED]
Signed-off-by: James Morris [EMAIL PROTECTED]
breaks systems with recent selinux policy.
(rpm -qa selinux-policy-*
selinux-policy-devel-2.6.4-25.fc7
selinux-policy-targeted-2.6.4-25.fc7)
I will add this as a regression unless Linus says Fsck it! We don't care
about compatibility
Agreed, it needs to be fixed in the netlabel code.
I'm stuck in the airport right now but I will send a patch out later tonight.
. paul moore
. linux security @ hp
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: The art of breaking userspace (was Re: [GIT] SELinux changes for 2.6.23 (updated))
On Friday, July 13 2007 3:29:23 pm Stephen Smalley wrote: Agreed, it needs to be fixed in the netlabel code. For anyone interested, and for the sake of completeness, an updated patch[set] has been posted to the SELinux mailing list for review. The new patchset is designed to fix the problem that Michal reported. -- paul moore linux security @ hp - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
