Klaus we love you ;)

On Wed, 2006-06-28 at 18:03 -0500, Klaus Weidner wrote:
> Hello,
> 
> I've hacked together a very simple policy module to allow testing CIPSO
> with MLS constraints, which was surprisingly easy once I found out where
> to start... Kudos to Paul Moore and the Tresys folks for the code and
> documentation!
> 
> With the following setup, labeled localhost networking in enforcing mode
> works as expected, meaning that a "Unclassified" user can freely open a
> local TCP connection to another "Unclassified" user's TCP socket, but a
> "Secret" user's connection attempt is rejected.
> 
> I'm sure that there are many parts missing but I think this is a proof of
> concept to show that the MLS constraints do their job without needing any
> changes to the base policy. 
> 
> Here are the steps I used:
> 
> ### set up the new policy module
> cat > cipso.te <<__EOF__
>       module cipso 1.0;
> 
>       require {
>               type user_t, staff_t, sysadm_t;
>               class udp_socket { name_bind create ioctl read getattr write
>                                  setattr append bind connect getopt setopt
>                                  shutdown send_msg recv_msg node_bind };
>               class tcp_socket { name_bind node_bind create ioctl read
>                                  getattr write setattr append bind connect
>                                  getopt setopt shutdown listen accept
>                                  send_msg recv_msg };
>       }
> 
>       allow {user_t staff_t sysadm_t} {user_t staff_t sysadm_t} :
>             tcp_socket { recv_msg };
>       allow {user_t staff_t sysadm_t} {user_t staff_t sysadm_t} :
>             udp_socket { recv_msg };
> __EOF__
> 
> checkmodule -M -m cipso.te -o cipso.mod
> semodule_package -m cipso.mod -o cipso.pp
> semodule -i cipso.pp
> 
> ## configure CIPSO
> ##
> ## Make sure you use a local or serial console for testing, it will
> ## reject unlabeled packets from your SSH session (which is the entire
> ## point of CIPSO...)
> 
> setenforce 0
> netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2
> netlabelctl mgmt del default
> netlabelctl mgmt add default protocol:cipsov4,1
> netlabelctl unlbl accept off
> setenforce 1
> 
> ## now try some netcats
> newrole -r sysadm_r -l s1-s1
> nc -l 3333
> 
> newrole -r sysadm_r -l s2-s2
> nc localhost 3333
> 
> -Klaus
> 
> --
> redhat-lspp mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/redhat-lspp
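Added example, not part of Klaus's message: a small Python model of the check that makes the second netcat fail. It reads the level/category mapping from the netlabelctl command above and assumes a simplified recv_msg rule (the receiving socket's MLS label must dominate the incoming packet's label); the function and variable names are mine.

```python
import re

# Mapping from the netlabelctl command in the post (local=remote pairs).
NETLABEL_ARGS = "doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2"

def parse_cipso_map(args):
    """Return (level_map, category_map) from netlabelctl's local=remote pairs."""
    maps = {}
    for key in ("levels", "categories"):
        m = re.search(rf"\b{key}:([\d=,]+)", args)
        pairs = (p.split("=") for p in m.group(1).split(",")) if m else ()
        maps[key] = {int(local): int(remote) for local, remote in pairs}
    return maps["levels"], maps["categories"]

def parse_mls(label):
    """'s1:c0.c2,c5' -> (1, {0, 1, 2, 5}); for a range such as 's1-s1' the
    low end (the current level of the process or socket) is used."""
    sens, _, cats = label.split("-")[0].partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:  # inclusive category range such as c0.c2
            a, b = (int(x.lstrip("c")) for x in part.split("."))
            categories.update(range(a, b + 1))
        else:
            categories.add(int(part.lstrip("c")))
    return int(sens.lstrip("s")), categories

def to_cipso(label, level_map, cat_map):
    """Translate an MLS label to the CIPSO (level, categories) put on the wire."""
    level, cats = parse_mls(label)
    return level_map[level], {cat_map[c] for c in cats}

def dominates(a, b):
    """a dom b: level at least as high and a superset of the categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def recv_allowed(socket_label, packet_label, args=NETLABEL_ARGS):
    """Assumed (simplified) recv_msg rule: the receiving socket's label must
    dominate the incoming packet's label, i.e. no read up."""
    lmap, cmap = parse_cipso_map(args)
    return dominates(to_cipso(socket_label, lmap, cmap),
                     to_cipso(packet_label, lmap, cmap))

if __name__ == "__main__":
    # The two netcat runs from the post: an s1 listener, then s1 and s2 connectors.
    print(recv_allowed("s1-s1", "s1-s1"))  # True  (same level, accepted)
    print(recv_allowed("s1-s1", "s2-s2"))  # False (higher-level connector rejected)
```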
