[hipl-dev] [Bug 592160] Re: hipl and selinux

  • From: Miika Komu <592160@xxxxxxxxxxxxxxxxxx>
  • To: hipl-dev@xxxxxxxxxxxxx
  • Date: Mon, 03 Jan 2011 14:33:59 -0000

No progress, still open.

-- 
You received this bug notification because you are a member of HIPL core
team, which is subscribed to HIPL.
https://bugs.launchpad.net/bugs/592160

Title:
  hipl and selinux

Status in Host Identity Protocol for Linux:
  New

Bug description:
  Figure out how to configure selinux to work with hipl.

---

I have SELINUX=enforcing, SELINUXTYPE=targeted on stargazer and it works.
2.6.27.5-41.fc9.i686 kernel

---

How did you configure it?

---

hipd_init calls system("ifconfig dummy0 mtu"), but selinux does not allow its
operations:

type=1400 audit(1229087479.615:28): avc:  denied  { read write } for  pid=2462
comm="ifconfig" path="/var/lock/hipd.lock" dev=dm-1 ino=483418
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file

type=1400 audit(1229087479.615:29): avc:  denied  { read write } for  pid=2462
comm="ifconfig" path="socket:[64091]" dev=sockfs ino=64091
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_route_socket

type=1400 audit(1229087479.615:30): avc:  denied  { read write } for  pid=2462
comm="ifconfig" path="socket:[64092]" dev=sockfs ino=64092
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_xfrm_socket

type=1400 audit(1229087479.615:31): avc:  denied  { read write } for  pid=2462
comm="ifconfig" path="socket:[64093]" dev=sockfs ino=64093
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket

type=1400 audit(1229087479.615:32): avc:  denied  { read write } for  pid=2462
comm="ifconfig" path="socket:[64094]" dev=sockfs ino=64094
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket

type=1400 audit(1229087479.615:33): avc:  denied  { read write } for  pid=2462
comm="ifconfig" path="socket:[64096]" dev=sockfs ino=64096
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket

type=1400 audit(1229087479.615:34): avc:  denied  { read write } for  pid=2462
comm="ifconfig" path="socket:[64098]" dev=sockfs ino=64098
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket

---

Is it enough to allow dummy0 in selinux?

---

A policy like this should help, but it does not look very correct.

allow ifconfig_t initrc_t:netlink_route_socket { read write };
allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
allow ifconfig_t initrc_t:rawip_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t var_lock_t:file { read write };
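
As an added example (not part of this thread or of HIPL), a small Python script that parses AVC records like the ones quoted above, merges them into allow rules the way audit2allow would, and separately flags the socket denials whose target context is a process domain (initrc_t, role system_r) rather than an object_r type. Sockets are labelled with the domain of the process that created them, so those records show ifconfig inheriting hipd's open descriptors across system() rather than needing those permissions itself; that points to marking the descriptors close-on-exec in hipd instead of widening the policy. The three sample records are copied from the audit log quoted above; the function names are my own.

```python
import re

# AVC records copied from the audit log quoted in this bug thread (one per line).
SAMPLE_AUDIT = """\
type=1400 audit(1229087479.615:28): avc:  denied  { read write } for  pid=2462 comm="ifconfig" path="/var/lock/hipd.lock" dev=dm-1 ino=483418 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=1400 audit(1229087479.615:29): avc:  denied  { read write } for  pid=2462 comm="ifconfig" path="socket:[64091]" dev=sockfs ino=64091 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_route_socket
type=1400 audit(1229087479.615:31): avc:  denied  { read write } for  pid=2462 comm="ifconfig" path="socket:[64093]" dev=sockfs ino=64093 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """Parse 'avc: denied' records into the fields a policy rule needs."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:range]; the type is the third field.
        _, _, sdomain = m.group("scontext").split(":")[:3]
        _, trole, ttype = m.group("tcontext").split(":")[:3]
        denials.append({"sdomain": sdomain, "trole": trole, "ttype": ttype,
                        "tclass": m.group("tclass"),
                        "perms": set(m.group("perms").split())})
    return denials

def allow_rules(denials):
    """Merge permissions per (source, target, class) into sorted allow rules."""
    merged = {}
    for d in denials:
        key = (d["sdomain"], d["ttype"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

def inherited_fd_denials(denials):
    """Socket denials whose target is another process domain (not object_r):
    the socket was created by that domain and inherited across exec, so the
    right fix is FD_CLOEXEC in the parent, not an allow rule."""
    return [d for d in denials
            if d["tclass"].endswith("_socket") and d["trole"] != "object_r"
            and d["ttype"] != d["sdomain"]]

if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AUDIT)
    print("\n".join(allow_rules(parsed)))
    for d in inherited_fd_denials(parsed):
        print("inherited fd, do not allow: %s:%s" % (d["ttype"], d["tclass"]))
```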

---

It is even worse, I get "SELinux: failure in selinux_parse_skb(), unable to
parse packet" with ping6 2001:1c:9d:1d34:7d57:bd54:1d10:a393 (halko), but not 
2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 (ashenvale), 
2001:1e:574e:2505:264a:b360:d8cc:1d75 (stargazer), 
2001:14:766e:fbee:f74d:ec73:d6c5:28c0 (hipserver)

So normally "it works", but fails on some HITs.

[root@aeris ~]# ping6 -c1 2001:14:766e:fbee:f74d:ec73:d6c5:28c0
PING 2001:14:766e:fbee:f74d:ec73:d6c5:28c0(2001:14:766e:fbee:f74d:ec73:d6c5:28c0) 56 data bytes
64 bytes from 2001:14:766e:fbee:f74d:ec73:d6c5:28c0: icmp_seq=1 ttl=64 time=0.316 ms

--- 2001:14:766e:fbee:f74d:ec73:d6c5:28c0 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.316/0.316/0.316/0.000 ms
[root@aeris ~]# ping6 -c1 2001:1e:574e:2505:264a:b360:d8cc:1d75
PING 2001:1e:574e:2505:264a:b360:d8cc:1d75(2001:1e:574e:2505:264a:b360:d8cc:1d75) 56 data bytes
64 bytes from 2001:1e:574e:2505:264a:b360:d8cc:1d75: icmp_seq=1 ttl=64 time=0.355 ms

--- 2001:1e:574e:2505:264a:b360:d8cc:1d75 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.355/0.355/0.355/0.000 ms
[root@aeris ~]# ping6 -c1 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3
PING 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3(2001:1c:cbae:47ae:2871:f9c:eb94:c8e3) 56 data bytes
64 bytes from 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3: icmp_seq=1 ttl=64 time=0.351 ms

--- 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.351/0.351/0.351/0.000 ms
[root@aeris ~]# ping6 -c1 2001:1c:9d:1d34:7d57:bd54:1d10:a393
PING 2001:1c:9d:1d34:7d57:bd54:1d10:a393(2001:1c:9d:1d34:7d57:bd54:1d10:a393) 56 data bytes
ping: sendmsg: Operation not permitted
^C
--- 2001:1c:9d:1d34:7d57:bd54:1d10:a393 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 547ms
HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer  HIT: 2001:0014:766e:fbee:f74d:ec73:d6c5:28c0
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.7
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer  IP: 2001:0708:0140:0220:0211:11ff:fe84:b791
 Peer  hostname: hipserver.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer  HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.2
 Local IP: 0000:0000:0000:0000:0000:0000:0000:0001
 Peer  IP: 0000:0000:0000:0000:0000:0000:0000:0001
 Peer  hostname: aeris.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer  HIT: 2001:001e:574e:2505:264a:b360:d8cc:1d75
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.3
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer  IP: 2001:0708:0140:0220:0215:60ff:fe9f:60c4
 Peer  hostname: 

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer  HIT: 2001:001c:cbae:47ae:2871:0f9c:eb94:c8e3
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.6
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer  IP: 2001:0708:0140:0220:0000:0000:0000:0555
 Peer  hostname: ashenvale.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer  HIT: 2001:001e:359d:5b5f:77fb:19b1:eb03:aa3e
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.4
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer  IP: 2001:0708:0140:0220:0213:e8ff:fe82:7341
 Peer  hostname: 

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer  HIT: 2001:001c:009d:1d34:7d57:bd54:1d10:a393
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.5
 Local IP: 193.167.187.149
 Peer  IP: 193.167.187.26
 Peer  hostname: 


---

From Samu:

Network Labeling:  IPSEC/xfrm
• Implicit packet labeling via IPSEC/xfrm.
• Security context stored in xfrm policy rules and states.
• Authorize socket's use of policy based on context.
• Build SAs with context of policy.
• Included in Linux 2.6.16.
• TCP SO_PEERSEC support, UDP SCM_SECURITY support added in Linux 2.6.17.

---

From Samu:

http://www.linuxtopia.org/online_books/redhat_selinux_guide/rhlcommon-section-0104.html

---

If you manage to get SELinux to work, please include a new section in the
manual on this and document the exact steps on how to make it work. You can
commit directly to the userspace branch.

Samu has a book on SELinux which he promised to bring to HIIT tomorrow, but
there should be plenty of material available on the net.
