
[V2] netlabel: Update man page to clarify SELinux labeling

Message ID 20211116163838.10888-1-richard_c_haines@btinternet.com (mailing list archive)
State Accepted
Delegated to: Paul Moore
Series: [V2] netlabel: Update man page to clarify SELinux labeling

Commit Message

Richard Haines Nov. 16, 2021, 4:38 p.m. UTC
Clarify how SELinux setsockcreatecon(3) and policy socket* class
type_transition rules can impact domain:<domain> entries.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
V2: Clarify the labels returned using getsockopt(2)

 doc/man/man8/netlabelctl.8 | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
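The sequence the commit message summarizes, as an added example that is not the patch's or the NetLabel project's own code: the program sets a socket-creation label the way libselinux setsockcreatecon(3) does, by writing /proc/self/attr/sockcreate directly (an assumption about the libselinux internals, made so that no libselinux link is needed; a single-threaded process is assumed), creates a connected AF_UNIX socket pair, reads the label the server end sees through getsockopt(2) with SO_PEERSEC, and extracts the type component that a netlabelctl domain:<domain> entry must carry. It needs an SELinux kernel whose policy permits the label change; elsewhere the system calls fail with ENOENT or ENOPROTOOPT and the program reports that instead.

```c
/*
 * Added example, not part of the patch or the NetLabel project.  Shows what
 * the NOTES paragraph describes: a process changes the label of the sockets
 * it creates, and a peer then sees that socket label, not the process label,
 * through getsockopt(SO_PEERSEC).
 *
 * Assumptions: SELinux kernel, policy allowing this domain to set the
 * requested socket label, single-threaded process.  /proc/self/attr/sockcreate
 * is the file libselinux setsockcreatecon(3) writes; it is used directly so
 * the program builds without libselinux.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31   /* Linux asm-generic value; glibc normally defines it */
#endif

/*
 * Copy the type component (third field) of an SELinux context such as
 * "system_u:system_r:ping_t:s0" into out.  That type is the value a
 * netlabelctl domain:<domain> entry must carry.  Returns 0 on success,
 * -1 if the context is malformed or out is too small.
 */
int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int field = 0; field < 2; field++) {   /* skip user and role */
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    const char *end = strchr(p, ':');           /* optional MLS range */
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/*
 * Equivalent of setsockcreatecon(3): every socket this process creates from
 * now on is labeled ctx instead of inheriting the process label.  A NULL ctx
 * clears the setting with a zero-length write, as setsockcreatecon(NULL)
 * does.  Returns 0 on success, -1 with errno set otherwise.
 */
int set_sockcreate_label(const char *ctx)
{
    int fd = open("/proc/self/attr/sockcreate", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t w = ctx ? write(fd, ctx, strlen(ctx) + 1) : write(fd, "", 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return w < 0 ? -1 : 0;
}

/* What a server does after accept(2): fetch the peer socket's label.
 * buf is always NUL-terminated on success. */
int peer_label(int fd, char *buf, size_t len)
{
    socklen_t optlen = (socklen_t)len;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &optlen) < 0)
        return -1;
    buf[optlen < len ? optlen : len - 1] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    /* argv[1]: full context for the client socket, e.g. a context whose type
     * a socket* class type_transition rule would otherwise produce. */
    const char *label = argc > 1 ? argv[1] : NULL;
    int sv[2];
    char peer[256], type[128];

    if (label && set_sockcreate_label(label) < 0) {
        perror("set sockcreate label");   /* no SELinux, or policy denies it */
        return 1;
    }
    /* Both ends are created under the sockcreate label; sv[1] stands in for
     * the server end and sv[0] for the client.  A bind/listen/connect/accept
     * sequence over a real listener shows the same peer label. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        perror("socketpair");
        return 1;
    }
    set_sockcreate_label(NULL);           /* later sockets inherit again */

    if (peer_label(sv[1], peer, sizeof peer) < 0) {
        perror("SO_PEERSEC");             /* ENOPROTOOPT without an LSM */
        return 1;
    }
    if (context_type(peer, type, sizeof type) == 0)
        printf("server sees peer label %s -> use domain:%s\n", peer, type);
    else
        printf("server sees peer label %s\n", peer);
    return 0;
}
```

Run it with the full socket context as its only argument; the type it prints is what belongs in the domain:<domain> entry, which is the point of the NOTES paragraph. Without an argument it shows the inherited process label, the case the man page text calls the normal one.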

Comments

Richard Haines Nov. 18, 2021, 8:15 a.m. UTC | #1
On Tue, 2021-11-16 at 16:38 +0000, Richard Haines wrote:
> Clarify how SELinux setsockcreatecon(3) and policy socket* class
> type_transition rules can impact domain:<domain> entries.
> 
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> V2: Clarify the labels returned using getsockopt(2)
> 
>  doc/man/man8/netlabelctl.8 | 29 ++++++++++++++++++++++++++++-
>  1 file changed, 28 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/man/man8/netlabelctl.8 b/doc/man/man8/netlabelctl.8
> index bb00096..2a7852b 100644
> --- a/doc/man/man8/netlabelctl.8
> +++ b/doc/man/man8/netlabelctl.8
> @@ -57,7 +57,9 @@ Display the kernel's list of supported labeling
> protocols.
>  The domain mapping module is used to map different NetLabel labeling
> protocols
>  to either individual LSM domains or the default domain mapping.  It is
> up to
>  each LSM to determine what defines a domain.  With SELinux, the normal
> SELinux
> -domain should be used, i.e. "ping_t".  In addition to protocol
> selection based
> +domain should be used, i.e. "ping_t" (however see the
> +.B NOTES
> +section below regarding SElinux).  In addition to protocol selection
> based
>  only on the LSM domain, it is also possible to select the labeling
> protocol
>  based on both the LSM domain and destination address.  The network
> address
>  selectors can specify either single hosts or entire networks and work
> for both
> @@ -259,6 +261,31 @@ The static, or fallback, labels are only supported
> on Linux Kernels version
>  Linux Kernels 2.6.28 and later and CALIPSO/RFC5570 is only supported
> on Linux
>  Kernels 4.8.0 and later.
>  .P
> +When using the SELinux LSM, it is generally assumed that the
> +.I type
> +component of the process security label should be used as the
> +.I domain:<domain>
> +entry. However, NetLabel services actually use the socket security
> label to
> +determine labeling.  Normally this would be the same
> +.I type
> +component as the process (as by default the socket inherits the
> process
> +label).  There are cases where this matters, as it is possible with
> SELinux
> +to set a different label on the socket using the libselinux function
> +.BR setsockcreatecon (3),
> +or a policy socket* class
> +.I type_transition
> +rule.  Should these be used to change a socket label, then the new
> socket
> +.I type
> +must be used in the
> +.I domain:<domain>
> +entry instead.
> +If fallback labeling is configured and a new socket label is set on
> the
> +client, the server will show that label when
> +.BR getsockopt (2)
> +with
> +.I optname=SO_PEERSEC
> +is called.
> +.P
>  The NetLabel project site, with more information including the source
> code
>  repository, can be found at https://github.com/netlabel.  Please
> report any
>  bugs at the project site or directly to the author.

Are these really bugs or just features ?? The new tests in [1] treat
them as features.

[1] https://lore.kernel.org/selinux/20211117131450.41705-1-richard_c_haines@btinternet.com/
Paul Moore Nov. 24, 2021, 6:41 p.m. UTC | #2
On Thu, Nov 18, 2021 at 3:15 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> Are these really bugs or just features ?? The new tests in [1] treat
> them as features.
>
> [1] https://lore.kernel.org/selinux/20211117131450.41705-1-richard_c_haines@btinternet.com/
> https://lore.kernel.org/selinux/20211117131450.41705-1-richard_c_haines@btinternet.com/

Unless I'm misunderstanding what you've written, it looks like what you've
written is what I would expect to happen.
Paul Moore Nov. 24, 2021, 6:44 p.m. UTC | #3
On Tue, Nov 16, 2021 at 11:38 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> Clarify how SELinux setsockcreatecon(3) and policy socket* class
> type_transition rules can impact domain:<domain> entries.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> V2: Clarify the labels returned using getsockopt(2)
>
>  doc/man/man8/netlabelctl.8 | 29 ++++++++++++++++++++++++++++-
>  1 file changed, 28 insertions(+), 1 deletion(-)

Merged, thanks!

Patch

diff --git a/doc/man/man8/netlabelctl.8 b/doc/man/man8/netlabelctl.8
index bb00096..2a7852b 100644
--- a/doc/man/man8/netlabelctl.8
+++ b/doc/man/man8/netlabelctl.8
@@ -57,7 +57,9 @@  Display the kernel's list of supported labeling protocols.
 The domain mapping module is used to map different NetLabel labeling protocols
 to either individual LSM domains or the default domain mapping.  It is up to
 each LSM to determine what defines a domain.  With SELinux, the normal SELinux
-domain should be used, i.e. "ping_t".  In addition to protocol selection based
+domain should be used, i.e. "ping_t" (however see the
+.B NOTES
+section below regarding SElinux).  In addition to protocol selection based
 only on the LSM domain, it is also possible to select the labeling protocol
 based on both the LSM domain and destination address.  The network address
 selectors can specify either single hosts or entire networks and work for both
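Review bot: "SElinux" in the new parenthetical ("section below regarding SElinux") should read "SELinux", matching the capitalization used in the rest of the paragraph and in the NOTES text this patch adds. While this line is being touched, 'i.e. "ping_t"' presents an example rather than a definition, so "e.g." would be the accurate abbreviation, though that wording predates the patch.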
@@ -259,6 +261,31 @@  The static, or fallback, labels are only supported on Linux Kernels version
 Linux Kernels 2.6.28 and later and CALIPSO/RFC5570 is only supported on Linux
 Kernels 4.8.0 and later.
 .P
+When using the SELinux LSM, it is generally assumed that the
+.I type
+component of the process security label should be used as the
+.I domain:<domain>
+entry. However, NetLabel services actually use the socket security label to
+determine labeling.  Normally this would be the same
+.I type
+component as the process (as by default the socket inherits the process
+label).  There are cases where this matters, as it is possible with SELinux
+to set a different label on the socket using the libselinux function
+.BR setsockcreatecon (3),
+or a policy socket* class
+.I type_transition
+rule.  Should these be used to change a socket label, then the new socket
+.I type
+must be used in the
+.I domain:<domain>
+entry instead.
+If fallback labeling is configured and a new socket label is set on the
+client, the server will show that label when
+.BR getsockopt (2)
+with
+.I optname=SO_PEERSEC
+is called.
+.P
 The NetLabel project site, with more information including the source code
 repository, can be found at https://github.com/netlabel.  Please report any
 bugs at the project site or directly to the author.
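Review bot: "There are cases where this matters" leaves the consequence implicit; say outright that a domain:<domain> entry keyed on the process type will not match traffic from a socket whose label was changed with setsockcreatecon(3) or a socket* type_transition rule, so the labeling protocol selected for that domain is not applied to it. The closing getsockopt(2)/SO_PEERSEC sentence is the practical check for this, so consider phrasing it as one: the label the server reads with SO_PEERSEC is the value whose type component belongs in the domain:<domain> entry.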