From c6f58ba9240b69309789c5af65f6a1c219a9b086 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 6 Sep 2010 09:06:40 -0700
Subject: [PATCH] Enhance SELinux support:
- Add state match
- Add user/group match
- Add examples to the man pages
---
Shorewall/Perl/Shorewall/Tc.pm | 20 ++++++-
Shorewall/configfiles/secmarks | 4 +-
docs/Manpages.xml | 3 +
docs/Manpages6.xml | 3 +
docs/configuration_file_basics.xml | 6 ++
manpages/shorewall-secmarks.xml | 91 +++++++++++++++++++++++++++++-
manpages6/shorewall6-secmarks.xml | 88 ++++++++++++++++++++++++++++-
7 files changed, 205 insertions(+), 10 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 718705b19..cb52a68d9 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1373,7 +1373,7 @@ sub setup_traffic_shaping() {
 # Process a record in the secmarks file
 #
 sub process_secmark_rule() {
- my ( $secmark, $chain, $source, $dest, $proto, $dport, $sport, $mark ) = split_line1( 2, 8 , 'Secmarks file' );
+ my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
 if ( $secmark eq 'COMMENT' ) {
 process_comment;
@@ -1386,10 +1386,24 @@ sub process_secmark_rule() {
 I => 'tcin' ,
 O => 'tcout' ,
 );
- my $chain1= $chns{$chain};
+ my %state = ( N => 'NEW' ,
+ E => 'ESTABLISHED' ,
+ ER => 'ESTABLISHED,RELATED' );
+ my ( $chain , $state, $rest) = split ':', $chainin , 3;
+
+ fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
+
+ my $chain1= $chns{$chain};
+ fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
+ if ( ( $state ||= '' ) ne '' ) {
+ my $state1;
+ fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
+ $state = "$globals{STATEMATCH} $state1 ";
+ }
+
+ my $target = $secmark eq 'SAVE' ? 'CONNSECMARK --save' :
 $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
 "SECMARK --selctx $secmark";
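Review bot: The new USER column is inserted between SOURCE PORT(S) and MARK instead of being appended, so an existing secmarks entry that filled all eight columns now has its MARK value unpacked into `$user` and nothing into `$mark`; with `split_line1( 2, 9 , 'Secmarks file' )` the line itself parses without complaint and whatever error results, if any, surfaces later from do_user rather than as a clear column-layout error. I cannot see from here how split_line1 pads a short line, but if files written for the previous 8-column layout are expected to keep working, the unpacking should detect the old column count before assigning, or the release notes should state that the layout changed. The rest of process_secmark_rule lies outside this hunk.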
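Review bot: `if ( ( $state ||= '' ) ne '' )` treats a STATE of `0` as empty, so `I:0` is accepted silently with no state match instead of reaching the `Invalid STATE` fatal_error; `if ( defined $state && $state ne '' )` keeps every value other than N, E and ER on the error path (a trailing colon with nothing after it, `I:`, is also accepted silently, which may or may not be intended). The lexical hash `%state` and the scalar `$state`, which is later overwritten with the generated match string, share a name in the same scope, so `$state{$state}` reads as a self-lookup; naming the hash `%state_of` or `%states` would avoid that. The hunk's trailing context lines are cut off at the end of this line, so the statements after `my $target` are not visible.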
@@ -1400,7 +1414,9 @@ sub process_secmark_rule() {
 expand_rule( ensure_mangle_chain( $chain1 ) ,
 $restrictions{$chain1} ,
+ $state .
 do_proto( $proto, $dport, $sport ) .
+ do_user( $user ) .
 do_test( $mark, $globals{TC_MASK} ) ,
 $source ,
 $dest ,
diff --git a/Shorewall/configfiles/secmarks b/Shorewall/configfiles/secmarks
index 64ecb3dab..b01f31e06 100644
--- a/Shorewall/configfiles/secmarks
+++ b/Shorewall/configfiles/secmarks
@@ -4,6 +4,6 @@
 # For information about entries in this file, type "man shorewall-secmarks"
 #
 ############################################################################################################
-#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
-# PORT(S) PORT(S)
+#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
+# STATE PORT(S) PORT(S) GROUP
diff --git a/docs/Manpages.xml b/docs/Manpages.xml
index 6ef37533a..c49721af1 100644
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -129,6 +129,9 @@ rules - Specify exceptions to policies, including DNAT and REDIRECT. + secmarks - Attach + an SELinux context to a packet. + tcclasses - Define htb classes for traffic shaping.
diff --git a/docs/Manpages6.xml b/docs/Manpages6.xml
index 720fc71c2..5c81559e3 100644
--- a/docs/Manpages6.xml
+++ b/docs/Manpages6.xml
@@ -114,6 +114,9 @@ rules - Specify exceptions to policies, including DNAT and REDIRECT. + secmarks - + Attached an SELinux context to a packet. + tcclasses - Define htb classes for traffic shaping.
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 3919f6359..7fbd23239 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -213,6 +213,12 @@ shaping. + + /etc/shorewall/secmarks - Added in + Shorewall 4.4.13. Attach an SELinux context to selected + packets. + + /etc/shorewall/vardir - Determines the directory where Shorewall maintains its state.
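Review bot: Nothing in the new code ties the USER/GROUP column to the chain it is valid in: the man page text added by this same patch says the column may only be non-empty when SOURCE is the firewall itself, and an owner match of the kind do_user presumably emits is only accepted by the kernel on the OUTPUT and POSTROUTING paths (the `O` and `T` chains of this file), so an entry such as `I:N ... joe` would compile cleanly and then fail when the generated script loads the mangle table, unless do_user or expand_rule rejects it — I cannot see either from here. A compile-time check next to the CHAIN validation in the previous hunk, e.g. `fatal_error "USER/GROUP is only allowed in the O and T chains" if $user ne '-' && $chain !~ /^[OT]\z/;` (assuming `-` is the placeholder split_line1 substitutes for an omitted column), turns a load-time failure that can leave the firewall in its fallback state into a clear configuration error. The expand_rule call continues outside this hunk, and its first context line appears to have been lost when the patch was collapsed.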
diff --git a/manpages/shorewall-secmarks.xml b/manpages/shorewall-secmarks.xml
index 5dcb14682..a2f26e4d6 100644
--- a/manpages/shorewall-secmarks.xml
+++ b/manpages/shorewall-secmarks.xml
@@ -24,7 +24,7 @@ Description The secmarks file is used to associate an SELinux context with - packets. + packets. It was added in Shorewall version 4.4.13. The columns in the file are as follows.
@@ -66,9 +66,13 @@ - CHAIN - {P|I|F|O|T} + CHAIN:STATE - + {P|I|F|O|T}[:{N|E|ER}] + This column determines the CHAIN where the SElinux context is + to be applied: + P - PREROUTING
@@ -80,6 +84,18 @@ T - POSTROUTING + + It may be optionally followed by a colon and an indication of + the connection state(s) at which the context is to be + applied: + + + :N - NEW connection + + :E - ESTABLISHED connection + + :ER - ESTABLISHED or RELATED connection +
@@ -102,7 +118,7 @@ A comma-separated list of host or network IP addresses or - MAC addresses. + MAC addresses.
@@ -206,6 +222,52 @@ + + USER (Optional) - [!][user-name-or-number][:group-name-or-number] + + + This column may only be non-empty if the SOURCE is the + firewall itself. + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + user and/or group + specified (or is NOT running under that id if "!" is given). + + Examples: + + + + joe + + + program must be run by joe + + + + + :kids + + + program must be run by a member of the 'kids' + group + + + + + !:kids + + + program must not be run by a member of the 'kids' + group + + + + + + MARK - [!]value[/mask][ + + EXAMPLE + + Mark the first incoming packet of a connection on the loopback + interface and destined for address 127.0.0.1 and tcp port 3306 with + context system_u:object_r:mysqld_t:s0 and save that context in the + conntrack table. On subsequent input packets in the connection, set the + context from the conntrack table. + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +- lo - ignore + + /etc/shorewall/secmarks: + + #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK +# STATE PORT(S) PORT(S) GROUP +system_u:object_r:mysqld_t:s0 I:N lo 127.0.0.1 tcp 3306 +SAVE I:N lo 127.0.0.1 tcp 3306 +RESTORE I:E + + FILES
diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml
index 314590655..8735c6b60 100644
--- a/manpages6/shorewall6-secmarks.xml
+++ b/manpages6/shorewall6-secmarks.xml
@@ -24,7 +24,7 @@ Description The secmarks file is used to associate an SELinux context with - packets. + packets. It was added in Shorewall6 version 4.4.13. The columns in the file are as follows.
@@ -66,7 +66,8 @@ - CHAIN - {P|I|F|O|T} + CHAIN - + {P|I|F|O|T}[:{N|E|ER}]
@@ -80,6 +81,18 @@ T - POSTROUTING + + It may be optionally followed by a colon and an indication of + the connection state(s) at which the context is to be + applied: + + + :N - NEW connection + + :E - ESTABLISHED connection + + :ER - ESTABLISHED or RELATED connection +
@@ -102,7 +115,7 @@ A comma-separated list of host or network IP addresses or - MAC addresses. + MAC addresses.
@@ -206,6 +219,52 @@ + + USER (Optional) - [!][user-name-or-number][:group-name-or-number] + + + This column may only be non-empty if the SOURCE is the + firewall itself. + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + user and/or group + specified (or is NOT running under that id if "!" is given). + + Examples: + + + + joe + + + program must be run by joe + + + + + :kids + + + program must be run by a member of the 'kids' + group + + + + + !:kids + + + program must not be run by a member of the 'kids' + group + + + + + + MARK - [!]value[/mask][ + + EXAMPLE + + Mark the first incoming packet of a connection on the loopback + interface and destined for address ::1 and tcp port 3306 with context + system_u:object_r:mysqld_t:s0 and save that context in the conntrack + table. On subsequent input packets in the connection, set the context from + the conntrack table. + + /etc/shorewall6/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +- lo - ignore + + /etc/shorewall6/secmarks: + + #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK +# STATE PORT(S) PORT(S) GROUP +system_u:object_r:mysqld_t:s0 I:N lo ::1 tcp 3306 +SAVE I:N lo ::1 tcp 3306 +RESTORE I:E + + FILES