From: Priit Järv <priit@cc.ttu.ee>
To: freebsd-security@freebsd.org
Date: Sun, 28 Apr 2013 15:20:53 +0300 (EEST)
Subject: setfsmac and LOMAC aux grades - inconsistent behaviour

A bit of background: I've been experimenting with LOMAC labels on a
9.1-RELEASE test system. To get the dynamic IP assigned to the machine, I
tried the following recipe: set the label for /sbin/dhclient to
lomac/high[low]. This gets the job done, but there were a few problems:
first of all, this label does not seem to persist after a reboot - I have
not yet found a reasonable explanation for this. However, that would not
be an issue, as it seems a LOMAC/MLS setup would need a script at boot
time to update the labels anyway - the /dev filesystem needs them too.

When running a script to set the labels from /etc/rc.d I ran into the
following problem. Here's the relevant part of the script:

    check_startmsgs && echo -n "Setting MAC policy: "
    # show the process label and identity the script runs with
    getpmac
    id
    ls -lZ /sbin/dhclient
    # apply the labels from the policy file, running setfsmac under an
    # "equal" process label
    /usr/sbin/setpmac lomac/equal,mls/equal \
        /usr/sbin/setfsmac -v -ef /usr/home/test/mac.policy /
    ls -lZ /sbin/dhclient
    # set the same label directly with setfmac, for comparison
    setfmac lomac/high\[low\] /sbin/dhclient
    ls -lZ /sbin/dhclient
    check_startmsgs && echo '.'
It produces the following output on boot:

    Setting MAC policy: lomac/high(low-high),mls/low(low-high)
    uid=0(root) gid=0(wheel) groups=0(wheel)
    -r-xr-xr-x  1 root  wheel  lomac/high,mls/low  93616 Dec  4 11:33 /sbin/dhclient
    setfsmac: /usr/home/test/mac.policy: read 1 specifications
    /sbin/dhclient matched by (^/sbin/dhclient$,lomac/high[low])
    -r-xr-xr-x  1 root  wheel  lomac/high,mls/low  93616 Dec  4 11:33 /sbin/dhclient
    -r-xr-xr-x  1 root  wheel  lomac/high[low],mls/low  93616 Dec  4 11:33 /sbin/dhclient
    .

As you can see, the setfsmac command fails to set the aux grade (but
doesn't give an error); the following setfmac command succeeds.

The file mac.policy contains just this:

    /sbin/dhclient lomac/high[low]

Normally, one would suspect that something is wrong with the syntax in
this file. After all, setfmac and setfsmac are essentially the same
program. However, when logged in as root, running the same script results
in the label being set correctly by the setfsmac command.

I can only conclude that in the case described above, mac_set_file(), as
called by setfsmac, does not return an error but does not set the label
either. There does not seem to be a scenario where the call would fail and
setfsmac would be silent about it.

I've also experimented with setting other labels this way and that
appeared to work normally (skipping the detailed results to keep things
brief). The only case of failure I found was setting a LOMAC aux grade, by
setfsmac, from a boot-time script.

To avoid any misunderstanding, the issue here is the ability to set the
aux grade on the binary. Getting the IP configured was just the way I
stumbled into this and can of course be handled in other ways.

Also, it is probably obvious from the above script listing, but the files
sit on the / filesystem, which has multilabel set. The lomac and mls
modules are loaded.

Priit.
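The report above shows setfsmac returning success while the LOMAC aux grade was not applied, so a boot-time script should not trust the exit status of setfsmac(8)/setfmac(8) alone but read the label back with getfmac(8) and compare whole label elements. The following is an added example written for this page, not code from the original message or from FreeBSD. It assumes getfmac prints one line of the form "<path>: <label>" and that the label is a comma-separated list of elements such as "lomac/high[low]"; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original message: set a MAC label element on
# a file and confirm it by reading the label back with getfmac(8), instead of
# trusting the exit status of setfmac(8)/setfsmac(8), which the report above
# shows can be zero while the LOMAC aux grade was not applied.
#
# Assumptions: getfmac(8) prints "<path>: <label>" on one line, and the label
# is a comma-separated list of elements such as "lomac/high[low]". The
# function names are this example's own.

# label_has LABEL ELEMENT: succeed if ELEMENT is one of the comma-separated
# elements of LABEL. Compares whole elements, so asking for "lomac/high" does
# not accept "lomac/high[low]" (a plain grep would). Uses parameter expansion
# only, so "[low]" is never subject to word splitting or glob expansion.
label_has() {
    _rest="$1,"
    while [ -n "$_rest" ]; do
        _elem=${_rest%%,*}
        _rest=${_rest#*,}
        [ "$_elem" = "$2" ] && return 0
    done
    return 1
}

# label_from_getfmac LINE: strip the "<path>: " prefix from a getfmac(8)
# output line, leaving only the label text.
label_from_getfmac() {
    printf '%s\n' "${1#*: }"
}

# set_and_verify PATH ELEMENT: set ELEMENT on PATH with setfmac(8), then read
# the label back and return 2 if ELEMENT is not actually present. The same
# read-back check can follow a setfsmac(8) run over a policy file.
set_and_verify() {
    _path=$1
    _want=$2
    setfmac "$_want" "$_path" || return 1
    _line=$(getfmac "$_path") || return 1
    _got=$(label_from_getfmac "$_line")
    if label_has "$_got" "$_want"; then
        return 0
    fi
    printf '%s: expected %s, have "%s"\n' "$_path" "$_want" "$_got" >&2
    return 2
}

# Usage: sh verify_label.sh /sbin/dhclient 'lomac/high[low]'
if [ $# -ge 2 ]; then
    set_and_verify "$1" "$2"
fi
```

Run from an rc.d script after the setfsmac step; a non-zero exit status from set_and_verify is the signal that the label silently did not land, which is exactly the condition the report could only detect by eye in the ls -lZ output.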