SELinux with IPSec - something going on ?

SELinux with IPSec - something going on ?

[Rusinsky Stanislas Herman W. A.]

Hello,

after taking a look at the NSA site I wondered if any work has been made
to integrate IPSec with SELinux.

Is there any draft or specification on what has to be done exactly?

Stanislas.


-- 
One world, One web, One program -- Microsoft ad
Ein volk, Ein Reich, Ein Fuhrer -- Adolf Hitler


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux with IPSec - something going on ?

[Stephen Smalley]

On Sun, 2003-11-16 at 10:42, Rusinsky Stanislas Herman W. A. wrote:
> Hello,
> 
> after taking a look at the NSA site I wondered if any work has been made
> to integrate IPSec with SELinux.
> 
> Is there any draft or specification on what has to be done exactly?

Integration of IPSEC with Flask (a research prototype that preceded
SELinux) is described in
http://www.cs.utah.edu/flux/papers/ajay-thesis-abs.html.

We have not done any work on integrating SELinux with IPSEC yet; at this
point, such work would presumably be done based on the new Linux 2.6
IPSEC implementation.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux with IPSec - something going on ?

[Rusinsky Stanislas Herman W. A.]

[-- Attachment #1: Type: text/plain, Size: 621 bytes --]

Hello,

Thank you for your advices, I'll see if there is something I can do with
it,

regards,

Stanislas.

> Integration of IPSEC with Flask (a research prototype that preceded
> SELinux) is described in
> http://www.cs.utah.edu/flux/papers/ajay-thesis-abs.html.
> 
> We have not done any work on integrating SELinux with IPSEC yet; at this
> point, such work would presumably be done based on the new Linux 2.6
> IPSEC implementation.
-- 
###########################################

The truth is rarely pure, and never simple.
        -- Oscar Wilde

###########################################

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

RE: where to download LSM-patched 2.4

[samwun]

Dear all,

Where can I download LSM-patched 2.4 for lsm-2.4-selinux-2003040709.tgz
kernel source?

Before I used LSM 2.4 selinux source, I encountered problem when I was
trying to install SELinux.
The problem is the SELinux kernel is able to loaded up after a reboot,
but
whenever issuing a command
"ls --context" or whatever other SELinx related command options, it
always
said that the command ooptions needs SELinux kernel to support,  but I
have
verified the /var/log/messages file and uname command telling the
SELinux
kernel is loaded successfully. What could be missing from my
installation?

That's why I decided to use LSM selinux source instead the one from
http://www.nsa.gov/selinux/download.html

I downloaded LSM source from
http://www.hakin9.org/fr/attachments/nr1/materials/selinux/download/

What are the difference between the LSM source with the one from nsa?

Is there any updated document about how to install selinux on kernel
2.4?

Thanks
Sam



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: where to download LSM-patched 2.4

[Russell Coker]

On Wed, 19 Nov 2003 23:23, "samwun" <samwun@hgcbroadband.com> wrote:
> Before I used LSM 2.4 selinux source, I encountered problem when I was
> trying to install SELinux.
> The problem is the SELinux kernel is able to loaded up after a reboot,
> but
> whenever issuing a command
> "ls --context" or whatever other SELinx related command options, it
> always
> said that the command ooptions needs SELinux kernel to support,  but I
> have

The most likely explanation for this is that the version of the SE Linux 
kernel code and the version of the user-space code does not match.  There are 
two major versions of SE Linux in use, the old SE Linux has 52 system calls 
multiplexed over the LSM system call.  The new SE Linux uses XATTR's and file 
read/write operations on selinuxfs and /proc/pid/attr/*.  As the operation of 
these versions of SE Linux is very different there are no programs that can 
support both (it would be possible to write a program that supports both, but 
no-one has done so).

Does /proc/filesystems have an entry for "selinuxfs"?  If so you are running 
the kernel for the new SE Linux, if not then you are running the old SE 
Linux.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: where to download LSM-patched 2.4

[samwun]

I found that command "make install" failed in selinux 2.6 kernel source:

# make install
make[1]: `arch/i386/kernel/asm-offsets.s' is up to date.
  CHK     include/linux/compile.h
Kernel: arch/i386/boot/bzImage is ready
sh /usr/local/linux-2.6/arch/i386/boot/install.sh 2.6.0-test6-selinux1
arch/i386/boot/bzImage System.map ""
No module advansys found for kernel 2.6.0-test6-selinux1
mkinitrd failed
make[1]: *** [install] Error 1
make: *** [install] Error 2
#

After finished make install, I also found the new kernel 2
.6.0-test6-selinux1 is populated in the /boot directory. I changed
/etc/lilo.conf to as follow:

prompt
timeout=50
default=linux
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message
linear
 
image=/boot/vmlinuz-2.6.0-test6-selinux1
        label=selinux2.6
        initrd=/boot/initrd-2.4.20-8.img
        read-only
        append="root=/dev/hda7"
Note, hda7 is my / partition.

Then I did a lilo -v, and reboot.
But new kernel caused panic.

What should I do to fix this problem? 


-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of Russell Coker
Sent: Wednesday, November 19, 2003 9:41 PM
To: samwun; 'SELinux ML'
Subject: Re: where to download LSM-patched 2.4

On Wed, 19 Nov 2003 23:23, "samwun" <samwun@hgcbroadband.com> wrote:
> Before I used LSM 2.4 selinux source, I encountered problem when I was
> trying to install SELinux.
> The problem is the SELinux kernel is able to loaded up after a reboot,
> but
> whenever issuing a command
> "ls --context" or whatever other SELinx related command options, it
> always
> said that the command ooptions needs SELinux kernel to support,  but I
> have

The most likely explanation for this is that the version of the SE Linux

kernel code and the version of the user-space code does not match.
There are 
two major versions of SE Linux in use, the old SE Linux has 52 system
calls 
multiplexed over the LSM system call.  The new SE Linux uses XATTR's and
file 
read/write operations on selinuxfs and /proc/pid/attr/*.  As the
operation of 
these versions of SE Linux is very different there are no programs that
can 
support both (it would be possible to write a program that supports
both, but 
no-one has done so).

Does /proc/filesystems have an entry for "selinuxfs"?  If so you are
running 
the kernel for the new SE Linux, if not then you are running the old SE 
Linux.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux
packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: where to download LSM-patched 2.4

[Russell Coker]

On Thu, 20 Nov 2003 14:49, "samwun" <samwun@hgcbroadband.com> wrote:
> I found that command "make install" failed in selinux 2.6 kernel source:
>
> # make install
> make[1]: `arch/i386/kernel/asm-offsets.s' is up to date.
>   CHK     include/linux/compile.h
> Kernel: arch/i386/boot/bzImage is ready
> sh /usr/local/linux-2.6/arch/i386/boot/install.sh 2.6.0-test6-selinux1
> arch/i386/boot/bzImage System.map ""
> No module advansys found for kernel 2.6.0-test6-selinux1

This is a problem with the kernel build proceedure not with SE Linux as such.  
Generally you want to follow the usual proceedures for building a kernel 
package for your OS but have the SE Linux options enabled.  This has been 
tested to work with both Debian and Red Hat kernel images.

I suggest that as a first step you build a kernel without SE Linux.  Once you 
get that working you can then move on to getting SE Linux working.  The 
changes from 2.4.20 to 2.6.0 are immense and you can expect your first 
attempt to not be successful regardles of SE Linux.

Probably the best thing to do is to ask for help at your local Linux Users 
Group.

> image=/boot/vmlinuz-2.6.0-test6-selinux1
>         label=selinux2.6
>         initrd=/boot/initrd-2.4.20-8.img

That would not work because a 2.6.0 kernel can not load modules from a 2.4.20 
kernel.  You have to create an initrd for 2.6.0-test6 or build a kernel that 
does not need an initrd.

Recently I have ceased using initrd's on my machines.  The range of hardware 
that I own is not large enough to justify an initrd so I just compile in 
every driver that may be needed for booting any of my machines.  It makes 
things a lot easier to manage.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: where to download LSM-patched 2.4

[Stephen Smalley]

On Wed, 2003-11-19 at 07:23, samwun wrote:
> Where can I download LSM-patched 2.4 for lsm-2.4-selinux-2003040709.tgz
> kernel source?

That was from the April 2003 release of the old LSM-based SELinux.  If
you want the last released code of the old LSM-based SELinux, you can
obtain it from http://www.nsa.gov/selinux/download1.html.  Aside from
certain historical versions, older releases are not provided on the NSA
site.

> The problem is the SELinux kernel is able to loaded up after a reboot,
> but
> whenever issuing a command
> "ls --context" or whatever other SELinx related command options, it
> always
> said that the command ooptions needs SELinux kernel to support,  but I
> have
> verified the /var/log/messages file and uname command telling the
> SELinux
> kernel is loaded successfully. What could be missing from my
> installation?

Failure to load an initial policy?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux with IPSec - something going on ?

[Sead Muftic]

Stanislas:

We (in the Computer Security Institute of GWU) have activated labeling
option of IPSec and used it by SELinux at the receiving end for RBAC.
We also worked out all necessary PT specifications, so we have the first
operational version of network security system based on combination
of IPSec + SELinux.

We are currently making the second round through this development in order
to make it easily installable.

Regards,

Sead Muftic
Research Director
CSPRI/GWU

------------------------------------------------------------------------

>after taking a look at the NSA site I wondered if any work has been made
>to integrate IPSec with SELinux.
>
>Is there any draft or specification on what has to be done exactly?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux with IPSec - something going on ?

[Park Lee]

[-- Attachment #1: Type: text/plain, Size: 539 bytes --]

On 2003-11-17 at 14:37 Stephen Smalley wrote:
 
>We have not done any work on integrating SELinux with IPSEC yet;
>at this point, such work would presumably be done based on the new
>Linux 2.6 IPSEC implementation.
 
Now, 11 months have passed, has any work been made to integrate IPSec with SELinux?
I also want to see if there is something I can do with it.
 
Thanks.


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






		
---------------------------------
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.

[-- Attachment #2: Type: text/html, Size: 1022 bytes --]

Re: SELinux with IPSec - something going on ?

[Luke Kenneth Casson Leighton]

someone from ibm mentioned a few weeks back that they have been working
on IPsec.

On Sun, Oct 24, 2004 at 02:30:14AM -0700, Park Lee wrote:
> On 2003-11-17 at 14:37 Stephen Smalley wrote:
>  
> >We have not done any work on integrating SELinux with IPSEC yet;
> >at this point, such work would presumably be done based on the new
> >Linux 2.6 IPSEC implementation.
>  
> Now, 11 months have passed, has any work been made to integrate IPSec with SELinux?
> I also want to see if there is something I can do with it.
>  
> Thanks.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux with IPSec - something going on ?

[petre rodan]

[-- Attachment #1.1: Type: text/plain, Size: 760 bytes --]


Hi,

here is a fresh ipsec-tools [1] policy made for gentoo.
works flawlessly with my setup [2] (the doc is work in progress).

[1] http://ipsec-tools.sourceforge.net/
[2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-howto.html

is this usable for any of you?

bye,
peter

Park Lee wrote:
> On 2003-11-17 at 14:37 Stephen Smalley wrote:
>  
>  >We have not done any work on integrating SELinux with IPSEC yet;
>  >at this point, such work would presumably be done based on the new
>  >Linux 2.6 IPSEC implementation.
>  
> Now, 11 months have passed, has any work been made to integrate IPSec 
> with SELinux?
> I also want to see if there is something I can do with it.
>  
> Thanks.
> 

--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: racoon.fc --]
[-- Type: text/plain, Size: 458 bytes --]


/etc/ipsec\.conf	--	system_u:object_r:setkey_conf_file_t
/etc/racoon(/.*)?		system_u:object_r:racoon_conf_file_t
/etc/racoon/certs(/.*)?		system_u:object_r:racoon_key_file_t
/etc/racoon/psk\.txt	--	system_u:object_r:racoon_key_file_t

/usr/sbin/racoon	--	system_u:object_r:racoon_exec_t
/usr/sbin/setkey	--	system_u:object_r:setkey_exec_t

/var/run/pluto\.ctl	-s	system_u:object_r:racoon_var_run_t
/var/run/racoon\.pid	--	system_u:object_r:racoon_var_run_t

[-- Attachment #1.3: racoon.te --]
[-- Type: text/plain, Size: 1168 bytes --]

#DESC ipsec-tools
#
# Author: petre rodan <kaiowas@gentoo.org>


daemon_base_domain(racoon, `, privlog')

type racoon_conf_file_t, file_type, sysadmfile;
type racoon_key_file_t, file_type, sysadmfile;

var_run_domain(racoon)
read_locale(racoon_t)
can_network(racoon_t)

allow racoon_t self:capability { net_admin net_bind_service };

r_dir_file(racoon_t, racoon_conf_file_t)
r_dir_file(racoon_t, racoon_key_file_t)


daemon_domain(setkey)

type setkey_conf_file_t, file_type, sysadmfile;


define(`setkey_domain', `

uses_shlib($1_t)
read_locale($1_t)

allow $1_t self:capability { net_admin };
allow $1_t setkey_conf_file_t:file r_file_perms;

') dnl end setkey_domain


define(`setkey_userdomain', `

# derived domain based on the calling user domain
type $1_setkey_t, domain;

domain_auto_trans($1_t, setkey_exec_t, $1_setkey_t)
role $1_r types $1_setkey_t;

setkey_domain($1_setkey)

# this is why there is a setkey_userdomain :)
allow $1_setkey_t { $1_tty_device_t $1_devpts_t }:chr_file { getattr read write };
allow $1_setkey_t privfd:fd use;
') dnl end setkey_userdomain


# one for initrc
setkey_domain(setkey)

# and one for sysadm
setkey_userdomain(sysadm)

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: SELinux with IPSec - something going on ?

[Stephen Smalley]

On Mon, 2004-10-25 at 11:51, petre rodan wrote:
> Hi,
> 
> here is a fresh ipsec-tools [1] policy made for gentoo.
> works flawlessly with my setup [2] (the doc is work in progress).
> 
> [1] http://ipsec-tools.sourceforge.net/
> [2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-howto.html
> 
> is this usable for any of you?

Thanks for making it available.  However, just to clarify, the original
question had to do with integration of SELinux and IPSEC for the purpose
of labeling and protecting network packets in accordance with security
policy, as was done in research predecessors of SELinux (Flask and
DTOS).  Trent is doing work in that area, as he noted.  That is
independent of providing policy for IPSEC userland components (which is
also certainly useful).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux with IPSec - something going on ?

[Stanislas Rusinsky]

I had to postpone my work so I ain't done much since
last year. At all events it is still on my 'wish
list'.

Stephen: in your mail to Alexis Wagner (subject: '
Re: network object',  12 Aug 2004) you say there was a
debate on implicit labeling vs. explicit labeling, has
ther been any conclusion to it ? 

Luke: The person at IBM was Trent Jaeger.

Stanislas.


	

	
		
Vous manquez d’espace pour stocker vos mails ? 
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/

Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A télécharger gratuitement sur http://fr.messenger.yahoo.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux with IPSec - something going on ?

[Trent Jaeger]

[-- Attachment #1: Type: text/plain, Size: 1649 bytes --]

Hi,

Yes, we are working on integration of IPSec with SELinux.  Hope to have 
something for the community soon.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225




Stanislas Rusinsky <rusinskystanislas@yahoo.fr>
Sent by: owner-selinux@tycho.nsa.gov
10/25/2004 06:10 AM
 
        To:     Luke Kenneth Casson Leighton <lkcl@lkcl.net>
        cc:     SELinux ml <SELinux@tycho.nsa.gov>, Stephen Smalley 
<sds@epoch.ncsc.mil>, Park Lee <parklee_sel@yahoo.com>
        Subject:        Re: SELinux with IPSec - something going on ?


I had to postpone my work so I ain't done much since
last year. At all events it is still on my 'wish
list'.

Stephen: in your mail to Alexis Wagner (subject: '
Re: network object',  12 Aug 2004) you say there was a
debate on implicit labeling vs. explicit labeling, has
ther been any conclusion to it ?

Luke: The person at IBM was Trent Jaeger.

Stanislas.






Vous manquez d?espace pour stocker vos mails ?
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/

Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés 
pour dialoguer instantanément avec vos amis. A télécharger gratuitement 
sur http://fr.messenger.yahoo.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov 
with
the words "unsubscribe selinux" without quotes as the message.

[-- Attachment #2: Type: text/html, Size: 2806 bytes --]

Re: SELinux with IPSec - something going on ?

[Philip Leo]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=us-ascii, Size: 538 bytes --]

On Mon, 25 Oct 2004 at 10:59, Trent Jaeger wrote:
>Yes, we are working on integration of IPSec with SELinux.  Hope
>to have something for the community soon. 

Could you please tell us what Linux IPsec implementation you are using? Is it FreeS/WAN?
Is Fedora Core itself include an IPsec implementation? or does it use a third-party Linux IPsec implementation?


--
Best regards,
Philip Leo  <phlpleo@yahoo.com> 



				
---------------------------------
Do you Yahoo!?
 Yahoo! Mail – CNET Editors' Choice 2004.  Tell them what you think.

[-- Attachment #2: Type: text/html, Size: 868 bytes --]

Re: SELinux with IPSec - something going on ?

[Trent Jaeger]

[-- Attachment #1: Type: text/plain, Size: 1449 bytes --]

Sure.

Linux 2.6 implements IPSec via a xfrm (pronounced 'transform') subsystem 
(part of mainline kernel).

Basically, you can define 'protocols' that may transform packets upon 
receipt or prior to send.  IPSec protocols for transform packets using ah 
and esp are included in the kernel. 

We hook into the xfrm subsystem and/or use the xfrm data structures to 
leverage IPSec security associations.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225




Philip Leo <phlpleo@yahoo.com>
10/26/2004 11:04 AM
 
        To:     Trent Jaeger/Watson/IBM@IBMUS
        cc:     SELinux@tycho.nsa.gov, sds@epoch.ncsc.mil, lkcl@lkcl.net, 
rusinskystanislas@yahoo.fr, parklee_sel@yahoo.com
        Subject:        Re: SELinux with IPSec - something going on ?



On Mon, 25 Oct 2004 at 10:59, Trent Jaeger wrote:
>Yes, we are working on integration of IPSec with SELinux.  Hope
>to have something for the community soon. 
Could you please tell us what Linux IPsec implementation you are using? Is 
it FreeS/WAN?
Is Fedora Core itself include an IPsec implementation? or does it use a 
third-party Linux IPsec implementation?


--
Best regards,
Philip Leo  <phlpleo@yahoo.com> 


Do you Yahoo!?
Yahoo! Mail ? CNET Editors' Choice 2004.  Tell them what you think. 

[-- Attachment #2: Type: text/html, Size: 2816 bytes --]

Re: SELinux with IPSec - something going on ?

[Park Lee]

[-- Attachment #1: Type: text/plain, Size: 303 bytes --]

Hi Trent,
 
As I know that FreeS/WAN is no longer in active development. 
How about transfer to Openswan? Is it feasible?
 
Thanks,
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






		
---------------------------------
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.

[-- Attachment #2: Type: text/html, Size: 747 bytes --]

Re: SELinux with IPSec - something going on ?

[Trent Jaeger]

[-- Attachment #1: Type: text/plain, Size: 841 bytes --]

As Openswan 2 uses the native IPSec implementation of the Linux kernel 
(although it can use others), my impression is that using Openswan should 
also be feasible.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225




Park Lee <parklee_sel@yahoo.com>
10/26/2004 01:35 PM
 
        To:     Trent Jaeger/Watson/IBM@IBMUS
        cc:     SELinux@tycho.nsa.gov
        Subject:        Re: SELinux with IPSec - something going on ?



Hi Trent,
 
As I know that FreeS/WAN is no longer in active development. 
How about transfer to Openswan? Is it feasible?
 
Thanks,
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 


Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish. 

[-- Attachment #2: Type: text/html, Size: 2228 bytes --]

Re: SELinux with IPSec - something going on ?

[Park Lee]

[-- Attachment #1: Type: text/plain, Size: 658 bytes --]

Hi Trent,
 
on Tue, 26 Oct 2004 at 14:01, you wrote:
>As Openswan 2 uses the native IPSec implementation of the Linux 
>kernel (although it can use others), my impression is that using 
>Openswan should also be feasible. 


In addition to Openswan, there are other IPsec userland tools such as IPsec-Tools. Then, if we use the native IPsec implementation of the Linux kernel plus IPsec-Tools, Do you think it is feasible too?
 
Thanks again.
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 1288 bytes --]

Re: SELinux with IPSec - something going on ?

[Trent Jaeger]

[-- Attachment #1: Type: text/plain, Size: 1352 bytes --]

We use IPSec Tools -- right now, some modest changes in userland tools 
indicate the sid of the security association.  Maybe this can be done 
another way, like relabeling files, so perhaps no userland changes are 
necessary at all.  Different userland tools should not be a big deal.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225




Park Lee <parklee_sel@yahoo.com>
10/28/2004 12:40 PM
 
        To:     Trent Jaeger/Watson/IBM@IBMUS
        cc:     SELinux@tycho.nsa.gov
        Subject:        Re: SELinux with IPSec - something going on ?



Hi Trent,
 
on Tue, 26 Oct 2004 at 14:01, you wrote:

>As Openswan 2 uses the native IPSec implementation of the Linux 
>kernel (although it can use others), my impression is that using 
>Openswan should also be feasible. 
In addition to Openswan, there are other IPsec userland tools such as 
IPsec-Tools. Then, if we use the native IPsec implementation of the Linux 
kernel plus IPsec-Tools, Do you think it is feasible too?
 
Thanks again.
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 2811 bytes --]

Re: SELinux with IPSec - something going on ?

[Philip Leo]

[-- Attachment #1: Type: text/plain, Size: 584 bytes --]

On Tue, 26 Oct 2004 at 14:01, Trent Jaeger wrote:
 
>As Openswan 2 uses the native IPSec implementation of the Linux
>kernel (although it can use others), my impression is that using 
>Openswan should also be feasible. 

Since there is already a native IPSec implementation in the Linux kernel, can we use it directly? why should we still use other Linux IPsec implementations such as Openswan, FreeS/WAN,etc ?
 
Thanks



--
Best regards,
Philip Leo  <phlpleo@yahoo.com> 



		
---------------------------------
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.

[-- Attachment #2: Type: text/html, Size: 1010 bytes --]

Re: SELinux with IPSec - something going on ?

[Park Lee]

[-- Attachment #1: Type: text/plain, Size: 446 bytes --]

Hi,
 
I also intend to do some work on Integrating IPSEC with network mandatory controls. I'd like to know how many parts this work may include? what these parts respectively are? and what about the workload for doing it?
 
Thanks.


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 823 bytes --]

Re: SELinux with IPSec - something going on ?

[Trent Jaeger]

[-- Attachment #1: Type: text/plain, Size: 1175 bytes --]

Hi,

There are kernel and user-space parts, and the user-space parts may differ 
depend on infrastructure (we use ipsec-tools). 

We have submitted some kernel network control integrated with SELinux to 
Stephen and James Morris, and we are addressing comments.  Plan to revise 
soon -- then we can discuss further work.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225




Park Lee <parklee_sel@yahoo.com>
11/05/2004 04:04 AM
 
        To:     selinux@tycho.nsa.gov, Trent Jaeger/Watson/IBM@IBMUS
        cc: 
        Subject:        Re: SELinux with IPSec - something going on ?



Hi,
 
I also intend to do some work on Integrating IPSEC with network mandatory 
controls. I'd like to know how many parts this work may include? what 
these parts respectively are? and what about the workload for doing it?
 
Thanks.


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 2559 bytes --]

Re: SELinux with IPSec - something going on ?

[Park Lee]

[-- Attachment #1: Type: text/plain, Size: 902 bytes --]

On Tue, 26 Oct 2004 at 11:23, Trent Jaeger wrote:
>Linux 2.6 implements IPSec via a xfrm (pronounced 'transform') 
>subsystem (part of mainline kernel). 
>Basically, you can define 'protocols' that may transform packets upon 
>receipt or prior to send.  IPSec protocols for transform packets using 
>ah and esp are included in the kernel.   
>We hook into the xfrm subsystem and/or use the xfrm data structures 
>to leverage IPSec security associations.
 
I've search 'xfrm' through google, but I wouldn't find much usefull stuff about xfrm. would you please give me some hints on where can I find more information about xfrm ( such as the descriptions of  structures or functions of xfrm, its principles, etc.)
 
Thank you very much.
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






			
---------------------------------
Do you Yahoo!?
 Check out the new Yahoo! Front Page. www.yahoo.com

[-- Attachment #2: Type: text/html, Size: 1396 bytes --]

Re: SELinux with IPSec - something going on ?

[Trent Jaeger]

[-- Attachment #1: Type: text/plain, Size: 1518 bytes --]

Hi,

The xfrm code is based on the USAGI work: http://www.linux-ipv6.org/

Here is a paper on the work: 
http://hiroshi1.hongo.wide.ad.jp/hiroshi/papers/SAINT2004_kanda-ipsec.pdf

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225




Park Lee <parklee_sel@yahoo.com>
Sent by: owner-selinux@tycho.nsa.gov
11/07/2004 01:33 PM
 
        To:     Trent Jaeger/Watson/IBM@IBMUS
        cc:     jmorris@intercode.com.au, SELinux@tycho.nsa.gov
        Subject:        Re: SELinux with IPSec - something going on ?



On Tue, 26 Oct 2004 at 11:23, Trent Jaeger wrote:
>Linux 2.6 implements IPSec via a xfrm (pronounced 'transform') 
>subsystem (part of mainline kernel). 
>Basically, you can define 'protocols' that may transform packets upon 
>receipt or prior to send.  IPSec protocols for transform packets using 
>ah and esp are included in the kernel.   
>We hook into the xfrm subsystem and/or use the xfrm data structures 
>to leverage IPSec security associations.
 
I've search 'xfrm' through google, but I wouldn't find much usefull stuff 
about xfrm. would you please give me some hints on where can I find more 
information about xfrm ( such as the descriptions of  structures or 
functions of xfrm, its principles, etc.)
 
Thank you very much.
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 


Do you Yahoo!?
Check out the new Yahoo! Front Page. www.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 3411 bytes --]

Re: SELinux with IPSec - something going on ?

[Trent Jaeger]

[-- Attachment #1: Type: text/plain, Size: 1440 bytes --]

Also this paper from the Linux Symposium: 
http://www.finux.org/Reprints/Reprint-Miyazawa-OLS2004.pdf
Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225




Park Lee <parklee_sel@yahoo.com>
Sent by: owner-selinux@tycho.nsa.gov
11/07/2004 01:33 PM
 
        To:     Trent Jaeger/Watson/IBM@IBMUS
        cc:     jmorris@intercode.com.au, SELinux@tycho.nsa.gov
        Subject:        Re: SELinux with IPSec - something going on ?



On Tue, 26 Oct 2004 at 11:23, Trent Jaeger wrote:
>Linux 2.6 implements IPSec via a xfrm (pronounced 'transform') 
>subsystem (part of mainline kernel). 
>Basically, you can define 'protocols' that may transform packets upon 
>receipt or prior to send.  IPSec protocols for transform packets using 
>ah and esp are included in the kernel.   
>We hook into the xfrm subsystem and/or use the xfrm data structures 
>to leverage IPSec security associations.
 
I've search 'xfrm' through google, but I wouldn't find much usefull stuff 
about xfrm. would you please give me some hints on where can I find more 
information about xfrm ( such as the descriptions of  structures or 
functions of xfrm, its principles, etc.)
 
Thank you very much.
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 


Do you Yahoo!?
Check out the new Yahoo! Front Page. www.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 3143 bytes --]

Re: SELinux with IPSec - something going on ?

[Park Lee]

[-- Attachment #1: Type: text/plain, Size: 715 bytes --]

On  Tue, 26 Oct 2004 at 11:23, Trent Jaeger wrote:
> We hook into the xfrm subsystem and/or use the xfrm data 
> structures to leverage IPSec security associations.
 
Then, what items should we add to IPsec security association? Is it still ( source socket security context, destination socket security context, packet security context ) tuple as described in IMPLEMENTING MANDATORY NETWORK SECURITY IN A POLICY-FLEXIBLE SYSTEM (http://www.cs.utah.edu/flux/papers/ajay-thesis-abs.html) .
 
Thank you.


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 1165 bytes --]

Re: SELinux with IPSec - something going on ?

[Trent Jaeger]

[-- Attachment #1: Type: text/plain, Size: 1339 bytes --]

Hi,

Yes, this is the same idea.

We add the packet security context to the xfrm_state structure (sa) and 
authorize the socket's ability to send/receive these contexts to achieve 
the tuple.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225




Park Lee <parklee_sel@yahoo.com>
11/10/2004 09:45 PM
 
        To:     Trent Jaeger/Watson/IBM@IBMUS
        cc:     sds@epoch.ncsc.mil, SELinux@tycho.nsa.gov
        Subject:        Re: SELinux with IPSec - something going on ?



On  Tue, 26 Oct 2004 at 11:23, Trent Jaeger wrote:
> We hook into the xfrm subsystem and/or use the xfrm data 
> structures to leverage IPSec security associations.
 
Then, what items should we add to IPsec security association? Is it still 
( source socket security context, destination socket security context, 
packet security context ) tuple as described in IMPLEMENTING MANDATORY 
NETWORK SECURITY IN A POLICY-FLEXIBLE SYSTEM (
http://www.cs.utah.edu/flux/papers/ajay-thesis-abs.html) .
 
Thank you.


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

[-- Attachment #2: Type: text/html, Size: 2869 bytes --]

Re: SELinux with IPSec - something going on ?

[Park Lee]

[-- Attachment #1: Type: text/plain, Size: 1384 bytes --]

On Wed, 10 Nov 2004 at 22:00, Trent Jaeger wrote:
> Yes, this is the same idea. 
>
> We add the packet security context to the xfrm_state structure 
> (sa) and authorize the socket's ability to send/receive these 
> contexts to achieve the tuple. 

Thanks,
Do you only add packet security context to SA? 
 
But, On Tue, 09 Nov 2004 at 10:39, Mr. Stephen Smalley sds@epoch.ncsc.mil  wrote in the letter "Re: Issue on getting security context of socket and message " :
>  Remember that most of the LSM networking security fields and 
> hooks were rejected by the mainline kernel, so only limited
> support exists in the current SELinux and there is no message 
> labeling at all.
 
Then, Is SELinux now really support the packet security context for packet ? 
If it support, where could we store the packet security context, when it is associated with a package ? In the package itself ?   
And, as for the ( source socket security context, destination socket security context, packet security context ) tuple, we can obtain the security context of a socket via the security field of its associated inode. but how can we decide on the destination socket security context and the packet security context ?
 
Thanks a lot,


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






			
---------------------------------
Do you Yahoo!?
 Check out the new Yahoo! Front Page. www.yahoo.com

[-- Attachment #2: Type: text/html, Size: 2347 bytes --]

Re: SELinux with IPSec - something going on ?

[Park Lee]

On 2004-10-25 at 15:51, petre rodan wrote:
> Hi,
> here is a fresh ipsec-tools [1] policy made for 
> gentoo. works flawlessly with my setup [2] (the doc 
> is work in progress).
> 
> [1] http://ipsec-tools.sourceforge.net/
> [2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-
> howto.html
>
> is this usable for any of you?

In racoon.fc, you wrote:

  ... ...
/var/run/pluto\.ctl	-s
system_u:object_r:racoon_var_run_t
  ... ...

But, when we use IPsec-Tools, it seems that there is
no such a file (i.e. /var/run/pluto.ctl). Then, Why
should we write this rule for it?

Thank you.





=====
Best Regards,
Park Lee


		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Helps protect you from nasty viruses. 
http://promotions.yahoo.com/new_mail

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux with IPSec - something going on ?

[petre rodan]

[-- Attachment #1: Type: text/plain, Size: 794 bytes --]


Hi,

Park Lee wrote:
> On 2004-10-25 at 15:51, petre rodan wrote:
>
>>Hi,
>>here is a fresh ipsec-tools [1] policy made for
>>gentoo. works flawlessly with my setup [2] (the doc
>>is work in progress).
>>
>>[1] http://ipsec-tools.sourceforge.net/
>>[2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-
>>howto.html
>>
>>is this usable for any of you?
>
>
> In racoon.fc, you wrote:
>
>   ... ...
> /var/run/pluto\.ctl	-s
> system_u:object_r:racoon_var_run_t
>   ... ...
>
> But, when we use IPsec-Tools, it seems that there is
> no such a file (i.e. /var/run/pluto.ctl). Then, Why
> should we write this rule for it?

you are correct, that rule should be removed.
it's a leftover from the prior implementation

thanks,
peter

--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]