* Question about SELinux capability
From: Moyer, Thomas - 0668 - MITLL @ 2012-10-26 20:08 UTC
  To: selinux@tycho.nsa.gov


I am working with a piece of embedded hardware that uses raw ethernet frames
to communicate with another (standard PC). Is it possible to apply SELinux
labels to those ethernet frames like you can with IP packets using iptables
and SECMARK?

Thanks!

-Tom

-- 
Thomas Moyer, Technical Staff voice: (781) 981-1374
Cyber Systems Technology Group mobile: (857) 268-0493
MIT Lincoln Laboratory email: thomas.moyer@ll.mit.edu
244 Wood Street
Lexington, MA 02420

* Re: Question about SELinux capability
From: Paul Moore @ 2012-10-30 22:39 UTC
  To: Moyer, Thomas - 0668 - MITLL; +Cc: selinux@tycho.nsa.gov

On Friday, October 26, 2012 04:08:15 PM Moyer, Thomas - 0668 - MITLL wrote:
> I am working with a piece of embedded hardware that uses raw ethernet frames
> to communicate with another (standard PC). Is it possible to apply SELinux
> labels to those ethernet frames like you can with IP packets using iptables
> and SECMARK?

The secmark/iptables labels never leave the local system; they are maintained 
only within the kernel and do not travel out over the wire.  If you are 
interested in communicating security labels over the network, your only options 
at present require an IP header at the very least.

-- 
paul moore
www.paul-moore.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Question about SELinux capability
From: Moyer, Thomas - 0668 - MITLL @ 2012-10-31 12:24 UTC
  To: Paul Moore; +Cc: selinux@tycho.nsa.gov

Yes. That is correct. What I am looking at though is a piece of hardware
that does not use IP (or TCP and UDP for that matter). Instead, they
implement their own protocol at the IP layer. So any traffic coming from
the hardware (to the system that I am writing policy for) and any traffic
being sent to that machine uses a raw socket to communicate (no IP at
all). I briefly looked at ebtables, but it doesn't appear to have the same
type of SECMARK support that I would use with iptables.

I think the best solution that I have come up with is to label the network
interface used to communicate with the hardware, and then only allow the
domain being confined to create sockets and bind to that interface.

-Tom

* Re: Question about SELinux capability
From: Paul Moore @ 2012-11-01 15:58 UTC
  To: Moyer, Thomas - 0668 - MITLL; +Cc: selinux@tycho.nsa.gov

On Wednesday, October 31, 2012 08:24:21 AM Moyer, Thomas - 0668 - MITLL wrote:
> Yes. That is correct. What I am looking at though is a piece of hardware
> that does not use IP (or TCP and UDP for that matter). Instead, they
> implement their own protocol at the IP layer. So any traffic coming from
> the hardware (to the system that I am writing policy for) and any traffic
> being sent to that machine uses a raw socket to communicate (no IP at
> all). I briefly looked at ebtables, but it doesn't appear to have the same
> type of SECMARK support that I would use with iptables.

I think I misunderstood your original question; I thought you were interested 
in labeling the ethernet frames on the wire while it sounds like you are only 
interested in assigning labels to the network traffic once it has been 
received by the system - yes?

> I think the best solution that I have come up with is to label the network
> interface used to communicate with the hardware, and then only allow the
> domain being confined to create sockets and bind to that interface.

I assume you are talking about the ingress/egress controls?

If so, a word of caution: they *may* not catch non-IP traffic due to the way 
they are hooked into the network stack.  I'd be interested in hearing what 
happens in your case.

-- 
paul moore
www.paul-moore.com
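
As an added example (not code from the thread, and not the vendor library Tom describes), the C program below does what such a library has to do: build an Ethernet frame carrying a non-IP EtherType and push it out of one interface through an AF_PACKET socket. The comments name the SELinux permission each syscall exercises. It also makes Paul's caution concrete: only frames whose EtherType is IPv4 or IPv6 (directly, or behind a single 802.1Q tag) enter the IP stack, which is where iptables (and therefore SECMARK) and the SELinux netif and node checks operate; a frame with any other EtherType is handed to packet sockets without passing through that layer. If the interface-based controls do not see this traffic, the checks that still apply to the confined domain are the ones on the socket itself: capability net_raw and packet_socket create/bind/read/write, which is what Tom's "only allow the domain to create sockets and bind to that interface" ultimately rests on. The EtherType 0x88B5, the MAC addresses, the payload and the interface name are constructed test values, not anything taken from the thread. Build with `cc -Wall -o hwraw hwraw.c`; run as `./hwraw` to see the frame classified, or `./hwraw eth1` to actually open the socket and send.

```c
/* Added example, not code from the thread or from the device's library: a minimal
 * AF_PACKET client for a custom, non-IP protocol carried in raw Ethernet frames,
 * annotated with the SELinux permission each step exercises.
 * EtherType, MACs, payload and interface name are constructed test values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>        /* htons */
#include <net/if.h>           /* if_nametoindex */
#include <sys/socket.h>
#include <linux/if_packet.h>  /* struct sockaddr_ll */

#define MAC_LEN         6
#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800
#define ETHERTYPE_IPV6  0x86DD
#define ETHERTYPE_VLAN  0x8100
#define ETHERTYPE_HWDEV 0x88B5   /* assumption: an IEEE "local experimental" EtherType stands in for the device's */

/* Lay out dst MAC | src MAC | EtherType | payload.  Returns the frame length, or -1 if it does not fit. */
int build_frame(uint8_t *out, size_t cap, const uint8_t dst[MAC_LEN], const uint8_t src[MAC_LEN],
                uint16_t ethertype, const uint8_t *payload, size_t plen)
{
    if (cap < ETH_HDR_LEN + plen)
        return -1;
    memcpy(out, dst, MAC_LEN);
    memcpy(out + MAC_LEN, src, MAC_LEN);
    out[12] = (uint8_t)(ethertype >> 8);      /* EtherType is big-endian on the wire */
    out[13] = (uint8_t)(ethertype & 0xff);
    memcpy(out + ETH_HDR_LEN, payload, plen);
    return (int)(ETH_HDR_LEN + plen);
}

/* Will the IP stack see this frame?  Only IPv4/IPv6 (possibly behind one 802.1Q tag) reach
 * the IP layer, where iptables/SECMARK and the SELinux netif and node checks operate; every
 * other EtherType is delivered to packet sockets only.  1 = IP, 0 = non-IP, -1 = too short. */
int frame_is_ip(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN)
        return -1;
    uint16_t type = (uint16_t)((frame[12] << 8) | frame[13]);
    if (type == ETHERTYPE_VLAN) {
        if (len < ETH_HDR_LEN + 4)
            return -1;
        type = (uint16_t)((frame[16] << 8) | frame[17]);   /* EtherType after the 4-byte tag */
    }
    return (type == ETHERTYPE_IPV4 || type == ETHERTYPE_IPV6) ? 1 : 0;
}

/* Open a raw packet socket bound to one interface.  SELinux checks on the calling domain:
 *   socket()  -> capability net_raw, packet_socket create
 *   bind()    -> packet_socket bind (a socket-class check, not a netif check)
 *   send/recv -> packet_socket write / read
 * These fire for every frame regardless of EtherType, so they remain a choke point even when
 * the IP-layer interface controls never see the traffic. */
int open_hw_socket(const char *ifname, uint16_t ethertype)
{
    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0)
        return -1;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ethertype));
    if (fd < 0)
        return -1;
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ethertype),
                               .sll_ifindex = (int)ifindex };
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Constructed values: locally administered MACs and a 4-byte payload. */
    const uint8_t dst[MAC_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    const uint8_t src[MAC_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
    const uint8_t payload[]    = {0xde, 0xad, 0xbe, 0xef};
    uint8_t frame[64];
    int len = build_frame(frame, sizeof frame, dst, src, ETHERTYPE_HWDEV, payload, sizeof payload);
    printf("frame of %d bytes, seen by the IP stack: %s\n", len,
           frame_is_ip(frame, (size_t)len) == 1 ? "yes" : "no");
    if (argc > 1) {   /* e.g. ./hwraw eth1; needs CAP_NET_RAW plus the SELinux permissions above */
        int fd = open_hw_socket(argv[1], ETHERTYPE_HWDEV);
        if (fd < 0 || send(fd, frame, (size_t)len, 0) < 0) {
            perror("raw socket");
            return 1;
        }
        close(fd);
    }
    return 0;
}
```

Running it with an interface name from the confined domain while the policy is permissive is the quickest way to get the answer Paul asks for: the AVC records (`ausearch -m avc`) will show any denials against tclass=packet_socket, and the presence or absence of tclass=netif records for the same traffic tells you whether labeling the interface constrains this path at all or whether the packet_socket rules are doing the work.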



* RE: Question about SELinux capability
From: Bryan Hinton @ 2012-11-01 17:03 UTC
  To: Paul Moore, Moyer, Thomas - 0668 - MITLL; +Cc: selinux@tycho.nsa.gov

Thomas,
You had mentioned that you are working with a piece of embedded hardware that uses raw ethernet frames to communicate with another PC.
I had a few questions to better understand the problem.
Are you manually packing the MAC destination and MAC source address in the ethernet frame?
Are you restricted to a specific medium - i.e. ethernet cable?
Which embedded Linux distribution are you working with and which version of the Linux kernel are you working with?
Have you explored the MAC filtering capabilities in iptables?
Am I correct in assuming that you are trying to dynamically filter MAC addresses?  
If not, what parameters constitute a raw ethernet frame that should get labeled?

Also, labeling the network interface per prior suggestions sounds like a good idea, but I was curious regarding the above questions.

Bryan Hinton

* Re: Question about SELinux capability
From: Moyer, Thomas - 0668 - MITLL @ 2012-11-01 17:09 UTC
  To: Paul Moore; +Cc: selinux@tycho.nsa.gov

On 11/1/12 11:58 AM, "Paul Moore" <paul@paul-moore.com> wrote:


>On Wednesday, October 31, 2012 08:24:21 AM Moyer, Thomas - 0668 - MITLL
>wrote:
>> Yes. That is correct. What I am looking at though is a piece of hardware
>> that does not use IP (or TCP and UDP for that matter). Instead, they
>> implement their own protocol at the IP layer. So any traffic coming from
>> the hardware (to the system that I am writing policy for) and any
>>traffic
>> being sent to that machine uses a raw socket to communicate (no IP at
>> all). I briefly looked at ebtables, but it doesn't appear to have the
>>same
>> type of SECMARK support that I would use with iptables.
>
>I think I misunderstood your original question; I thought you were
>interested 
>in labeling the ethernet frames on the wire while it sounds like you are
>only 
>interested in assigning labels to the network traffic once it has been
>received by the system - yes?

Correct.

>
>> I think the best solution that I have come up with is to label the
>>network
>> interface used to communicate with the hardware, and then only allow the
>> domain being confined to create sockets and bind to that interface.
>
>I assume you are talking about the ingress/egress controls?

Also correct.

>
>If so, a word of caution, they *may* not catch non-IP traffic due to they
>way 
>they are hooked into the network stack.  I'd be interested in hearing
>what 
>happens in your case.

We are trying to ensure that only specific applications running on the
system can communicate with the embedded hardware. One way to do this is
to filter network traffic. At least the "easiest" that I could identify.


* Re: Question about SELinux capability
From: Moyer, Thomas - 0668 - MITLL @ 2012-11-01 17:16 UTC
  To: Bryan Hinton, Paul Moore; +Cc: selinux@tycho.nsa.gov

On 11/1/12 1:03 PM, "Bryan Hinton" <bryan@bryanhinton.com> wrote:

>Thomas,
>You had mentioned that you are working with a piece of embedded hardware
>that uses raw ethernet frames to communicate with another PC.
>I had a few questions to better understand the problem.
>Are you manually packing the MAC destination and MAC source address in
>the ethernet frame?

There is a library that is provided to us that handles the communication.
I believe the library constructs the ethernet frame manually, including
the MAC addresses.

>Are you restricted to a specific medium - i.e. ethernet cable?

Yes. The hardware dictates this. We do have the guarantee that the
interface is a direct connection between the PC and the embedded hardware.

>Which embedded Linux distribution are you working with and which version
>of the Linux kernel are you working with?

The PC runs Red Hat Enterprise Linux 6. The OS on the other side is not
known (to me). It is treated as a black box.

>Have you explored the MAC filtering capabilities in iptables?

I didn't think that iptables would actually be involved since the ethernet
frames have no IP header in them.

>Am I correct in assuming that you are trying to dynamically filter MAC
>addresses?  

Not sure what is meant by the above. The goal is to limit what
applications running on the system can communicate with the embedded
hardware connected to the system.

>If not, what parameters constitute a raw ethernet frame that should get
>labeled?

As above, I'm not sure I follow the question. I think the shortest answer
I can provide is that this hardware has a protocol that is used in place
of IP, and we need to do some filtering to enforce the security property
outlined above (only application X can communicate with the hardware).

>
>Also, labeling the network interface per prior suggestions sounds like a
>good idea but was curious regarding the above questions.

I think that is the route we have decided on. On the off chance that we
test out the connection and iptables will actually identify the traffic, I
might consider that, but given the other constraints (e.g. the connection
is a dedicated connection between the system and the embedded device) I
think the interface labeling will work fine.


* RE: Question about SELinux capability
From: Bryan Hinton @ 2012-11-01 17:17 UTC
  To: Moyer, Thomas - 0668 - MITLL, Paul Moore; +Cc: selinux@tycho.nsa.gov

Thomas,
You mentioned below that you are trying to ensure that only specific applications running on the system can communicate with the embedded hardware.
What type of bus and/or driver are being used to connect the system and the embedded hardware?

Bryan Hinton

