Re: [PATCH] Version 7 (2.6.23) Smack: Simplified Mandatory Access Control Kernel

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Ahmed S. Darwish" <darwish.07@gmail.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: torvalds@osdl.org, akpm@osdl.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Version 7 (2.6.23) Smack: Simplified Mandatory Access Control Kernel
Date: Mon, 15 Oct 2007 01:13:58 +0200	[thread overview]
Message-ID: <20071014231358.GA5565@Ahmed> (raw)
In-Reply-To: <47124EBE.5090303@schaufler-ca.com>

Hi Casey,

On Sun, Oct 14, 2007 at 10:15:42AM -0700, Casey Schaufler wrote:
> 
> +
> +CIPSO Configuration
> +
> +It is normally unnecessary to specify the CIPSO configuration. The default
> +values used by the system handle all internal cases. Smack will compose CIPSO
> +label values to match the Smack labels being used without administrative
> +intervention. 
>

I have two issues with CIPSO and Smack:

1-

Using default configuration (system startup script + smacfs fstab line), system
can't access any service outside the Lan. "ICMP parameter problem message" always
appear from the first Wan router (traceroute + tcpdump at [1]).

Services inside the LAN can be accessed normally. System can connect to a Lan
Windows share. It also connects to the gateway HTTP server easily.

After some tweaking, I discovered that using CIPSOv6 solves all above problems:
$ echo -n "NLBL_CIPSOv6" > /smack/nltype

Is this a normal behaviour ?

2-

> 4. Any access requested on an object labeled "*" is permitted.
[...]
> +Unlabeled packets that come into the system will be given the
> +ambient label.

Default conf let the ambient attribute = _ which works fine. Setting ambient = *
stops all external (non lo) network traffic. Did I miss another use of "ambient"
or this is a normal behaviour ?.

> +Administration
> +
> +Smack supports some mount options:
> +
> +	smackfsdef=label: specifies the label to give files that lack
> +	the Smack label extended attribute.
> +

Although using smackfsdef=* as a mount option, all my system files have the floor
attribute. Most of the /dev files have the * attribute though.


[1]

traceroute to google.com (64.233.187.99), 30 hops max, 40 byte packets
 1  host-196.218.207.17.tedata.net (196.218.207.17)  1.976 ms  1.850 ms  2.127 ms
 2  DOKKI-R03C-GZ-EG (163.121.170.78)  27.429 ms  28.091 ms  23.336 ms

Here's the tcpdump for accessing google.com:

22:51:26.008883 IP host-196.218.207.18.tedata.net.54011 > host-196.218.207.17.tedata.net.domain:  11001+ A? google.com. (28)
22:51:26.011066 IP host-196.218.207.18.tedata.net.45317 > host-196.218.207.17.tedata.net.domain:  44913+[|domain]
22:51:26.052154 IP host-196.218.207.17.tedata.net.domain > host-196.218.207.18.tedata.net.54011:  11001 3/0/0 A py-in-f99.google.com,[|domain]
22:51:26.052700 IP host-196.218.207.18.tedata.net.57180 > py-in-f99.google.com.www: S 282373541:282373541(0) win 5840 <mss 1460,sackOK,timestamp 741383 0,nop,wscale 5>
22:51:26.090608 IP host-196.218.207.17.tedata.net.domain > host-196.218.207.18.tedata.net.45317:  44913 1/0/0 (89)
22:51:26.091473 IP host-196.218.207.18.tedata.net.34417 > host-196.218.207.17.tedata.net.domain:  49202+[|domain]
--> 22:51:26.105443 IP DOKKI-R03C-GZ-EG > host-196.218.207.18.tedata.net: ICMP parameter problem - octet 20, length 48

Best Regards,

-- 
Ahmed S. Darwish
HomePage: http://darwish.07.googlepages.com
Blog: http://darwish-07.blogspot.com

next prev parent reply	other threads:[~2007-10-14 23:14 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-10-14 17:15 [PATCH] Version 7 (2.6.23) Smack: Simplified Mandatory Access Control Kernel Casey Schaufler
2007-10-14 17:34 ` Al Viro
2007-10-14 17:56   ` Casey Schaufler
2007-10-14 23:13 ` Ahmed S. Darwish [this message]
2007-10-15  3:30   ` Casey Schaufler
2007-10-15 15:12     ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20071014231358.GA5565@Ahmed \
    --to=darwish.07@gmail.com \
    --cc=akpm@osdl.org \
    --cc=casey@schaufler-ca.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=torvalds@osdl.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.