From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov
Cc: sds@tycho.nsa.gov, cpebenito@tresys.com,
vyekkirala@TrustedCS.com, jmorris@namei.org
Subject: Q: SECMARK controls on forwarded packets
Date: Tue, 8 Jan 2008 23:30:58 -0500 [thread overview]
Message-ID: <200801082330.58907.paul.moore@hp.com> (raw)
Traditionally we have always checked a packet's secmark label against the
receiving socket and granted access based on allow rules similar to the one
below:
allow socket_t secmark_t:packet recv;
... we performed a similar check when sending packets:
allow socket_t secmark_t:packet send;
However, when we are dealing with forwarded traffic we do not have a sending
or receiving socket to compare the packet's secmark label against to perform
access control. Despite the lack of a socket, I believe we can still provide
useful access control with secmark labels by using the packet's peer label
(quick refresher, the packet's peer label is taken/derived from the original
sending socket and "attached" to the packet via NetLabel or labeled IPsec).
Since the packet's peer label conveys the same label as the sending socket,
using the packet's peer label in place of the sending socket seems to be a
natural fit.
Agree? Disagree? Other ideas?
Working under the assumption that you all agree, do you think we should stick
with the existing "packet { send recv }" permissions for forwarded traffic?
The "send" permission still makes sense to me for outgoing forwarded traffic
but the "recv" permission is all wrong since the forwarding host isn't
consuming the packet like it is with the existing "recv" permission. With
that in mind, I'd suggest adding a new permission, "forward", which is used
when checking inbound forwarded traffic.
Agree? Disagree? Other ideas?
So, in summary, here are the SECMARK permission checks applied to locally
generated or consumed traffic [this is the status quo]:
# inbound traffic
allow socket_t secmark_t:packet recv;
# outbound traffic
allow socket_t secmark_t:packet send;
... and these are the proposed SECMARK permission checks applied to forwarded
traffic as it enters and exists the forwarding-host/router:
# inbound traffic to be forwarded
allow peer_t secmark_t:packet forward;
# outbound forwarded traffic
allow peer_t secmark_t:packet send;
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2008-01-09 4:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-09 4:30 Paul Moore [this message]
2008-01-09 12:51 ` Q: SECMARK controls on forwarded packets Stephen Smalley
2008-01-09 13:30 ` Paul Moore
2008-01-09 13:39 ` Stephen Smalley
2008-01-09 15:36 ` Paul Moore
2008-01-09 14:04 ` James Morris
2008-01-09 20:48 ` Paul Moore
2008-01-09 23:35 ` Paul Moore
2008-01-10 15:32 ` Chad Hanson
2008-01-10 16:47 ` Paul Moore
2008-01-10 18:56 ` Joshua Brindle
2008-01-10 19:10 ` Paul Moore
2008-01-10 20:04 ` Joshua Brindle
2008-01-10 20:07 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200801082330.58907.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=cpebenito@tresys.com \
--cc=jmorris@namei.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.