Re: Q: SECMARK controls on forwarded packets

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paul Moore <paul.moore@hp.com>
To: James Morris <jmorris@namei.org>
Cc: selinux@tycho.nsa.gov, sds@tycho.nsa.gov, cpebenito@tresys.com,
	vyekkirala@TrustedCS.com
Subject: Re: Q: SECMARK controls on forwarded packets
Date: Wed, 9 Jan 2008 18:35:20 -0500	[thread overview]
Message-ID: <200801091835.20692.paul.moore@hp.com> (raw)
In-Reply-To: <200801091548.10359.paul.moore@hp.com>

On Wednesday 09 January 2008 3:48:10 pm Paul Moore wrote:
>  - inbound locally consumed traffic permissions
>
>    # is TOP_SECRET traffic allowed on this network?
>    allow peer_t netif_t:netif ingress;
>    allow peer_t node_t:node recvfrom;
>    # is apache allowed to receive traffic from firefox?
>    allow socket_t peer_t:peer recv;
>    # is apache allowed to receive web traffic?
>    allow socket_t secmark_t:packet recv;
>
>  - outbound locally generated traffic permissions
>
>    # is apache allowed to send web traffic?
>    allow socket_t secmark_t:packet send;
>    # is TOP_SECRET traffic allowed on this network?
>    allow socket_t netif_t:netif egress;
>    allow socket_t node_t:node sendto;
>
>  - inbound forwaded traffic permissions
>
>    # is TOP_SECRET traffic allowed on this network?
>    allow peer_t netif_t:netif ingress;
>    allow peer_t node_t:node recvfrom;
>    # is apache allowed to forward web traffic through this system?
>    allow peer_t secmark_t:packet forward_in;
>
>  - outbound forwarded traffic permissions
>
>    # is apache allowed to forward web traffic through this system?
>    allow peer_t secmark_t:packet forward_out;
>    # is TOP_SECRET traffic allowed on this network?
>    allow peer_t netif_t:netif egress;
>    allow peer_t node_t:node sendto;

While it doesn't have a big impact on policy, it's probably also worth 
mentioning that all of the above access checks are now dynamically 
enabled/disabled based on the presence of user configuration at 
runtime.  What this means is that if you have not configured NetLabel, 
labeled IPsec, or SECMARK all of the checks above will be skipped which 
should result in significantly less per-packet overhead in most cases.

For those of you who only make use of some of the labeled networking 
functionality, as you configure the system to use the labeled 
networking features you want, the relevant access checks are 
automatically enabled by the kernel.  For example, if you only have 
SECMARK configured you will only hit the following access checks:

 - inbound locally consumed traffic permissions

   allow socket_t secmark_t:packet recv;

 - outbound locally generated traffic permissions
   
   allow socket_t secmark_t:packet send;

 - inbound forwaded traffic permissions

   allow unlabeled_t secmark_t:packet forward_in;

 - outbound forwarded traffic permissions

   allow unlabeled_t secmark_t:packet forward_out;

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2008-01-09 23:35 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-01-09  4:30 Q: SECMARK controls on forwarded packets Paul Moore
2008-01-09 12:51 ` Stephen Smalley
2008-01-09 13:30   ` Paul Moore
2008-01-09 13:39     ` Stephen Smalley
2008-01-09 15:36       ` Paul Moore
2008-01-09 14:04 ` James Morris
2008-01-09 20:48   ` Paul Moore
2008-01-09 23:35     ` Paul Moore [this message]
2008-01-10 15:32     ` Chad Hanson
2008-01-10 16:47       ` Paul Moore
2008-01-10 18:56         ` Joshua Brindle
2008-01-10 19:10           ` Paul Moore
2008-01-10 20:04             ` Joshua Brindle
2008-01-10 20:07               ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200801091835.20692.paul.moore@hp.com \
    --to=paul.moore@hp.com \
    --cc=cpebenito@tresys.com \
    --cc=jmorris@namei.org \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=vyekkirala@TrustedCS.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.