From: Paul Moore <paul.moore@hp.com>
To: "Justin P. Mattock" <justinmattock@gmail.com>
Cc: linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
	"SE-Linux" <selinux@tycho.nsa.gov>
Subject: Re: netlabel: UNLABELED ath9k not denying unlabeled traffic
Date: Thu, 15 Jan 2009 12:45:05 -0500
Message-ID: <200901151245.05494.paul.moore@hp.com>
In-Reply-To: <496E974E.1040806@gmail.com>

On Wednesday 14 January 2009 8:54:22 pm Justin P. Mattock wrote:
> Paul Moore wrote:
> apologize for the slow response
> (had to do some external activities);

No problem, I've got a day job too :)

> > NOTE: the domain mapping configuration only controls how outbound
> > network traffic is labeled on-the-wire; it "maps" the
> > LSM/SELinux "domains" to a specific labeling protocol
> > configuration, e.g. all apache_t traffic should be labeled with
> > CIPSO DOI 3 while all firefox_t traffic should not be labeled at
> > all.

...

> > I think what you mean to type is the following:
> >
> >  # netlabelctl unlbl add interface:wlan0 address:<radioadd> \
> >        label:system_u:object_r:netlabel_peer_t:s0
> >
> > ... note there is no "domain" argument, that only exists
> > for "netlabelctl map ..." commands.
> >
> > NOTE: if you really want to get fancy you can create new SELinux
> > domains for each type of media and add NetLabel configurations for
> > those new domains.  Imagine you create a new "internet_radio_t"
> > domain/type and only allow the "netplayer_t" domain (yeah, I made
> > that up but you get the point) access to network traffic labeled
> > with internet_radio_t. You would then use the following command to
> > label your incoming traffic with NetLabel:
> >
> >  # netlabelctl unlbl add interface:wlan0 address:<radioadd> \
> >        label:system_u:object_r:internet_radio_t:s0
> >
> > NOTE: you can also skip the "interface:wlan0" argument and just
> > use "default" instead if you want the configuration to apply to all
> > your network interfaces; although bear in mind that the "default"
> > configuration can be overridden by the interface specific
> > configurations.
>
> Alright, I thought you could use the map option for unlbl.

Yes, you can configure the LSM/SELinux domain mapping to send
unlabeled/"unlbl" packets (the default configuration maps all outbound
traffic to "unlbl") but since you only really care about inbound
traffic you can ignore the "map" option.

-- 
paul moore
linux @ hp
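To make the precedence described in the quoted notes concrete, here is a small Python model of the unlabeled-traffic lookup, added here as an illustration; it is not code from this thread, from the kernel, or from netlabel_tools. It assumes the lookup order as I understand it from the kernel's NetLabel code: the interface-specific table is consulted first and the "default" table only when the interface has no table of its own, with the most specific address match winning; the 203.0.113.x addresses are constructed stand-ins for <radioadd>.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One table per interface name; "default" is the catch-all table.
# Each entry pairs a host or CIDR address with the label it assigns.
UnlblTable = Dict[str, List[Tuple[ipaddress.IPv4Network, str]]]


def unlbl_add(table: UnlblTable, iface: str, address: str, label: str) -> None:
    """Mirror `netlabelctl unlbl add interface:<iface>|default address:<addr> label:<label>`."""
    net = ipaddress.ip_network(address, strict=False)   # "203.0.113.10" becomes a /32
    table.setdefault(iface, []).append((net, label))


def unlbl_lookup(table: UnlblTable, iface: str, src: str) -> Optional[str]:
    """Label an unlabeled inbound packet from `src` arriving on `iface`.

    Assumed model: the interface's own table is used if one exists, otherwise
    the "default" table; within a table the longest matching prefix wins.
    None means no entry matched, so the packet gets no peer label at all.
    """
    entries = table.get(iface)
    if entries is None:
        entries = table.get("default", [])
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, label in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best is not None else None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario from the thread: a radio stream on wlan0 plus a default."""
    table: UnlblTable = {}
    # 203.0.113.10 (documentation range) stands in for <radioadd>.
    unlbl_add(table, "wlan0", "203.0.113.10", "system_u:object_r:internet_radio_t:s0")
    unlbl_add(table, "default", "0.0.0.0/0", "system_u:object_r:netlabel_peer_t:s0")
    return {
        # the interface-specific entry labels the radio server's packets
        "radio_on_wlan0": unlbl_lookup(table, "wlan0", "203.0.113.10"),
        # wlan0 has its own table, so the default does not fill in for other hosts
        "other_on_wlan0": unlbl_lookup(table, "wlan0", "203.0.113.99"),
        # an interface with no table falls back to the default entry
        "other_on_eth0": unlbl_lookup(table, "eth0", "203.0.113.99"),
    }


if __name__ == "__main__":
    for case, label in demo().items():
        print(f"{case}: {label}")
```

An unmatched packet (None) is exactly the traffic the UNLABELED policy is meant to deny, so the "other_on_wlan0" case shows why a stray interface-specific entry can silently change what the default covers.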

