* Netlabel
From: Christophe Hauser @ 2012-04-26 16:12 UTC (permalink / raw)
To: kernelnewbies
Hi all,
is anyone here familiar with Netlabel? I am trying to label network packets
using CIPSO tags from an LSM module. Rather than using the Netlink interface to
configure Netlabel from userspace, I try to set up everything from kernelspace.
The way I initialize netlabel is similar to what smack does in smk_cipso_doi()
(security/smack/smackfs.c).
What I am trying to do is the following:
- no packet should ever get dropped
- unlabeled packets can stay unlabeled, I don't need to assign them any DOI
- labeled packets carry information that is only useful to my LSM module
(bitmaps)
Now, every time I label a socket, packets get dropped. I read in the RFC about
configuration settings such as HOST_LABEL_MAX and so on, but as far as I
understand, it is up to the module itself to make such verifications. Is
netlabel enforcing any sort of policy here? Is there any way I can configure
netlabel to never drop packets?
Kind regards,
--
Christophe
* NetLabel
From: Justin Mattock @ 2008-06-04 6:55 UTC (permalink / raw)
To: selinux
Hello; hopefully this is the right list to post this question.
After looking at NetLabel, in dmesg I couldn't help but see:
[ 0.570655] NetLabel: Initializing
[ 0.570660] NetLabel: domain hash size = 128
[ 0.570663] NetLabel: protocols = UNLABELED CIPSOv4
[ 0.570730] NetLabel: unlabeled traffic allowed by default
"unlabeled traffic allowed by default."
Is this similar to SELinux (handle_unknown=deny)? If so, is there an
option to change this to "unlabeled traffic deny"?
Also, is there a location for this in the kernel, e.g. /proc/sys/net/*?
regards;
--
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: NetLabel
From: Paul Moore @ 2008-06-04 14:31 UTC (permalink / raw)
To: Justin Mattock; +Cc: selinux
On Wednesday 04 June 2008 2:55:15 am Justin Mattock wrote:
> Hello; Hopefully this is the right list to post this question,
> after looking at NetLabel, in dmesg I couldn't help but see:
> [ 0.570655] NetLabel: Initializing
> [ 0.570660] NetLabel: domain hash size = 128
> [ 0.570663] NetLabel: protocols = UNLABELED CIPSOv4
> [ 0.570730] NetLabel: unlabeled traffic allowed by default
>
> "unlabeled traffic allowed by default."
> is this similar to selinux (handle_unkown=deny, if so is there an
> option to change this to "unlabeled traffic deny."
Nope, the two are completely unrelated. By default, NetLabel allows
unlabeled traffic to pass (meaning the netlbl_skbuff_getattr() function
returns an empty secattr and no error, the LSM does the actual packet
pass/drop) so as to keep networking working for the majority of users
who do not configure NetLabel. If you were to disable unlabeled
traffic using NetLabel only CIPSO and static/fallback (using 2.6.25 or
greater) labeled traffic would be allowed into the system.
Unless you really know what you are doing I wouldn't mess with this
setting.
> Also is there a location for this in the kernel i.g. /proc/sys/net/*
> regards;
There are some sysctl variables which offer control of the
NetLabel/CIPSO functionality; they do not toggle the unlabeled allow/deny
behavior. For that you need the netlabel_tools package, specifically
netlabelctl.
* http://netlabel.sf.net
--
paul moore
linux @ hp
--
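To make the split Paul describes concrete (NetLabel hands the LSM a secattr, empty for an unlabeled packet when unlabeled traffic is allowed, and the LSM takes the pass/drop decision), here is a small user-space model of that inbound path. It is an added example, not code from this thread or from the kernel: the function and struct names (nl_getattr, lsm_decide, inbound_verdict, struct secattr, struct sock_policy) are invented, the error codes are the model's own rather than the kernel's, and the sample option bytes are constructed. It parses a CIPSO IPv4 option carrying a tag type 1 (restrictive bitmap: alignment octet, sensitivity level, category bitmap) and then applies a toy LSM policy, which also illustrates Christophe's observation above that a labeled packet is dropped by the LSM's own check, not by NetLabel.

```c
/* Added example: user-space model of NetLabel getattr + LSM verdict.
 * Names, error codes and the toy policy are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPOPT_EOL          0
#define IPOPT_NOP          1
#define IPOPT_CIPSO        134  /* CIPSO IPv4 option type */
#define CIPSO_TAG_RBITMAP  1    /* tag type 1: restrictive category bitmap */
#define CIPSO_CAT_MAX      30   /* tag-1 bitmap is at most 30 octets */

#define NL_OK           0
#define NL_EUNLABELED  -1   /* unlabeled packet while unlabeled traffic is disabled */
#define NL_EINVAL      -2   /* malformed CIPSO option */

struct secattr {
    int      labeled;           /* 0: empty secattr (unlabeled packet) */
    uint32_t doi;
    uint8_t  level;
    uint8_t  cats[CIPSO_CAT_MAX];
    size_t   cats_len;
};

/* Parse one CIPSO option (opt points at the type byte, len is the option length). */
static int cipso_parse(const uint8_t *opt, size_t len, struct secattr *sa)
{
    if (len < 6) return NL_EINVAL;              /* type, length, 4-byte DOI */
    sa->doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
              ((uint32_t)opt[4] << 8) | opt[5];
    size_t pos = 6;
    while (pos < len) {
        if (pos + 2 > len) return NL_EINVAL;
        uint8_t tag_type = opt[pos], tag_len = opt[pos + 1];
        if (tag_len < 4 || pos + tag_len > len) return NL_EINVAL;
        if (tag_type == CIPSO_TAG_RBITMAP) {
            /* layout: type, length, alignment octet, sensitivity level, bitmap */
            size_t nbytes = tag_len - 4;
            if (nbytes > CIPSO_CAT_MAX) return NL_EINVAL;
            sa->level = opt[pos + 3];
            memcpy(sa->cats, &opt[pos + 4], nbytes);
            sa->cats_len = nbytes;
            sa->labeled = 1;
            return NL_OK;
        }
        pos += tag_len;                         /* tag types the model ignores */
    }
    return NL_EINVAL;                           /* no usable tag: treat as malformed */
}

/* Model of netlbl_skbuff_getattr(): walk the IPv4 options area for a CIPSO label.
 * No label + unlabeled allowed -> NL_OK with an empty secattr. */
int nl_getattr(const uint8_t *opts, size_t len, int allow_unlabeled, struct secattr *sa)
{
    memset(sa, 0, sizeof *sa);
    size_t pos = 0;
    while (pos < len) {
        uint8_t type = opts[pos];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { pos++; continue; }
        if (pos + 2 > len) return NL_EINVAL;
        uint8_t olen = opts[pos + 1];
        if (olen < 2 || pos + olen > len) return NL_EINVAL;
        if (type == IPOPT_CIPSO) return cipso_parse(&opts[pos], olen, sa);
        pos += olen;
    }
    return allow_unlabeled ? NL_OK : NL_EUNLABELED;
}

/* Toy per-socket LSM policy (assumption): a clearance level and a category mask. */
struct sock_policy {
    uint8_t max_level;
    uint8_t allowed_cats[CIPSO_CAT_MAX];
};

/* The LSM's decision, taken outside NetLabel. Returns 1 = pass, 0 = drop. */
int lsm_decide(const struct secattr *sa, const struct sock_policy *pol)
{
    if (!sa->labeled) return 1;                 /* empty secattr: this policy passes it */
    if (sa->level > pol->max_level) return 0;
    for (size_t i = 0; i < sa->cats_len; i++)
        if (sa->cats[i] & ~pol->allowed_cats[i]) return 0;
    return 1;
}

/* Full inbound path: NetLabel error -> drop, otherwise the LSM verdict. */
int inbound_verdict(const uint8_t *opts, size_t len, int allow_unlabeled,
                    const struct sock_policy *pol)
{
    struct secattr sa;
    if (nl_getattr(opts, len, allow_unlabeled, &sa) != NL_OK) return 0;
    return lsm_decide(&sa, pol);
}

/* Constructed samples: a CIPSO option (DOI 3, tag 1, level 2, category 0 set)
 * and an options area with no CIPSO option at all (NOP, EOL). */
static const uint8_t SAMPLE_LABELED[]   = { 134, 11, 0, 0, 0, 3, 1, 5, 0, 2, 0x80 };
static const uint8_t SAMPLE_UNLABELED[] = { IPOPT_NOP, IPOPT_EOL };
static const struct sock_policy POLICY_LEVEL2 = { 2, { 0x80 } };
static const struct sock_policy POLICY_LEVEL1 = { 1, { 0x80 } };

int main(void)
{
    printf("labeled, level 2 <= clearance 2: %d\n",
           inbound_verdict(SAMPLE_LABELED, sizeof SAMPLE_LABELED, 1, &POLICY_LEVEL2));
    printf("labeled, level 2 >  clearance 1: %d\n",
           inbound_verdict(SAMPLE_LABELED, sizeof SAMPLE_LABELED, 1, &POLICY_LEVEL1));
    printf("unlabeled, unlabeled allowed:    %d\n",
           inbound_verdict(SAMPLE_UNLABELED, sizeof SAMPLE_UNLABELED, 1, &POLICY_LEVEL2));
    printf("unlabeled, unlabeled disabled:   %d\n",
           inbound_verdict(SAMPLE_UNLABELED, sizeof SAMPLE_UNLABELED, 0, &POLICY_LEVEL2));
    return 0;
}
```

The two places a packet can be dropped are visible as two different return paths: nl_getattr only fails for a malformed label or for an unlabeled packet once unlabeled traffic has been disabled (the knob Paul says is set with netlabelctl), while a well-formed label that the socket's clearance does not cover is rejected in lsm_decide. An LSM that wants "never drop" for its own labels, as asked at the top of the thread, has to relax the second check; NetLabel itself is not where that decision lives.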
* Re: NetLabel
From: Justin Mattock @ 2008-06-04 19:05 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
On Wed, Jun 4, 2008 at 2:31 PM, Paul Moore <paul.moore@hp.com> wrote:
> On Wednesday 04 June 2008 2:55:15 am Justin Mattock wrote:
>> Hello; Hopefully this is the right list to post this question,
>> after looking at NetLabel, in dmesg I couldn't help but see:
>> [ 0.570655] NetLabel: Initializing
>> [ 0.570660] NetLabel: domain hash size = 128
>> [ 0.570663] NetLabel: protocols = UNLABELED CIPSOv4
>> [ 0.570730] NetLabel: unlabeled traffic allowed by default
>>
>> "unlabeled traffic allowed by default."
>> is this similar to selinux (handle_unkown=deny, if so is there an
>> option to change this to "unlabeled traffic deny."
>
> Nope, the two are completely unrelated. By default, NetLabel allows
> unlabeled traffic to pass (meaning the netlbl_skbuff_getattr() function
> returns an empty secattr and no error, the LSM does the actual packet
> pass/drop) so as to keep networking working for the majority of users
> who do not configure NetLabel. If you were to disable unlabeled
> traffic using NetLabel only CIPSO and static/fallback (using 2.6.25 or
> greater) labeled traffic would be allowed into the system.
>
> Unless you really know what you are doing I wouldn't mess with this
> setting.
>
>> Also is there a location for this in the kernel i.g. /proc/sys/net/*
>> regards;
>
> There are some sysctl variables which offer control of the
> NetLabel/CIPSO functionality they do no toggle the unlabeled allow/deny
> behavior, for that you need the netlabel_tools package, specifically
> netlabelctl.
>
> * http://netlabel.sf.net
>
> --
> paul moore
> linux @ hp
>
I'm going to answer honestly: I don't know what I'm doing, so with that
in mind maybe I should just leave this for now.
I did have a look at the netlabel_tools package, but as I said
in the first sentence, I need to really study this
before venturing into it (that way I'm not stuck with no internet).
regards;
--
Justin P. Mattock
--
* Re: NetLabel
From: Paul Moore @ 2008-06-04 19:14 UTC (permalink / raw)
To: Justin Mattock; +Cc: selinux
On Wednesday 04 June 2008 3:05:08 pm Justin Mattock wrote:
> On Wed, Jun 4, 2008 at 2:31 PM, Paul Moore <paul.moore@hp.com> wrote:
> > On Wednesday 04 June 2008 2:55:15 am Justin Mattock wrote:
> >> Hello; Hopefully this is the right list to post this question,
> >> after looking at NetLabel, in dmesg I couldn't help but see:
> >> [ 0.570655] NetLabel: Initializing
> >> [ 0.570660] NetLabel: domain hash size = 128
> >> [ 0.570663] NetLabel: protocols = UNLABELED CIPSOv4
> >> [ 0.570730] NetLabel: unlabeled traffic allowed by default
> >>
> >> "unlabeled traffic allowed by default."
> >> is this similar to selinux (handle_unkown=deny, if so is there an
> >> option to change this to "unlabeled traffic deny."
> >
> > Nope, the two are completely unrelated. By default, NetLabel
> > allows unlabeled traffic to pass (meaning the
> > netlbl_skbuff_getattr() function returns an empty secattr and no
> > error, the LSM does the actual packet pass/drop) so as to keep
> > networking working for the majority of users who do not configure
> > NetLabel. If you were to disable unlabeled traffic using NetLabel
> > only CIPSO and static/fallback (using 2.6.25 or greater) labeled
> > traffic would be allowed into the system.
> >
> > Unless you really know what you are doing I wouldn't mess with this
> > setting.
> >
> >> Also is there a location for this in the kernel i.g.
> >> /proc/sys/net/* regards;
> >
> > There are some sysctl variables which offer control of the
> > NetLabel/CIPSO functionality they do no toggle the unlabeled
> > allow/deny behavior, for that you need the netlabel_tools package,
> > specifically netlabelctl.
> >
> > * http://netlabel.sf.net
>
> I'm going to answer honestly I don't know what I'm doing, so with
> that in mind maybe I should just leave this for now,
> I did have a look at the netlabel_tools package, but like what I said
> in the first sentence, I need to really study this
> before venturing into this, (that way I'm not stuck with no
> internet.) regards;
Sounds like a good plan. I wish I had some decent documentation to pass
along, but I haven't had a chance to write anything up so far ...
regardless, if you have any questions, don't hesitate to ask.
Good luck.
--
paul moore
linux @ hp
--
* Re: NetLabel
From: Justin Mattock @ 2008-06-04 19:25 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
On Wed, Jun 4, 2008 at 7:14 PM, Paul Moore <paul.moore@hp.com> wrote:
> On Wednesday 04 June 2008 3:05:08 pm Justin Mattock wrote:
>> On Wed, Jun 4, 2008 at 2:31 PM, Paul Moore <paul.moore@hp.com> wrote:
>> > On Wednesday 04 June 2008 2:55:15 am Justin Mattock wrote:
>> >> Hello; Hopefully this is the right list to post this question,
>> >> after looking at NetLabel, in dmesg I couldn't help but see:
>> >> [ 0.570655] NetLabel: Initializing
>> >> [ 0.570660] NetLabel: domain hash size = 128
>> >> [ 0.570663] NetLabel: protocols = UNLABELED CIPSOv4
>> >> [ 0.570730] NetLabel: unlabeled traffic allowed by default
>> >>
>> >> "unlabeled traffic allowed by default."
>> >> is this similar to selinux (handle_unkown=deny, if so is there an
>> >> option to change this to "unlabeled traffic deny."
>> >
>> > Nope, the two are completely unrelated. By default, NetLabel
>> > allows unlabeled traffic to pass (meaning the
>> > netlbl_skbuff_getattr() function returns an empty secattr and no
>> > error, the LSM does the actual packet pass/drop) so as to keep
>> > networking working for the majority of users who do not configure
>> > NetLabel. If you were to disable unlabeled traffic using NetLabel
>> > only CIPSO and static/fallback (using 2.6.25 or greater) labeled
>> > traffic would be allowed into the system.
>> >
>> > Unless you really know what you are doing I wouldn't mess with this
>> > setting.
>> >
>> >> Also is there a location for this in the kernel i.g.
>> >> /proc/sys/net/* regards;
>> >
>> > There are some sysctl variables which offer control of the
>> > NetLabel/CIPSO functionality they do no toggle the unlabeled
>> > allow/deny behavior, for that you need the netlabel_tools package,
>> > specifically netlabelctl.
>> >
>> > * http://netlabel.sf.net
>>
>> I'm going to answer honestly I don't know what I'm doing, so with
>> that in mind maybe I should just leave this for now,
>> I did have a look at the netlabel_tools package, but like what I said
>> in the first sentence, I need to really study this
>> before venturing into this, (that way I'm not stuck with no
>> internet.) regards;
>
> Sound like a good plan. I wish I had some decent documentation to pass
> along but I haven't had a chance to write anything up so far ...
> regardless, if you have any questions don't hesitate to ask.
>
> Good luck.
>
> --
> paul moore
> linux @ hp
>
Cool, thanks for the response and help. I think overall I'm just
trying to make sure /etc/sysctl.conf is in good condition so my TCP
is not vulnerable to any kind of spoofing action.
regards;
--
Justin P. Mattock
--