* network packet context
@ 2012-08-29 13:02 Ole Kliemann
2012-08-29 14:38 ` Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Ole Kliemann @ 2012-08-29 13:02 UTC (permalink / raw)
To: selinux
I have another one of those 'Is it normal?' questions.
To begin with my system does not label network packets in any
way, packets are not unlabeled_t, they just seem to be ignored by
LSM. There is no rule of the type 'allow X Y:packet { send recv }'
required, all domains can access the network.
When I introduce just a single iptables rule utilizing SECMARK, say
iptables -A INPUT -t security -i tun0 -j SECMARK system_u:object_r:sec_tun_t:s0
to label all packets coming in at tun0, then suddenly all traffic
on all devices gets labeled. Those which lack an iptables rule
get unlabeled_t. Suddenly all network is locked down and I need
'allow X Y:packet { send recv }' rules in the policy.
Ole
* Re: network packet context
From: Stephen Smalley @ 2012-08-29 14:38 UTC (permalink / raw)
To: Ole Kliemann; +Cc: selinux
On Wed, Aug 29, 2012 at 9:02 AM, Ole Kliemann <ole@plastictree.net> wrote:
> I have another one of those 'Is it normal?' questions.
>
> To begin with my system does not label network packets in any
> way, packets are not unlabeled_t, they just seem to be ignored by
> LSM. There is no rule of the type 'allow X Y:packet { send recv }'
> required, all domains can access the network.
>
> When I introduce just a single iptables rule utilizing SECMARK, say
>
> iptables -A INPUT -t security -i tun0 -j SECMARK system_u:object_r:sec_tun_t:s0
>
> to label all packets coming in at tun0, then suddenly all traffic
> on all devices gets labeled. Those which lack an iptables rule
> get unlabeled_t. Suddenly all network is locked down and I need
> 'allow X Y:packet { send recv }' rules in the policy.
>
> Ole
Yes, that is expected. The secmark packet checks are only applied if you
have defined at least one iptables secmark rule. The labeled
networking peer checks are similar; they are only applied if you
configure network labeling (NetLabel or labeled IPSEC). There was
recent discussion on list of whether this was desirable behavior (by
Chris PeBenito), and I think he has posted some patches to make this a
policy option as to whether or not the checks are always applied.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
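An added worked example, not code from either message: a small POSIX shell script that audits an `iptables -t security -S` dump for the behaviour Stephen describes (the packet checks switch on as soon as one SECMARK rule exists, and every packet without a matching rule is then checked as unlabeled_t), and emits the catch-all SECMARK rules plus the `allow X Y:packet { send recv }` policy lines that close the gap. The sample rule dump, the `default_pkt_t` type and the `sshd_t` domain are assumptions made for this example; `sec_tun_t` is the type from Ole's rule.

```shell
#!/bin/sh
# Added example, not from the thread: find built-in chains that lack a default
# SECMARK label and print the rules and policy needed to label their traffic.
# sec_tun_t comes from the thread; default_pkt_t and sshd_t are assumed names.

# Constructed sample of `iptables -t security -S` after adding only the single
# tun0 rule from the thread (hand-written here, not captured from a host).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -j SECMARK --selctx system_u:object_r:sec_tun_t:s0'

# secmark_in_use RULES: succeed if any SECMARK target is present. From that
# point on, packets that hit no SECMARK rule are checked as unlabeled_t.
secmark_in_use() {
    printf '%s\n' "$1" | grep -q -- '-j SECMARK'
}

# chains_missing_default RULES: print the built-in chains that have no
# catch-all SECMARK rule, i.e. no "-A CHAIN -j SECMARK" line without match
# options. Traffic through those chains that matches nothing else stays
# unlabeled_t and needs its own allow rules.
chains_missing_default() {
    rules=$1
    for chain in INPUT FORWARD OUTPUT; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-A $chain -j SECMARK"; then
            printf '%s\n' "$chain"
        fi
    done
}

# default_rules CTX CHAIN...: emit commands installing a catch-all label at
# position 1. SECMARK is a non-terminating target, so the default must come
# first; the more specific rules after it (the tun0 one) then override it.
default_rules() {
    ctx=$1; shift
    for chain in "$@"; do
        printf 'iptables -t security -I %s 1 -j SECMARK --selctx %s\n' "$chain" "$ctx"
    done
}

# packet_policy DOMAIN TYPE...: emit the TE allow rules Ole mentions, one per
# packet type, so DOMAIN may send and receive packets carrying that label.
packet_policy() {
    domain=$1; shift
    for type in "$@"; do
        printf 'allow %s %s:packet { send recv };\n' "$domain" "$type"
    done
}

# Walk-through on the constructed sample: report the gap, then print the fix.
if secmark_in_use "$SAMPLE_RULES"; then
    missing=$(chains_missing_default "$SAMPLE_RULES")
    echo "SECMARK active; chains without a default label: $(echo $missing)"
    default_rules system_u:object_r:default_pkt_t:s0 $missing
    packet_policy sshd_t default_pkt_t sec_tun_t
fi
```

Run it as-is to see the report on the constructed sample, or replace `SAMPLE_RULES` with the output of `iptables -t security -S` on a host where SECMARK is already configured. The generated policy lines belong in a local policy module; the type used for the default label (`default_pkt_t` here) must be declared there as well. On a real host the default rule is usually paired with CONNSECMARK so that replies inherit the connection's label; that part is left out of this example.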