Re: SELinux network labeling

[Paul Moore <paul@paul-moore.com>]

On Wednesday, March 13, 2013 05:29:47 PM Langland, Blake wrote:
> Great, thank you guys for the clarification. Unfortunately I can't explain
> too much more about our specific configuration, but I think I am headed
> down the correct path now with the netlabel/CIPSO peer labeling.

If you have any questions, or run into any problems, don't hesitate to ask.

> Just a general question about the CIPSO labeling: Is there anything that
> SELinux does to prevent an adversary from modifying the CIPSO label while
> on the wire? From what I can tell one would have to rely on other security
> measures like authentication/encryption to prevent this.

No, CIPSO is a labeling only protocol.  This has both its advantages as well 
as its disadvantages; one of the disadvantages is that if the network traffic 
is traversing an untrusted network you need to add an additional layer of 
protection, however, one of the advantages is that you don't need to add that 
extra layer if the network is trusted (imagine the loopback interface).

The good news is that CIPSO works just fine in conjunction with standard 
IPsec.  You can use AH and/or ESP depending on your security requirements and 
the CIPSO label (stored as an IP header option) will be protected.

> I guess this may be a benefit of IPSec peer labeling since it provides
> authentication and encryption in addition to network labeling.

Yes, that is one of the benefits of using labeled IPsec, although due to a 
lack of any standard specification for Linux's implementation of labeled IPsec 
you can only use labeled IPsec to with other Linux systems running labeled 
IPsec.  Special care also needs to be taken to ensure that the SELinux 
policies are the same (or at least have the same semantic meaning for a given 
security label) between the two labeled IPsec endpoints.

The combination of CIPSO and standard IPsec is compatible with Linux systems 
as well as other CIPSO aware/compliant systems such as Solaris TX.

Once again, there are more pros/cons between the two that you should consider 
when building your solution.

> The reason I ruled that out IPSec labeling is that we are using Openswan for
> IPSec and it is my understanding after talking with Josh Brindle that
> labeling is not supported in Openswan. Are there any plans to bring labeled
> associations to Openswan?

I haven't tested it lately but my understanding is that the version of 
Openswan shipped with RHEL6 supports labeled IPsec.  I am unsure about other 
distributions.

-- 
paul moore
www.paul-moore.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.