SELinux network labeling

SELinux network labeling

[Langland, Blake]

[-- Attachment #1: Type: text/plain, Size: 1171 bytes --]

Hello,

I am trying to set up a system using SELinux system that needs to have certain network traffic blocked based on the MLS label. Basically, there are two machines running SELinux (call them A and B). Both machines have two processes, say A1 and B1 are at sensitivity s0, and A2 and B2 are at s1. I want to let process A1 talk to B1, and A2 talk to B2, but block A1->B2, and A2->B1. Without using labeled IPsec, what systems for network labeling should I use? With the Netlabel fallback labels I am not able to specify the port. I currently am setting the label via secmark based on the source, destination, and port, and then running each process at the appropriate level, and also have the port labeled at the appropriate level. This is not blocking the traffic I want it to.

I have been reading Paul Moore's blogs about Secmark and network labeling and am a little bit confused about packet vs. peer labeling. Are both packet and peer labeling required? If both are, am I out of luck since Netlabel can not specify a port? If only packet labeling is required, what is causing the scheme explained above to not block traffic?

Thank you,
Blake Langland


[-- Attachment #2: Type: text/html, Size: 3075 bytes --]

Re: SELinux network labeling

[Paul Moore]

On Tue, Mar 12, 2013 at 4:55 PM, Langland, Blake
<blangland@integrity-apps.com> wrote:
> Hello,

Hello.

> I am trying to set up a system using SELinux system that needs to have
> certain network traffic blocked based on the MLS label. Basically, there are
> two machines running SELinux (call them A and B). Both machines have two
> processes, say A1 and B1 are at sensitivity s0, and A2 and B2 are at s1. I
> want to let process A1 talk to B1, and A2 talk to B2, but block A1->B2, and
> A2->B1. Without using labeled IPsec, what systems for network labeling
> should I use?

Based on what you have written I think you will be best served with a
network peer labeling protocol, SELinux supports two network peer
labeling protocols: labeled IPsec and NetLabel/CIPSO.  Since you have
ruled out labeled IPsec it looks like your best choice is
NetLabel/CIPSO.

> With the Netlabel fallback labels I am not able to specify the
> port.

Yes, the NetLabel fallback labels only have granularity to the host
level.  Although even if you could specify the port I don't think it
would work the way you want it to work; for example, how would you
handle the client applications and the ephemeral ports?  If you use a
peer labeling protocol, such as NetLabel/CIPSO, then the security
label is taken directly from the security label of the sending process
(really the sending socket, but that detail likely isn't important
here) so you don't have to worry about changing network addresses
and/or ports.

> I currently am setting the label via secmark based on the source,
> destination, and port, and then running each process at the appropriate
> level, and also have the port labeled at the appropriate level. This is not
> blocking the traffic I want it to.

You didn't provide any details about your configuration so we can only
guess as to why it is not working, however, I believe you are better
served by using NetLabel/CIPSO and not secmark.  Secmark, like the
NetLabel/fallback labels relies on information from the network
headers, not the sending process, to generate the security label, as a
result it can be easy to run afoul of changes in network configuration
and often doesn't represent clients very well due to the ephemeral
port problem.

To be clear, secmark does have its uses, I'm just not sure from what
you've described that it is the best solution for what you are trying
to accomplish.

> I have been reading Paul Moore’s blogs about Secmark and network labeling
> and am a little bit confused about packet vs. peer labeling.

The short version is this: network peer labels represent the security
label of the process (socket), e.g. s0, that originally generated the
network traffic, secmark/iptables (I'm guessing this is what you meant
by "packet labels") labels represent the network attributes, e.g.
destination port, of the network traffic.  Network peer labels help
you say "I only want Top Secret clients to connect to this Top Secret
server" whereas secmark labels help you say "I only want TCP port 80
packets to connect to this server".

> Are both packet and peer labeling required?

You can use neither approach, one, or both; it is up to you.

> If only packet labeling is required, what is causing the
> scheme explained above to not block traffic?

Once again, you didn't give us much to go on, but like I said I think
NetLabel/CIPSO is the better solution.

If you can share some more information, or at least provide a simple
demo/example case, we might be able to provide a more concrete example
solution for you.

-Paul

-- 
paul moore
www.paul-moore.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux network labeling

[Stephen Smalley]

On 03/12/2013 04:55 PM, Langland, Blake wrote:
> Hello,
>
> I am trying to set up a system using SELinux system that needs to have
> certain network traffic blocked based on the MLS label. Basically, there
> are two machines running SELinux (call them A and B). Both machines have
> two processes, say A1 and B1 are at sensitivity s0, and A2 and B2 are at
> s1. I want to let process A1 talk to B1, and A2 talk to B2, but block
> A1->B2, and A2->B1. Without using labeled IPsec, what systems for
> network labeling should I use? With the Netlabel fallback labels I am
> not able to specify the port. I currently am setting the label via
> secmark based on the source, destination, and port, and then running
> each process at the appropriate level, and also have the port labeled at
> the appropriate level. This is not blocking the traffic I want it to.
>
> I have been reading Paul Moore’s blogs about Secmark and network
> labeling and am a little bit confused about packet vs. peer labeling.
> Are both packet and peer labeling required? If both are, am I out of
> luck since Netlabel can not specify a port? If only packet labeling is
> required, what is causing the scheme explained above to not block traffic?

secmark/packet labeling: labels based on packet attributes that are only 
passed around locally within the network stack for local access control, 
similar to iptables rules.

netlabel or labeled ipsec / peer labeling: labels derived from sender 
security context that are propagated across the network with the packet 
and can be used on the remote end for end-to-end access control.

netlabel vs labeled ipsec:  netlabel only supports passing MLS labels 
via CIPSO, no user:role:type preservation.  labeled ipsec supports 
passing the entire security context, including user:role:type.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux network labeling

[Paul Moore]

On Wednesday, March 13, 2013 09:36:39 AM Stephen Smalley wrote:
> netlabel vs labeled ipsec:  netlabel only supports passing MLS labels
> via CIPSO, no user:role:type preservation.  labeled ipsec supports
> passing the entire security context, including user:role:type.

Just one quick comment, and a word of caution, that the differences between 
CIPSO and labeled IPsec are much greater than what is described above.

>From a SELinux policy perspective Stephen does touch on the main point: CIPSO 
labeled traffic will look like system_u:object_r:netlabel_peer_t:{MLS-LABEL} 
to SELinux regardless of the user:role:type of the sender (only the "MLS-
LABEL" information is passed over the wire) while labeled IPsec will pass the 
full context over the wire.  However, stepping back just the SELinux policy 
there are other differences between the two protocols that need to be 
considered when building a full solution.

-- 
paul moore
www.paul-moore.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SELinux network labeling

[Langland, Blake]

Great, thank you guys for the clarification. Unfortunately I can't explain too much more about our specific configuration, but I think I am headed down the correct path now with the netlabel/CIPSO peer labeling.

Just a general question about the CIPSO labeling: Is there anything that SELinux does to prevent an adversary from modifying the CIPSO label while on the wire? From what I can tell one would have to rely on other security measures like authentication/encryption to prevent this. I guess this may be a benefit of IPSec peer labeling since it provides authentication and encryption in addition to network labeling. The reason I ruled that out IPSec labeling is that we are using Openswan for IPSec and it is my understanding after talking with Josh Brindle that labeling is not supported in Openswan. Are there any plans to bring labeled associations to Openswan?

Blake Langland

-----Original Message-----
From: Paul Moore [mailto:paul@paul-moore.com] 
Sent: Wednesday, March 13, 2013 7:03 AM
To: Langland, Blake
Cc: Stephen Smalley; selinux@tycho.nsa.gov
Subject: Re: SELinux network labeling

On Wednesday, March 13, 2013 09:36:39 AM Stephen Smalley wrote:
> netlabel vs labeled ipsec:  netlabel only supports passing MLS labels 
> via CIPSO, no user:role:type preservation.  labeled ipsec supports 
> passing the entire security context, including user:role:type.

Just one quick comment, and a word of caution, that the differences between CIPSO and labeled IPsec are much greater than what is described above.

>From a SELinux policy perspective Stephen does touch on the main point: CIPSO labeled traffic will look like system_u:object_r:netlabel_peer_t:{MLS-LABEL}
to SELinux regardless of the user:role:type of the sender (only the "MLS- LABEL" information is passed over the wire) while labeled IPsec will pass the full context over the wire.  However, stepping back just the SELinux policy there are other differences between the two protocols that need to be considered when building a full solution.

--
paul moore
www.paul-moore.com



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux network labeling

[Stephen Smalley]

On 03/13/2013 01:29 PM, Langland, Blake wrote:
> Great, thank you guys for the clarification. Unfortunately I can't explain too much more about our specific configuration, but I think I am headed down the correct path now with the netlabel/CIPSO peer labeling.
>
> Just a general question about the CIPSO labeling: Is there anything that SELinux does to prevent an adversary from modifying the CIPSO label while on the wire? From what I can tell one would have to rely on other security measures like authentication/encryption to prevent this. I guess this may be a benefit of IPSec peer labeling since it provides authentication and encryption in addition to network labeling. The reason I ruled that out IPSec labeling is that we are using Openswan for IPSec and it is my understanding after talking with Josh Brindle that labeling is not supported in Openswan. Are there any plans to bring labeled associations to Openswan?

You can always use regular IPSEC to protect the packet (including its 
CIPSO label).  Labeled IPSEC is only required if you want to convey the 
entire security context to the peer.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux network labeling

[Paul Moore]

On Wednesday, March 13, 2013 05:29:47 PM Langland, Blake wrote:
> Great, thank you guys for the clarification. Unfortunately I can't explain
> too much more about our specific configuration, but I think I am headed
> down the correct path now with the netlabel/CIPSO peer labeling.

If you have any questions, or run into any problems, don't hesitate to ask.

> Just a general question about the CIPSO labeling: Is there anything that
> SELinux does to prevent an adversary from modifying the CIPSO label while
> on the wire? From what I can tell one would have to rely on other security
> measures like authentication/encryption to prevent this.

No, CIPSO is a labeling only protocol.  This has both its advantages as well 
as its disadvantages; one of the disadvantages is that if the network traffic 
is traversing an untrusted network you need to add an additional layer of 
protection, however, one of the advantages is that you don't need to add that 
extra layer if the network is trusted (imagine the loopback interface).

The good news is that CIPSO works just fine in conjunction with standard 
IPsec.  You can use AH and/or ESP depending on your security requirements and 
the CIPSO label (stored as an IP header option) will be protected.

> I guess this may be a benefit of IPSec peer labeling since it provides
> authentication and encryption in addition to network labeling.

Yes, that is one of the benefits of using labeled IPsec, although due to a 
lack of any standard specification for Linux's implementation of labeled IPsec 
you can only use labeled IPsec to with other Linux systems running labeled 
IPsec.  Special care also needs to be taken to ensure that the SELinux 
policies are the same (or at least have the same semantic meaning for a given 
security label) between the two labeled IPsec endpoints.

The combination of CIPSO and standard IPsec is compatible with Linux systems 
as well as other CIPSO aware/compliant systems such as Solaris TX.

Once again, there are more pros/cons between the two that you should consider 
when building your solution.

> The reason I ruled that out IPSec labeling is that we are using Openswan for
> IPSec and it is my understanding after talking with Josh Brindle that
> labeling is not supported in Openswan. Are there any plans to bring labeled
> associations to Openswan?

I haven't tested it lately but my understanding is that the version of 
Openswan shipped with RHEL6 supports labeled IPsec.  I am unsure about other 
distributions.

-- 
paul moore
www.paul-moore.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux network labeling

[Chad Hanson]

[-- Attachment #1: Type: text/plain, Size: 834 bytes --]

On Wed, Mar 13, 2013 at 1:55 PM, Paul Moore <paul@paul-moore.com> wrote:

> On Wednesday, March 13, 2013 05:29:47 PM Langland, Blake wrote:twork
> traffic
>
> > The reason I ruled that out IPSec labeling is that we are using Openswan
> for
> > IPSec and it is my understanding after talking with Josh Brindle that
> > labeling is not supported in Openswan. Are there any plans to bring
> labeled
> > associations to Openswan?
>
> I haven't tested it lately but my understanding is that the version of
> Openswan shipped with RHEL6 supports labeled IPsec.  I am unsure about
> other
> distributions.


Openswan supports labeling in RHEL 6, although it looks like there may have
been a policy issue which was probably resolved by RHEL 6.3 from looking at
this Red Hat Bugzilla report:
https://bugzilla.redhat.com/show_bug.cgi?id=748971

[-- Attachment #2: Type: text/html, Size: 1417 bytes --]

Re: SELinux network labeling

[Linda Knippers]

Chad Hanson wrote:
> 
> On Wed, Mar 13, 2013 at 1:55 PM, Paul Moore <paul@paul-moore.com
> <mailto:paul@paul-moore.com>> wrote:
> 
>     On Wednesday, March 13, 2013 05:29:47 PM Langland, Blake wrote:twork
>     traffic
> 
>     > The reason I ruled that out IPSec labeling is that we are using
>     Openswan for
>     > IPSec and it is my understanding after talking with Josh Brindle that
>     > labeling is not supported in Openswan. Are there any plans to
>     bring labeled
>     > associations to Openswan?
> 
>     I haven't tested it lately but my understanding is that the version of
>     Openswan shipped with RHEL6 supports labeled IPsec.  I am unsure
>     about other
>     distributions.
> 
> 
> Openswan supports labeling in RHEL 6, although it looks like there may
> have been a policy issue which was probably resolved by RHEL 6.3 from
> looking at this Red Hat Bugzilla report:
>  https://bugzilla.redhat.com/show_bug.cgi?id=748971

Openswan was used for labeled IPsec in the CC evaluation of RHEL6.2.  There were
a handful of bug fixes that landed in RHEL6.3. I don't recall that one
specifically but it doesn't surprise me.

-- ljk


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SELinux network labeling

[Langland, Blake]

Oh, great! Does any documentation exist on how to set up Openswan labeling? I was unable to find any.

-----Original Message-----
From: Linda Knippers [mailto:linda.knippers@hp.com] 
Sent: Thursday, March 14, 2013 8:25 AM
To: Chad Hanson
Cc: Paul Moore; Langland, Blake; Stephen Smalley; selinux@tycho.nsa.gov
Subject: Re: SELinux network labeling

Chad Hanson wrote:
> 
> On Wed, Mar 13, 2013 at 1:55 PM, Paul Moore <paul@paul-moore.com 
> <mailto:paul@paul-moore.com>> wrote:
> 
>     On Wednesday, March 13, 2013 05:29:47 PM Langland, Blake wrote:twork
>     traffic
> 
>     > The reason I ruled that out IPSec labeling is that we are using
>     Openswan for
>     > IPSec and it is my understanding after talking with Josh Brindle that
>     > labeling is not supported in Openswan. Are there any plans to
>     bring labeled
>     > associations to Openswan?
> 
>     I haven't tested it lately but my understanding is that the version of
>     Openswan shipped with RHEL6 supports labeled IPsec.  I am unsure
>     about other
>     distributions.
> 
> 
> Openswan supports labeling in RHEL 6, although it looks like there may 
> have been a policy issue which was probably resolved by RHEL 6.3 from 
> looking at this Red Hat Bugzilla report:
>  https://bugzilla.redhat.com/show_bug.cgi?id=748971

Openswan was used for labeled IPsec in the CC evaluation of RHEL6.2.  There were a handful of bug fixes that landed in RHEL6.3. I don't recall that one specifically but it doesn't surprise me.

-- ljk



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux network labeling

[Linda Knippers]

On 03/14/13 11:37, Langland, Blake wrote:
> Oh, great! Does any documentation exist on how to set up Openswan labeling? I was unable to find any.

Labeled networking makes me sad.  It would be so nice if this
page was updated:
http://selinuxproject.org/page/NB_Networking

The only documentation I know of is a few pages in the evaluated
configuration guide from the RHEL6.2 evaluation.  It's in the
"cc-eal4-config-rhel62" rpm from Red Hat.

Maybe someone else will have a better pointer for you.

-- ljk

> 
> -----Original Message-----
> From: Linda Knippers [mailto:linda.knippers@hp.com] 
> Sent: Thursday, March 14, 2013 8:25 AM
> To: Chad Hanson
> Cc: Paul Moore; Langland, Blake; Stephen Smalley; selinux@tycho.nsa.gov
> Subject: Re: SELinux network labeling
> 
> Chad Hanson wrote:
>>
>> On Wed, Mar 13, 2013 at 1:55 PM, Paul Moore <paul@paul-moore.com 
>> <mailto:paul@paul-moore.com>> wrote:
>>
>>     On Wednesday, March 13, 2013 05:29:47 PM Langland, Blake wrote:twork
>>     traffic
>>
>>     > The reason I ruled that out IPSec labeling is that we are using
>>     Openswan for
>>     > IPSec and it is my understanding after talking with Josh Brindle that
>>     > labeling is not supported in Openswan. Are there any plans to
>>     bring labeled
>>     > associations to Openswan?
>>
>>     I haven't tested it lately but my understanding is that the version of
>>     Openswan shipped with RHEL6 supports labeled IPsec.  I am unsure
>>     about other
>>     distributions.
>>
>>
>> Openswan supports labeling in RHEL 6, although it looks like there may 
>> have been a policy issue which was probably resolved by RHEL 6.3 from 
>> looking at this Red Hat Bugzilla report:
>>  https://bugzilla.redhat.com/show_bug.cgi?id=748971
> 
> Openswan was used for labeled IPsec in the CC evaluation of RHEL6.2.  There were a handful of bug fixes that landed in RHEL6.3. I don't recall that one specifically but it doesn't surprise me.
> 
> -- ljk
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux network labeling

[Richard Haines]

Regarding the: http://selinuxproject.org/page/NB_Networking
page. I generally update this when I publish the SELinux Notebook.

If there are any specific points you would like added or updated let me
know as try to keep up (but I didn't know openswan handled labeling until
today).

So if you (or anyone) sends me a list of pointers I'll have ago as time
permits - but not today or this week or ....

Richard

--- On Thu, 14/3/13, Linda Knippers <linda.knippers@hp.com> wrote:

> From: Linda Knippers <linda.knippers@hp.com>
> Subject: Re: SELinux network labeling
> To: "Langland, Blake" <blangland@integrity-apps.com>
> Cc: "Chad Hanson" <dahchanson@gmail.com>, "Paul Moore" <paul@paul-moore.com>, "Stephen Smalley" <sds@tycho.nsa.gov>, "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
> Date: Thursday, 14 March, 2013, 16:24
> On 03/14/13 11:37, Langland, Blake
> wrote:
> > Oh, great! Does any documentation exist on how to set
> up Openswan labeling? I was unable to find any.
> 
> Labeled networking makes me sad.  It would be so nice
> if this
> page was updated:
> http://selinuxproject.org/page/NB_Networking
> 
> The only documentation I know of is a few pages in the
> evaluated
> configuration guide from the RHEL6.2 evaluation.  It's
> in the
> "cc-eal4-config-rhel62" rpm from Red Hat.
> 
> Maybe someone else will have a better pointer for you.
> 
> -- ljk
> 
> > 
> > -----Original Message-----
> > From: Linda Knippers [mailto:linda.knippers@hp.com]
> 
> > Sent: Thursday, March 14, 2013 8:25 AM
> > To: Chad Hanson
> > Cc: Paul Moore; Langland, Blake; Stephen Smalley; selinux@tycho.nsa.gov
> > Subject: Re: SELinux network labeling
> > 
> > Chad Hanson wrote:
> >>
> >> On Wed, Mar 13, 2013 at 1:55 PM, Paul Moore <paul@paul-moore.com
> 
> >> <mailto:paul@paul-moore.com>>
> wrote:
> >>
> >>     On Wednesday, March 13,
> 2013 05:29:47 PM Langland, Blake wrote:twork
> >>     traffic
> >>
> >>     > The reason I ruled
> that out IPSec labeling is that we are using
> >>     Openswan for
> >>     > IPSec and it is my
> understanding after talking with Josh Brindle that
> >>     > labeling is not
> supported in Openswan. Are there any plans to
> >>     bring labeled
> >>     > associations to
> Openswan?
> >>
> >>     I haven't tested it lately
> but my understanding is that the version of
> >>     Openswan shipped with RHEL6
> supports labeled IPsec.  I am unsure
> >>     about other
> >>     distributions.
> >>
> >>
> >> Openswan supports labeling in RHEL 6, although it
> looks like there may 
> >> have been a policy issue which was probably
> resolved by RHEL 6.3 from 
> >> looking at this Red Hat Bugzilla report:
> >>  https://bugzilla.redhat.com/show_bug.cgi?id=748971
> > 
> > Openswan was used for labeled IPsec in the CC
> evaluation of RHEL6.2.  There were a handful of bug
> fixes that landed in RHEL6.3. I don't recall that one
> specifically but it doesn't surprise me.
> > 
> > -- ljk
> > 
> > 
> > 
> > --
> > This message was distributed to subscribers of the
> selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> > the words "unsubscribe selinux" without quotes as the
> message.
> > 
> 
> 
> --
> This message was distributed to subscribers of the selinux
> mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the
> message.
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.