* SELinux with IPSec - something going on ?
@ 2003-11-16 15:42 Rusinsky Stanislas Herman W. A.
  2003-11-17 14:37 ` Stephen Smalley
  0 siblings, 1 reply; 27+ messages in thread
From: Rusinsky Stanislas Herman W. A. @ 2003-11-16 15:42 UTC (permalink / raw)
  To: SELinux ML

Hello,

After taking a look at the NSA site I wondered if any work has been done
to integrate IPSec with SELinux.

Is there any draft or specification on what has to be done exactly?

Stanislas.


-- 
One world, One web, One program -- Microsoft ad
Ein volk, Ein Reich, Ein Fuhrer -- Adolf Hitler


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux with IPSec - something going on ?
@ 2003-11-17 11:58 Sead Muftic
  0 siblings, 0 replies; 27+ messages in thread
From: Sead Muftic @ 2003-11-17 11:58 UTC (permalink / raw)
  To: rusinskystanislas, SELinux ML

Stanislas:

We (in the Computer Security Institute of GWU) have activated the labeling
option of IPSec and used it with SELinux at the receiving end for RBAC.
We also worked out all necessary PT specifications, so we have the first
operational version of a network security system based on a combination
of IPSec + SELinux.

We are currently making the second round through this development in order
to make it easily installable.

Regards,

Sead Muftic
Research Director
CSPRI/GWU

------------------------------------------------------------------------

>after taking a look at the NSA site I wondered if any work has been made
>to integrate IPSec with SELinux.
>
>Is there any draft or specification on what has to be done exactly?



* Re: SELinux with IPSec - something going on ?
  2003-11-16 15:42 Rusinsky Stanislas Herman W. A.
@ 2003-11-17 14:37 ` Stephen Smalley
  2003-11-19 10:36   ` Rusinsky Stanislas Herman W. A.
  0 siblings, 1 reply; 27+ messages in thread
From: Stephen Smalley @ 2003-11-17 14:37 UTC (permalink / raw)
  To: rusinskystanislas; +Cc: SELinux ML

On Sun, 2003-11-16 at 10:42, Rusinsky Stanislas Herman W. A. wrote:
> Hello,
> 
> after taking a look at the NSA site I wondered if any work has been made
> to integrate IPSec with SELinux.
> 
> Is there any draft or specification on what has to be done exactly?

Integration of IPSEC with Flask (a research prototype that preceded
SELinux) is described in
http://www.cs.utah.edu/flux/papers/ajay-thesis-abs.html.

We have not done any work on integrating SELinux with IPSEC yet; at this
point, such work would presumably be done based on the new Linux 2.6
IPSEC implementation.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: SELinux with IPSec - something going on ?
  2003-11-17 14:37 ` Stephen Smalley
@ 2003-11-19 10:36   ` Rusinsky Stanislas Herman W. A.
  0 siblings, 0 replies; 27+ messages in thread
From: Rusinsky Stanislas Herman W. A. @ 2003-11-19 10:36 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux ML


Hello,

Thank you for your advice, I'll see if there is something I can do with
it.

regards,

Stanislas.

> Integration of IPSEC with Flask (a research prototype that preceded
> SELinux) is described in
> http://www.cs.utah.edu/flux/papers/ajay-thesis-abs.html.
> 
> We have not done any work on integrating SELinux with IPSEC yet; at this
> point, such work would presumably be done based on the new Linux 2.6
> IPSEC implementation.
-- 
###########################################

The truth is rarely pure, and never simple.
        -- Oscar Wilde

###########################################


* Re: SELinux with IPSec - something going on ?
@ 2004-10-24  9:30 Park Lee
  2004-10-24 14:53 ` Luke Kenneth Casson Leighton
  2004-10-25 15:51 ` petre rodan
  0 siblings, 2 replies; 27+ messages in thread
From: Park Lee @ 2004-10-24  9:30 UTC (permalink / raw)
  To: sds; +Cc: SELinux, rusinskystanislas


On 2003-11-17 at 14:37 Stephen Smalley wrote:
 
>We have not done any work on integrating SELinux with IPSEC yet;
>at this point, such work would presumably be done based on the new
>Linux 2.6 IPSEC implementation.
 
Now, 11 months have passed; has any work been done to integrate IPSec with SELinux?
I also want to see if there is something I can do with it.
 
Thanks.


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






		

* Re: SELinux with IPSec - something going on ?
  2004-10-24  9:30 Park Lee
@ 2004-10-24 14:53 ` Luke Kenneth Casson Leighton
  2004-10-25 15:51 ` petre rodan
  1 sibling, 0 replies; 27+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-24 14:53 UTC (permalink / raw)
  To: Park Lee; +Cc: sds, SELinux, rusinskystanislas

Someone from IBM mentioned a few weeks back that they have been working
on IPsec.

On Sun, Oct 24, 2004 at 02:30:14AM -0700, Park Lee wrote:
> On 2003-11-17 at 14:37 Stephen Smalley wrote:
>  
> >We have not done any work on integrating SELinux with IPSEC yet;
> >at this point, such work would presumably be done based on the new
> >Linux 2.6 IPSEC implementation.
>  
> Now, 11 months have passed, has any work been made to integrate IPSec with SELinux?
> I also want to see if there is something I can do with it.
>  
> Thanks.


* Re: SELinux with IPSec - something going on ?
@ 2004-10-25 10:10 Stanislas Rusinsky
  2004-10-25 14:59 ` Trent Jaeger
  0 siblings, 1 reply; 27+ messages in thread
From: Stanislas Rusinsky @ 2004-10-25 10:10 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: SELinux ml, Stephen Smalley, Park Lee

I had to postpone my work so I ain't done much since
last year. At all events it is still on my 'wish
list'.

Stephen: in your mail to Alexis Wagner (subject: 'Re: network object',
12 Aug 2004) you say there was a debate on implicit labeling vs. explicit
labeling; has there been any conclusion to it?

Luke: The person at IBM was Trent Jaeger.

Stanislas.


	

	
		

* Re: SELinux with IPSec - something going on ?
  2004-10-25 10:10 Stanislas Rusinsky
@ 2004-10-25 14:59 ` Trent Jaeger
  0 siblings, 0 replies; 27+ messages in thread
From: Trent Jaeger @ 2004-10-25 14:59 UTC (permalink / raw)
  To: Stanislas Rusinsky
  Cc: Luke Kenneth Casson Leighton, owner-selinux, Park Lee,
	Stephen Smalley, SELinux ml


Hi,

Yes, we are working on integration of IPSec with SELinux.  Hope to have 
something for the community soon.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225





* Re: SELinux with IPSec - something going on ?
  2004-10-24  9:30 Park Lee
  2004-10-24 14:53 ` Luke Kenneth Casson Leighton
@ 2004-10-25 15:51 ` petre rodan
  2004-10-25 15:55   ` Stephen Smalley
  1 sibling, 1 reply; 27+ messages in thread
From: petre rodan @ 2004-10-25 15:51 UTC (permalink / raw)
  To: Park Lee; +Cc: sds, SELinux, rusinskystanislas




Hi,

Here is a fresh ipsec-tools [1] policy made for Gentoo.
It works flawlessly with my setup [2] (the doc is work in progress).

[1] http://ipsec-tools.sourceforge.net/
[2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-howto.html

is this usable for any of you?

bye,
peter

Park Lee wrote:
> On 2003-11-17 at 14:37 Stephen Smalley wrote:
>  
>  >We have not done any work on integrating SELinux with IPSEC yet;
>  >at this point, such work would presumably be done based on the new
>  >Linux 2.6 IPSEC implementation.
>  
> Now, 11 months have passed, has any work been made to integrate IPSec 
> with SELinux?
> I also want to see if there is something I can do with it.
>  
> Thanks.
> 

--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

[-- Attachment #1.2: racoon.fc --]


# racoon.fc: path regex, object type flag (-- regular file, -s socket,
# none = any object), security context to apply
/etc/ipsec\.conf	--	system_u:object_r:setkey_conf_file_t
/etc/racoon(/.*)?		system_u:object_r:racoon_conf_file_t
/etc/racoon/certs(/.*)?		system_u:object_r:racoon_key_file_t
/etc/racoon/psk\.txt	--	system_u:object_r:racoon_key_file_t

/usr/sbin/racoon	--	system_u:object_r:racoon_exec_t
/usr/sbin/setkey	--	system_u:object_r:setkey_exec_t

/var/run/pluto\.ctl	-s	system_u:object_r:racoon_var_run_t
/var/run/racoon\.pid	--	system_u:object_r:racoon_var_run_t

[-- Attachment #1.3: racoon.te --]

#DESC ipsec-tools
#
# Author: petre rodan <kaiowas@gentoo.org>


# racoon_t: the IKE daemon domain; privlog lets it talk to syslog
daemon_base_domain(racoon, `, privlog')

type racoon_conf_file_t, file_type, sysadmfile;
type racoon_key_file_t, file_type, sysadmfile;

var_run_domain(racoon)
read_locale(racoon_t)
can_network(racoon_t)

# net_admin for the PF_KEY socket (SA/SP database), net_bind_service for
# the privileged IKE port (UDP 500)
allow racoon_t self:capability { net_admin net_bind_service };

# configuration and key material are read-only for the daemon
r_dir_file(racoon_t, racoon_conf_file_t)
r_dir_file(racoon_t, racoon_key_file_t)


daemon_domain(setkey)

type setkey_conf_file_t, file_type, sysadmfile;


# permissions shared by every setkey domain ($1_t)
define(`setkey_domain', `

uses_shlib($1_t)
read_locale($1_t)

# net_admin is required to manipulate the SPD/SAD over PF_KEY
allow $1_t self:capability { net_admin };
allow $1_t setkey_conf_file_t:file r_file_perms;

') dnl end setkey_domain


define(`setkey_userdomain', `

# derived domain based on the calling user domain
type $1_setkey_t, domain;

domain_auto_trans($1_t, setkey_exec_t, $1_setkey_t)
role $1_r types $1_setkey_t;

setkey_domain($1_setkey)

# this is why there is a setkey_userdomain :)
allow $1_setkey_t { $1_tty_device_t $1_devpts_t }:chr_file { getattr read write };
allow $1_setkey_t privfd:fd use;
') dnl end setkey_userdomain


# one for initrc
setkey_domain(setkey)

# and one for sysadm
setkey_userdomain(sysadm)


* Re: SELinux with IPSec - something going on ?
  2004-10-25 15:51 ` petre rodan
@ 2004-10-25 15:55   ` Stephen Smalley
  0 siblings, 0 replies; 27+ messages in thread
From: Stephen Smalley @ 2004-10-25 15:55 UTC (permalink / raw)
  To: petre rodan; +Cc: Park Lee, SELinux, rusinskystanislas

On Mon, 2004-10-25 at 11:51, petre rodan wrote:
> Hi,
> 
> here is a fresh ipsec-tools [1] policy made for gentoo.
> works flawlessly with my setup [2] (the doc is work in progress).
> 
> [1] http://ipsec-tools.sourceforge.net/
> [2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-howto.html
> 
> is this usable for any of you?

Thanks for making it available.  However, just to clarify, the original
question had to do with integration of SELinux and IPSEC for the purpose
of labeling and protecting network packets in accordance with security
policy, as was done in research predecessors of SELinux (Flask and
DTOS).  Trent is doing work in that area, as he noted.  That is
independent of providing policy for IPSEC userland components (which is
also certainly useful).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: SELinux with IPSec - something going on ?
@ 2004-10-26 15:04 Philip Leo
  2004-10-26 15:23 ` Trent Jaeger
  0 siblings, 1 reply; 27+ messages in thread
From: Philip Leo @ 2004-10-26 15:04 UTC (permalink / raw)
  To: jaegert; +Cc: SELinux, sds, lkcl, rusinskystanislas, parklee_sel


On Mon, 25 Oct 2004 at 10:59, Trent Jaeger wrote:
>Yes, we are working on integration of IPSec with SELinux.  Hope
>to have something for the community soon. 

Could you please tell us what Linux IPsec implementation you are using? Is it FreeS/WAN?
Does Fedora Core itself include an IPsec implementation, or does it use a third-party Linux IPsec implementation?


--
Best regards,
Philip Leo  <phlpleo@yahoo.com> 



				

* Re: SELinux with IPSec - something going on ?
  2004-10-26 15:04 Philip Leo
@ 2004-10-26 15:23 ` Trent Jaeger
  0 siblings, 0 replies; 27+ messages in thread
From: Trent Jaeger @ 2004-10-26 15:23 UTC (permalink / raw)
  To: Philip Leo; +Cc: lkcl, parklee_sel, rusinskystanislas, sds, SELinux


Sure.

Linux 2.6 implements IPSec via an xfrm (pronounced 'transform') subsystem 
(part of the mainline kernel).

Basically, you can define 'protocols' that may transform packets upon 
receipt or prior to send.  IPSec protocols for transforming packets using AH 
and ESP are included in the kernel. 

We hook into the xfrm subsystem and/or use the xfrm data structures to 
leverage IPSec security associations.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225





* Re: SELinux with IPSec - something going on ?
@ 2004-10-26 17:35 Park Lee
  2004-10-26 18:01 ` Trent Jaeger
  0 siblings, 1 reply; 27+ messages in thread
From: Park Lee @ 2004-10-26 17:35 UTC (permalink / raw)
  To: jaegert; +Cc: SELinux


Hi Trent,
 
As far as I know, FreeS/WAN is no longer in active development. 
How about transferring to Openswan? Is it feasible?
 
Thanks,
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






		

* Re: SELinux with IPSec - something going on ?
  2004-10-26 17:35 Park Lee
@ 2004-10-26 18:01 ` Trent Jaeger
  2004-10-28 16:40   ` Park Lee
  0 siblings, 1 reply; 27+ messages in thread
From: Trent Jaeger @ 2004-10-26 18:01 UTC (permalink / raw)
  To: Park Lee; +Cc: SELinux


As Openswan 2 uses the native IPSec implementation of the Linux kernel 
(although it can use others), my impression is that using Openswan should 
also be feasible.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225





* Re: SELinux with IPSec - something going on ?
@ 2004-10-27  5:40 Philip Leo
  0 siblings, 0 replies; 27+ messages in thread
From: Philip Leo @ 2004-10-27  5:40 UTC (permalink / raw)
  To: jaegert; +Cc: SELinux


On Tue, 26 Oct 2004 at 14:01, Trent Jaeger wrote:
 
>As Openswan 2 uses the native IPSec implementation of the Linux
>kernel (although it can use others), my impression is that using 
>Openswan should also be feasible. 

Since there is already a native IPSec implementation in the Linux kernel, can we use it directly? Why should we still use other Linux IPsec implementations such as Openswan, FreeS/WAN, etc.?
 
Thanks



--
Best regards,
Philip Leo  <phlpleo@yahoo.com> 



		

* Re: SELinux with IPSec - something going on ?
  2004-10-26 18:01 ` Trent Jaeger
@ 2004-10-28 16:40   ` Park Lee
  2004-10-28 16:48     ` Trent Jaeger
  0 siblings, 1 reply; 27+ messages in thread
From: Park Lee @ 2004-10-28 16:40 UTC (permalink / raw)
  To: jaegert; +Cc: SELinux


Hi Trent,
 
on Tue, 26 Oct 2004 at 14:01, you wrote:
>As Openswan 2 uses the native IPSec implementation of the Linux 
>kernel (although it can use others), my impression is that using 
>Openswan should also be feasible. 


In addition to Openswan, there are other IPsec userland tools such as IPsec-Tools. Then, if we use the native IPsec implementation of the Linux kernel plus IPsec-Tools, do you think it is feasible too?
 
Thanks again.
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 







* Re: SELinux with IPSec - something going on ?
  2004-10-28 16:40   ` Park Lee
@ 2004-10-28 16:48     ` Trent Jaeger
  0 siblings, 0 replies; 27+ messages in thread
From: Trent Jaeger @ 2004-10-28 16:48 UTC (permalink / raw)
  To: Park Lee; +Cc: SELinux


We use IPSec Tools -- right now, some modest changes in userland tools 
indicate the sid of the security association.  Maybe this can be done 
another way, like relabeling files, so perhaps no userland changes are 
necessary at all.  Different userland tools should not be a big deal.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225





* Re: SELinux with IPSec - something going on ?
@ 2004-11-05  9:04 Park Lee
  2004-11-05 19:24 ` Trent Jaeger
  0 siblings, 1 reply; 27+ messages in thread
From: Park Lee @ 2004-11-05  9:04 UTC (permalink / raw)
  To: selinux, jaegert


Hi,
 
I also intend to do some work on integrating IPSEC with network mandatory controls. I'd like to know how many parts this work may include, what these parts respectively are, and what the workload for doing it would be.
 
Thanks.


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 







* Re: SELinux with IPSec - something going on ?
  2004-11-05  9:04 Park Lee
@ 2004-11-05 19:24 ` Trent Jaeger
  0 siblings, 0 replies; 27+ messages in thread
From: Trent Jaeger @ 2004-11-05 19:24 UTC (permalink / raw)
  To: Park Lee; +Cc: selinux


Hi,

There are kernel and user-space parts, and the user-space parts may differ 
depending on the infrastructure (we use ipsec-tools). 

We have submitted some kernel network control integrated with SELinux to 
Stephen and James Morris, and we are addressing comments.  Plan to revise 
soon -- then we can discuss further work.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225





* Re: SELinux with IPSec - something going on ?
@ 2004-11-07 18:33 Park Lee
  2004-11-08 14:55 ` Trent Jaeger
  2004-11-08 15:03 ` Trent Jaeger
  0 siblings, 2 replies; 27+ messages in thread
From: Park Lee @ 2004-11-07 18:33 UTC (permalink / raw)
  To: jaegert; +Cc: jmorris, SELinux


On Tue, 26 Oct 2004 at 11:23, Trent Jaeger wrote:
>Linux 2.6 implements IPSec via a xfrm (pronounced 'transform') 
>subsystem (part of mainline kernel). 
>Basically, you can define 'protocols' that may transform packets upon 
>receipt or prior to send.  IPSec protocols for transform packets using 
>ah and esp are included in the kernel.   
>We hook into the xfrm subsystem and/or use the xfrm data structures 
>to leverage IPSec security associations.
 
I've searched for 'xfrm' through Google, but I couldn't find much useful stuff about xfrm. Would you please give me some hints on where I can find more information about xfrm (such as the descriptions of structures or functions of xfrm, its principles, etc.)?
 
Thank you very much.
 


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 






			

* Re: SELinux with IPSec - something going on ?
  2004-11-07 18:33 Park Lee
@ 2004-11-08 14:55 ` Trent Jaeger
  2004-11-08 15:03 ` Trent Jaeger
  1 sibling, 0 replies; 27+ messages in thread
From: Trent Jaeger @ 2004-11-08 14:55 UTC (permalink / raw)
  To: Park Lee; +Cc: jmorris, owner-selinux, SELinux


Hi,

The xfrm code is based on the USAGI work: http://www.linux-ipv6.org/

Here is a paper on the work: 
http://hiroshi1.hongo.wide.ad.jp/hiroshi/papers/SAINT2004_kanda-ipsec.pdf

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225





* Re: SELinux with IPSec - something going on ?
  2004-11-07 18:33 Park Lee
  2004-11-08 14:55 ` Trent Jaeger
@ 2004-11-08 15:03 ` Trent Jaeger
  1 sibling, 0 replies; 27+ messages in thread
From: Trent Jaeger @ 2004-11-08 15:03 UTC (permalink / raw)
  To: Park Lee; +Cc: jmorris, owner-selinux, SELinux


Also this paper from the Linux Symposium: 
http://www.finux.org/Reprints/Reprint-Miyazawa-OLS2004.pdf
Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225





* Re: SELinux with IPSec - something going on ?
@ 2004-11-11  2:45 Park Lee
  2004-11-11  3:00 ` Trent Jaeger
  0 siblings, 1 reply; 27+ messages in thread
From: Park Lee @ 2004-11-11  2:45 UTC (permalink / raw)
  To: jaegert; +Cc: sds, SELinux


On  Tue, 26 Oct 2004 at 11:23, Trent Jaeger wrote:
> We hook into the xfrm subsystem and/or use the xfrm data 
> structures to leverage IPSec security associations.
 
Then, what items should we add to the IPsec security association? Is it still the (source socket security context, destination socket security context, packet security context) tuple as described in IMPLEMENTING MANDATORY NETWORK SECURITY IN A POLICY-FLEXIBLE SYSTEM (http://www.cs.utah.edu/flux/papers/ajay-thesis-abs.html)?
 
Thank you.


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 

* Re: SELinux with IPSec - something going on ?
  2004-11-11  2:45 Park Lee
@ 2004-11-11  3:00 ` Trent Jaeger
  2004-11-11  4:13   ` Park Lee
  0 siblings, 1 reply; 27+ messages in thread
From: Trent Jaeger @ 2004-11-11  3:00 UTC (permalink / raw)
  To: Park Lee; +Cc: sds, SELinux

Hi,

Yes, this is the same idea.

We add the packet security context to the xfrm_state structure (sa) and 
authorize the socket's ability to send/receive these contexts to achieve 
the tuple.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225
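Trent Jaeger's description above, as an added conceptual model in Python (not kernel code and not the IBM implementation): the packet security context is held on the SA (xfrm_state), and the (source socket, destination socket, packet) tuple is enforced as a sendto check at the sender plus a recvfrom check at the receiver, with only the SPI crossing the wire. The context names, the allow table and the SAD entries are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class XfrmState:
    """Hypothetical model of one IPsec SA (the kernel's xfrm_state): the
    packet security context is stored here, not in the packet on the wire."""
    spi: int
    dst: str
    packet_ctx: str


# Constructed allow table in the spirit of an SELinux AVC:
# (socket context, packet context) -> permissions granted on that pairing.
# user_t deliberately has no entry for admin_packet_t.
ALLOW = {
    ("system_u:system_r:httpd_t", "web_packet_t"): {"sendto", "recvfrom"},
    ("user_u:user_r:user_t", "web_packet_t"): {"sendto", "recvfrom"},
    ("system_u:system_r:sshd_t", "admin_packet_t"): {"sendto", "recvfrom"},
}

# Constructed SAD, held by both peers after IKE negotiation.
SAD = [
    XfrmState(spi=0x1001, dst="192.0.2.10", packet_ctx="web_packet_t"),
    XfrmState(spi=0x1002, dst="192.0.2.20", packet_ctx="admin_packet_t"),
]


def allowed(socket_ctx: str, packet_ctx: str, perm: str) -> bool:
    return perm in ALLOW.get((socket_ctx, packet_ctx), set())


def transfer(sad, src_sock_ctx, dst, dst_sock_ctx):
    """Send one packet from a socket labelled src_sock_ctx to host dst, where it
    is delivered to a socket labelled dst_sock_ctx.  Returns 'delivered' or the
    point at which the transfer was refused."""
    # Outbound: the SA selected for dst supplies the packet label, so the
    # sender decides from (source socket ctx, packet ctx) alone.
    sa = next((s for s in sad if s.dst == dst), None)
    if sa is None:
        return "denied: no SA for destination"
    if not allowed(src_sock_ctx, sa.packet_ctx, "sendto"):
        return "denied at sender"
    # Only the SPI crosses the network; the receiver recovers the label from
    # its own copy of the SA and decides from (dest socket ctx, packet ctx).
    inbound = next(s for s in sad if s.spi == sa.spi)
    if not allowed(dst_sock_ctx, inbound.packet_ctx, "recvfrom"):
        return "denied at receiver"
    return "delivered"
```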

* Re: SELinux with IPSec - something going on ?
  2004-11-11  3:00 ` Trent Jaeger
@ 2004-11-11  4:13   ` Park Lee
  0 siblings, 0 replies; 27+ messages in thread
From: Park Lee @ 2004-11-11  4:13 UTC (permalink / raw)
  To: Trent Jaeger; +Cc: sds, SELinux

On Wed, 10 Nov 2004 at 22:00, Trent Jaeger wrote:
> Yes, this is the same idea. 
>
> We add the packet security context to the xfrm_state structure 
> (sa) and authorize the socket's ability to send/receive these 
> contexts to achieve the tuple. 

Thanks.
Do you only add the packet security context to the SA? 
 
But on Tue, 09 Nov 2004 at 10:39, Mr. Stephen Smalley <sds@epoch.ncsc.mil> wrote in the letter "Re: Issue on getting security context of socket and message":
>  Remember that most of the LSM networking security fields and 
> hooks were rejected by the mainline kernel, so only limited
> support exists in the current SELinux and there is no message 
> labeling at all.
 
Then, does SELinux now really support the packet security context for packets?
If it does, where could we store the packet security context when it is associated with a packet? In the packet itself?
And, as for the (source socket security context, destination socket security context, packet security context) tuple, we can obtain the security context of a socket via the security field of its associated inode, but how can we decide on the destination socket security context and the packet security context?
 
Thanks a lot,


--
Best Regards,
Park Lee <parklee_sel@yahoo.com> 
 

* Re: SELinux with IPSec - something going on ?
@ 2005-01-12 17:02 Park Lee
  2005-01-12 19:13 ` petre rodan
  0 siblings, 1 reply; 27+ messages in thread
From: Park Lee @ 2005-01-12 17:02 UTC (permalink / raw)
  To: petre rodan; +Cc: SELinux

On 2004-10-25 at 15:51, petre rodan wrote:
> Hi,
> here is a fresh ipsec-tools [1] policy made for 
> gentoo. works flawlessly with my setup [2] (the doc 
> is work in progress).
> 
> [1] http://ipsec-tools.sourceforge.net/
> [2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-
> howto.html
>
> is this usable for any of you?

In racoon.fc, you wrote:

  ... ...
/var/run/pluto\.ctl	-s	system_u:object_r:racoon_var_run_t
  ... ...

But, when we use IPsec-Tools, it seems that there is
no such file (i.e. /var/run/pluto.ctl). Then, why
should we write this rule for it?

Thank you.





=====
Best Regards,
Park Lee


* Re: SELinux with IPSec - something going on ?
  2005-01-12 17:02 SELinux with IPSec - something going on ? Park Lee
@ 2005-01-12 19:13 ` petre rodan
  0 siblings, 0 replies; 27+ messages in thread
From: petre rodan @ 2005-01-12 19:13 UTC (permalink / raw)
  To: Park Lee; +Cc: SELinux


Hi,

Park Lee wrote:
> On 2004-10-25 at 15:51, petre rodan wrote:
>
>>Hi,
>>here is a fresh ipsec-tools [1] policy made for
>>gentoo. works flawlessly with my setup [2] (the doc
>>is work in progress).
>>
>>[1] http://ipsec-tools.sourceforge.net/
>>[2] http://dev.gentoo.org/~kaiowas/doc/wifi_ipsec-
>>howto.html
>>
>>is this usable for any of you?
>
>
> In racoon.fc, you wrote:
>
>   ... ...
> /var/run/pluto\.ctl	-s	system_u:object_r:racoon_var_run_t
>   ... ...
>
> But, when we use IPsec-Tools, it seems that there is
> no such file (i.e. /var/run/pluto.ctl). Then, why
> should we write this rule for it?

You are correct, that rule should be removed.
It's a leftover from the prior implementation.

thanks,
peter

--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
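The exchange above, about a file_contexts rule for a path that ipsec-tools never creates, is the kind of leftover a stale-entry check catches before a policy ships. The following is an added Python example, not part of the thread or of the Gentoo racoon policy: it parses file_contexts lines (regex, optional type flag such as the `-s` socket flag, context) the way setfiles does, anchoring each regex to the whole path, and reports entries that match nothing on the host. The sample policy text and the inventory of present paths are constructed; only the pluto.ctl line and the racoon_var_run_t type come from the thread.

```python
import re

# File-type flags accepted in file_contexts entries (setfiles conventions).
TYPE_FLAGS = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
              "-s": "sock", "-l": "lnk", "-p": "fifo"}

# Constructed sample in racoon.fc style: only the pluto.ctl entry and the
# racoon_var_run_t type come from the thread; the other names are made up.
RACOON_FC = r"""
/usr/sbin/racoon		--	system_u:object_r:racoon_exec_t
/etc/racoon(/.*)?		system_u:object_r:racoon_etc_t
/var/run/racoon\.sock	-s	system_u:object_r:racoon_var_run_t
/var/run/pluto\.ctl	-s	system_u:object_r:racoon_var_run_t
"""

# Constructed inventory of what actually exists on the host: (path, type).
PRESENT = [
    ("/usr/sbin/racoon", "file"),
    ("/etc/racoon", "dir"),
    ("/etc/racoon/racoon.conf", "file"),
    ("/var/run/racoon.sock", "sock"),
]

def parse_fc(text):
    """Parse file_contexts lines into (regex, compiled, type_or_None, context)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields")
        regex, ctx = fields[0], fields[-1]
        ftype = TYPE_FLAGS[fields[1]] if len(fields) == 3 else None  # KeyError on unknown flag
        # setfiles anchors every regex to the whole path
        entries.append((regex, re.compile("^" + regex + "$"), ftype, ctx))
    return entries

def stale_entries(fc_text, present):
    """Return regexes matching no (path, type) on the host, such as the
    pluto.ctl leftover discussed above."""
    stale = []
    for regex, pat, ftype, _ctx in parse_fc(fc_text):
        if not any(pat.match(p) and ftype in (None, t) for p, t in present):
            stale.append(regex)
    return stale
```

A regular file at /var/run/pluto.ctl would still leave the `-s` entry stale, since the type flag must match as well as the path.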

