From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <46D57D0B.3020005@manicmethod.com> Date: Wed, 29 Aug 2007 10:04:59 -0400 From: Joshua Brindle MIME-Version: 1.0 To: Joe Nall CC: Paul Moore , Darrel Goeddel , Venkat Yekkirala , selinux@tycho.nsa.gov, James Morris , Darrel Goeddel , Stephen Smalley , kaigai@ak.jp.nec.com, Eric Paris Subject: Re: [RFC 0/5] Static/fallback external labels for NetLabel References: <200708281151.07120.paul.moore@hp.com> <4C3962FB-2689-420B-B3E8-F07AF2A48255@nall.com> <200708281451.53650.paul.moore@hp.com> <46D47C1E.9080307@manicmethod.com> <6F2B62D9-0D4D-4F22-8659-317E9EF65743@nall.com> <46D4BAE1.8010805@manicmethod.com> <46D4EBEA.509@manicmethod.com> <46D4F1E2.4050503@manicmethod.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov Joe Nall wrote: > > On Aug 28, 2007, at 11:11 PM, Joshua Brindle wrote: >>> >>> the more I think about this the less it matters. Doing labeling >>> based on node is really the exact same thing as labeling based on >>> interface aliases. >>> >>> node 192.168.1.1/24 = net_foo_t >>> node 192.168.2.1/24 = net_bar_t >>> >>> or >>> >>> eth0:1 (which is 192.168.1.1 with /24 netmask) = net_foo_t >>> eth0:2 (which is 192.168.2.1 with /24 netmask) = net_bar_t >>> >>> see, no difference :) >>> >>> So if we allow node based then alias isn't any different. also >>> netfilter lets you select on interface aliases so in some way we >>> already allow this behavior. >> >> Ok, I think my brain is still catching up on this thread. Because of >> what I said above I think we should 1) not do node based fallbacks >> and 2) not do nic alias-level fallbacks. This is the safe option (as >> already pointed out) and minimizes trust in untrustworthy things >> (eg., addresses coming from the network). > > If we install and maintain a router (in a locked box with IP admin > disabled), we are allowed to trust (label based on) the router's IP > address. If we put a single PC behind the router and NAT or route to > it specifically, we are allowed to trust the IP address of the PC > (since it is provided by the router). So there are circumstances where > the IP address of an untrustworthy OS is itself trustworthy in the > eyes of our accreditors. > eh? Except not. anything on the same lan as the router can pretend to be said router via both mac address and ip. ip is absolutely not reliable unless its going over ipsec (in which case you'd just use ipsec labeling) or the network is completely isolated (in which case you'd just use interface labeling). -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.