Time to remove compat_net?

Time to remove compat_net?

[Paul Moore]

Does anyone have any objections to placing the compat_net code on the 
kernel's "feature removal schedule" (I'd go for removal in 2/2008, six months 
from now)?  SECMARK can do everything that the older compat_net controls can 
do, and it does it with less overhead and a cleaner implementation.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Time to remove compat_net?

[Stephen Smalley]

On Thu, 2007-08-30 at 16:07 -0400, Paul Moore wrote:
> Does anyone have any objections to placing the compat_net code on the 
> kernel's "feature removal schedule" (I'd go for removal in 2/2008, six months 
> from now)?  SECMARK can do everything that the older compat_net controls can 
> do, and it does it with less overhead and a cleaner implementation.

I'd be happy to see it go (conditional checks considered harmful), but a
good starting point would be to get secmark turned on in Fedora (it was
still off last I looked) and verify that nothing breaks.

We also don't have any tools capable of managing secmark today; with the
legacy controls, we could labels ports and netifs via semanage.  Only
secmark userland integration to date has been the basic iptables command
line support.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Time to remove compat_net?

[Paul Moore]

On Thursday, August 30 2007 4:12:24 pm Stephen Smalley wrote:
> On Thu, 2007-08-30 at 16:07 -0400, Paul Moore wrote:
> > Does anyone have any objections to placing the compat_net code on the
> > kernel's "feature removal schedule" (I'd go for removal in 2/2008, six
> > months from now)?  SECMARK can do everything that the older compat_net
> > controls can do, and it does it with less overhead and a cleaner
> > implementation.
>
> I'd be happy to see it go (conditional checks considered harmful), but a
> good starting point would be to get secmark turned on in Fedora (it was
> still off last I looked) and verify that nothing breaks.
>
> We also don't have any tools capable of managing secmark today; with the
> legacy controls, we could labels ports and netifs via semanage.  Only
> secmark userland integration to date has been the basic iptables command
> line support.

Okay RedHat guys ... are there any plans to migrate semanage over to using the 
SECMARK controls?  If not, what do you need (besides patches to semanage) to 
make the transition?

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Time to remove compat_net?

[Karl MacMillan]

On Thu, 2007-08-30 at 16:33 -0400, Paul Moore wrote:
> On Thursday, August 30 2007 4:12:24 pm Stephen Smalley wrote:
> > On Thu, 2007-08-30 at 16:07 -0400, Paul Moore wrote:
> > > Does anyone have any objections to placing the compat_net code on the
> > > kernel's "feature removal schedule" (I'd go for removal in 2/2008, six
> > > months from now)?  SECMARK can do everything that the older compat_net
> > > controls can do, and it does it with less overhead and a cleaner
> > > implementation.
> >
> > I'd be happy to see it go (conditional checks considered harmful), but a
> > good starting point would be to get secmark turned on in Fedora (it was
> > still off last I looked) and verify that nothing breaks.
> >
> > We also don't have any tools capable of managing secmark today; with the
> > legacy controls, we could labels ports and netifs via semanage.  Only
> > secmark userland integration to date has been the basic iptables command
> > line support.
> 
> Okay RedHat guys ... are there any plans to migrate semanage over to using the 
> SECMARK controls?

I have argued in the past that making semanage handle secmark is the
wrong approach. Basically - the whole point of using secmark is that you
get the full power of iptables. If we force updates through semanage
then you either a) recreate all of iptables in semanage or b) seriously
cripple the mechanism through a restricted interface.

>   If not, what do you need (besides patches to semanage) to 
> make the transition?
> 

What more do you mean other than setting compat_net to 0?

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Time to remove compat_net?

[Joshua Brindle]

Karl MacMillan wrote:
> On Thu, 2007-08-30 at 16:33 -0400, Paul Moore wrote:
>   
>> On Thursday, August 30 2007 4:12:24 pm Stephen Smalley wrote:
>>     
>>> On Thu, 2007-08-30 at 16:07 -0400, Paul Moore wrote:
>>>       
>>>> Does anyone have any objections to placing the compat_net code on the
>>>> kernel's "feature removal schedule" (I'd go for removal in 2/2008, six
>>>> months from now)?  SECMARK can do everything that the older compat_net
>>>> controls can do, and it does it with less overhead and a cleaner
>>>> implementation.
>>>>         
>>> I'd be happy to see it go (conditional checks considered harmful), but a
>>> good starting point would be to get secmark turned on in Fedora (it was
>>> still off last I looked) and verify that nothing breaks.
>>>
>>> We also don't have any tools capable of managing secmark today; with the
>>> legacy controls, we could labels ports and netifs via semanage.  Only
>>> secmark userland integration to date has been the basic iptables command
>>> line support.
>>>       
>> Okay RedHat guys ... are there any plans to migrate semanage over to using the 
>> SECMARK controls?
>>     
>
> I have argued in the past that making semanage handle secmark is the
> wrong approach. Basically - the whole point of using secmark is that you
> get the full power of iptables. If we force updates through semanage
> then you either a) recreate all of iptables in semanage or b) seriously
> cripple the mechanism through a restricted interface.
>
>   

I completely agree with this.

>>   If not, what do you need (besides patches to semanage) to 
>> make the transition?
>>
>>     
>
> What more do you mean other than setting compat_net to 0?
>   

In the past we talked about solving some of the usability problems with 
secmark, namely that its difficult to manage the secmark rules 
separately from the normal rules without causing issues (like when 
running /etc/init.d/iptables stop makes all traffic turn unlabeled and 
stop working). One potential solution was to make a new table for 
secmark that would be managed differently, we never came to a consensus 
here though.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Time to remove compat_net?

[Paul Moore]

On Monday 03 September 2007 8:37:31 pm Joshua Brindle wrote:
> Karl MacMillan wrote:
> > On Thu, 2007-08-30 at 16:33 -0400, Paul Moore wrote:
> >> On Thursday, August 30 2007 4:12:24 pm Stephen Smalley wrote:
> >>> On Thu, 2007-08-30 at 16:07 -0400, Paul Moore wrote:
> >>>> Does anyone have any objections to placing the compat_net code on the
> >>>> kernel's "feature removal schedule" (I'd go for removal in 2/2008, six
> >>>> months from now)?  SECMARK can do everything that the older compat_net
> >>>> controls can do, and it does it with less overhead and a cleaner
> >>>> implementation.
> >>>
> >>> I'd be happy to see it go (conditional checks considered harmful), but
> >>> a good starting point would be to get secmark turned on in Fedora (it
> >>> was still off last I looked) and verify that nothing breaks.
> >>>
> >>> We also don't have any tools capable of managing secmark today; with
> >>> the legacy controls, we could labels ports and netifs via semanage. 
> >>> Only secmark userland integration to date has been the basic iptables
> >>> command line support.
> >>
> >> Okay RedHat guys ... are there any plans to migrate semanage over to
> >> using the SECMARK controls?
> >
> > I have argued in the past that making semanage handle secmark is the
> > wrong approach. Basically - the whole point of using secmark is that you
> > get the full power of iptables. If we force updates through semanage
> > then you either a) recreate all of iptables in semanage or b) seriously
> > cripple the mechanism through a restricted interface.
>
> I completely agree with this.

I agree that does sound reasonable, but isn't there a concern about 
compatibility with semanage?  Should we provide minimal SECMARK functionality 
within semanage just so we can provide compatibility?  Or is the real blocker 
what you talked about below ...

> >>   If not, what do you need (besides patches to semanage) to
> >> make the transition?
> >
> > What more do you mean other than setting compat_net to 0?
>
> In the past we talked about solving some of the usability problems with
> secmark, namely that its difficult to manage the secmark rules
> separately from the normal rules without causing issues (like when
> running /etc/init.d/iptables stop makes all traffic turn unlabeled and
> stop working). One potential solution was to make a new table for
> secmark that would be managed differently, we never came to a consensus
> here though.

Is this the only reason why SECMARK is not garnering much use in 
distributions?  I suspect a new table would be acceptable upstream and I 
don't ever remember hearing much objection to it here; from what I can recall 
the only concern was if it was necessary.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.