Re: Brindle example of labeled IPSec

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Joshua Brindle <method@manicmethod.com>
To: "Clarkson, Mike R \(US SSA\)" <mike.clarkson@baesystems.com>
Cc: Paul Moore <paul.moore@hp.com>, selinux@tycho.nsa.gov
Subject: Re: Brindle example of labeled IPSec
Date: Fri, 15 Feb 2008 20:38:06 -0500	[thread overview]
Message-ID: <47B63E7E.4000000@manicmethod.com> (raw)
In-Reply-To: <FB39F4E77226B448BC1388D3BE4E00CD02AF9774@blums0008.bluelnk.net>

Clarkson, Mike R (US SSA) wrote:
>   
>>>> As for the recvfrom part, in your policy you have:
>>>>
>>>> corenet_non_ipsec_sendrecv(brindle_client_t)
>>>>
>>>>
>>>> this interface allows a domain to receive from unlabeled ipsec
>>>> connections, which means it will work regardless of associations
>>>>         
> being
>   
>>>> present, be sure to remove interfaces like this before testing in
>>>> enforcing.
>>>>
>>>>
>>>>
>>>>
>>>>         
>>> True that the non_ipsec interface will allow the client and server
>>>       
> to
>   
>>> communicate, but it wouldn't be a labeled communication, which means
>>>       
> the
>   
>>> output of the client and server should look like this:
>>>
>>> [mr_clarkson@blade5 test]$ ./brindle_server
>>> getsockopt: Protocol not available
>>> server: got connection from 127.0.0.1, (null)
>>>
>>> [mr_clarkson@blade5 test]$ ./brindle_client 127.0.0.1
>>> getpeercon: Protocol not available
>>> Received: Hello, (null) from (null)
>>>
>>> I know that it is sending the packets over the labeled IPSec
>>>       
> loopback,
>   
>>> because it stops working when I remove the SPDs using "setkey -FP"
>>>
>>> In any case, it quits working when I replace
>>> corenet_non_ipsec_sendrecv(brindle_client_t) with
>>> ipsec_labeled(brindle_client_t) and do likewise for the server. And
>>>       
> I
>   
>>> get the following from audit2allow:
>>>
>>> #============= brindle_client_t ==============
>>> # src="brindle_client_t" tgt="unlabeled_t" class="packet",
>>>       
> perms="send"
>   
>>> # comm="brindle_client" exe="" path=""
>>> allow brindle_client_t unlabeled_t:packet send;
>>>
>>> Is there something else that I need to provide?
>>>
>>>
>>>       
>> I think corenet_sendrecv_unlabeled_packets()
>>
>>     
>
> That's the same as corenet_non_ipsec_sendrecv(). They both just call
> kernel_sendrecv_unlabeled_packets().
>   

perhaps just call kernel_sendrecv_unlabeled_packets then?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2008-02-16  1:38 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-15 20:15 Brindle example of labeled IPSec Clarkson, Mike R (US SSA)
2008-02-15 21:40 ` Paul Moore
2008-02-15 23:25   ` Clarkson, Mike R (US SSA)
2008-02-15 23:42     ` Paul Moore
2008-02-15 23:47       ` Clarkson, Mike R (US SSA)
2008-02-15 23:50       ` Clarkson, Mike R (US SSA)
2008-02-16  0:26     ` Joshua Brindle
2008-02-16  1:11       ` Clarkson, Mike R (US SSA)
2008-02-16  1:19         ` Joshua Brindle
2008-02-16  1:28           ` Clarkson, Mike R (US SSA)
2008-02-16  1:38             ` Joshua Brindle [this message]
  -- strict thread matches above, loose matches on Subject: below --
2008-02-16  0:27 Joy Latten
2008-02-16  1:20 ` Clarkson, Mike R (US SSA)
2008-02-16  1:40 Joy Latten
2008-02-16  1:48 ` Clarkson, Mike R (US SSA)
2008-02-16  2:00 ` Clarkson, Mike R (US SSA)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47B63E7E.4000000@manicmethod.com \
    --to=method@manicmethod.com \
    --cc=mike.clarkson@baesystems.com \
    --cc=paul.moore@hp.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.