* Speaking of networking...

From: James Morris @ 2008-02-27 14:01 UTC
To: selinux; +Cc: Daniel J Walsh

Any further thoughts on how to push the secmark integration forward?

The secmark table patch should allow MAC rules to be administered independently, and I know there has been some demand for the new (well, now not so new) networking controls.

- James

--
James Morris <jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: Speaking of networking...

From: Paul Moore @ 2008-02-27 14:51 UTC
To: James Morris; +Cc: selinux, Daniel J Walsh

On Wednesday 27 February 2008 9:01:31 am James Morris wrote:
> Any further thoughts on how to push the secmark integration forward?
>
> The secmark table patch should allow MAC rules to be administered
> independently, and I know there has been some demand for the new
> (well, now not so new) networking controls.

When I asked this question previously the one thing that came up was semanage integration/compatibility. However, there didn't appear to be a consensus as to if that was a good idea because semanage has a rather simplistic view of local network controls due to the limitations of the legacy netif/node controls.

I'm with you in that I'd really like to see all of the distributions shift over to using secmark. Beyond the normal performance improvement of moving to secmark, starting with 2.6.25 having both secmark and the new network_peer_controls capability enabled should result in a nice performance boost* over the legacy network controls.

* No, I don't have any numbers yet, but looking at the code should explain why.

--
paul moore
linux security @ hp
* Re: Speaking of networking...

From: Daniel J Walsh @ 2008-02-27 15:54 UTC
To: Paul Moore; +Cc: James Morris, selinux

Paul Moore wrote:
> On Wednesday 27 February 2008 9:01:31 am James Morris wrote:
>
>> Any further thoughts on how to push the secmark integration forward?
>>
>> The secmark table patch should allow MAC rules to be administered
>> independently, and I know there has been some demand for the new
>> (well, now not so new) networking controls.
>>
>
> When I asked this question previously the one thing that came up was
> semanage integration/compatibility. However, there didn't appear to be
> a consensus as to if that was a good idea because semanage has a rather
> simplistic view of local network controls due to the limitations of the
> legacy netif/node controls.
>
> I'm with you in that I'd really like to see all of the distributions
> shift over to using secmark. Beyond the normal performance improvement
> of moving to secmark, starting with 2.6.25 having both secmark and the
> new network_peer_controls capability enabled should result in a nice
> performance boost* over the legacy network controls.
>
> * No, I don't have any numbers yet, but looking at the code should
> explain why.
>

I have no problem with switching to this, as long as we do NO harm. IE
Everything just works.
Nothing breaks when the user shuts down iptables.

It needs to be exactly compatible with what we have now.

Permissive mode has got to work.

And it has to be before Beta 1 March 4.

It has to be easy for a user to customize.

Most users will never use it, so it better not be a headache.
* Re: Speaking of networking...

From: Paul Moore @ 2008-02-27 16:13 UTC
To: Daniel J Walsh; +Cc: James Morris, selinux

On Wednesday 27 February 2008 10:54:02 am Daniel J Walsh wrote:
> Paul Moore wrote:
> > On Wednesday 27 February 2008 9:01:31 am James Morris wrote:
> >> Any further thoughts on how to push the secmark integration
> >> forward?
> >>
> >> The secmark table patch should allow MAC rules to be administered
> >> independently, and I know there has been some demand for the new
> >> (well, now not so new) networking controls.
> >
> > When I asked this question previously the one thing that came up
> > was semanage integration/compatibility. However, there didn't
> > appear to be a consensus as to if that was a good idea because
> > semanage has a rather simplistic view of local network controls due
> > to the limitations of the legacy netif/node controls.
> >
> > I'm with you in that I'd really like to see all of the
> > distributions shift over to using secmark. Beyond the normal
> > performance improvement of moving to secmark, starting with 2.6.25
> > having both secmark and the new network_peer_controls capability
> > enabled should result in a nice performance boost* over the legacy
> > network controls.
> >
> > * No, I don't have any numbers yet, but looking at the code should
> > explain why.
>
> I have no problem with switching to this, as long as we do NO harm.
> IE Everything just works.
> Nothing breaks when the user shuts down iptables.
>
> It needs to be exactly compatible with what we have now.
>
> Permissive mode has got to work.
>
> And it has to be before Beta 1 March 4.
>
> It has to be easy for a user to customize.
>
> Most users will never use it, so it better not be a headache.

I'd like to think that at some point we can evolve the mechanisms/tools so that normal users can/will take advantage of these controls ... then again, I'm more than a little bit biased (what do you mean it's hard to use?!) and a tinge starry-eyed.

Back to the real world, in 2.6.25 _all_ of the "new" networking controls (including secmark, NetLabel, and labeled IPsec) are dynamic. This means that by default there are no permission checks applied, not even unlabeled_t checks; you have to configure something (i.e. load the gun and point it at your own foot) for the controls to become active. In a sense, the new additions _should_* actually make life easier for you.

* Really, I mean it this time :)

--
paul moore
linux security @ hp
* Re: Speaking of networking...

From: James Morris @ 2008-02-27 23:35 UTC
To: Daniel J Walsh; +Cc: Paul Moore, selinux

On Wed, 27 Feb 2008, Daniel J Walsh wrote:
> I have no problem with switching to this, as long as we do NO harm. IE
> Everything just works.
> Nothing breaks when the user shuts down iptables.
>
> It needs to be exactly compatible with what we have now.
> Permissive mode has got to work.
>
> And it has to be before Beta 1 March 4.
>
> It has to be easy for a user to customize.
>
> Most users will never use it, so it better not be a headache.
>

But how do we actually get it into Fedora? Who can make the changes?

--
James Morris <jmorris@namei.org>
* Re: Speaking of networking...

From: Stephen Smalley @ 2008-02-27 18:02 UTC
To: James Morris; +Cc: selinux, Daniel J Walsh

On Thu, 2008-02-28 at 01:01 +1100, James Morris wrote:
> Any further thoughts on how to push the secmark integration forward?
>
> The secmark table patch should allow MAC rules to be administered
> independently, and I know there has been some demand for the new (well,
> now not so new) networking controls.

Has the secmark table patch gone upstream yet?

--
Stephen Smalley
National Security Agency
* Re: Speaking of networking...

From: James Morris @ 2008-02-27 22:11 UTC
To: Stephen Smalley; +Cc: selinux, Daniel J Walsh

On Wed, 27 Feb 2008, Stephen Smalley wrote:
>
> On Thu, 2008-02-28 at 01:01 +1100, James Morris wrote:
> > Any further thoughts on how to push the secmark integration forward?
> >
> > The secmark table patch should allow MAC rules to be administered
> > independently, and I know there has been some demand for the new (well,
> > now not so new) networking controls.
>
> Has the secmark table patch gone upstream yet?

Nope. I think we need to know that it's going to be useful first.

--
James Morris <jmorris@namei.org>
* Re: Speaking of networking...

From: Joshua Brindle @ 2008-02-27 23:35 UTC
To: James Morris; +Cc: Stephen Smalley, selinux, Daniel J Walsh

James Morris wrote:
> On Wed, 27 Feb 2008, Stephen Smalley wrote:
>
>> On Thu, 2008-02-28 at 01:01 +1100, James Morris wrote:
>>
>>> Any further thoughts on how to push the secmark integration forward?
>>>
>>> The secmark table patch should allow MAC rules to be administered
>>> independently, and I know there has been some demand for the new (well,
>>> now not so new) networking controls.
>>>
>> Has the secmark table patch gone upstream yet?
>>
>
> Nope. I think we need to know that it's going to be useful first.
>

That's something of a chicken/egg problem. We need a separate table so that we can peacefully co-exist with user rules before we can deploy it widely (e.g., to fedora users) to determine the viability of policy driven secmark labeling.

On a related note CLIP has a rebuilt iptables that they should be including in their next release because users of CLIP are very interested in secmark labeling as well. This obviously will be in the mangle table since they are using a RHEL5 kernel but it will still be available.
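Two points in the thread, Paul's that the 2.6.25 controls stay inactive until SECMARK labeling is actually configured and Joshua's that without the separate table the labeling rules have to live in the mangle table alongside user rules, both come down to which SECMARK rules a host has loaded and where. The following script is an added example (not from the thread, the SELinux project or any CLIP tooling): it parses a constructed `iptables-save` dump, reports which table holds the SECMARK rules, and lists the packet types the policy must grant `packet { send recv }` on.

```python
import re
from collections import defaultdict

# Constructed `iptables-save` style dump (not captured from a real host): one
# SECMARK rule placed in the mangle table and one in a separate security table.
SAMPLE_DUMP = """\
*mangle
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j SECMARK --selctx system_u:object_r:http_packet_t:s0
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
COMMIT
*security
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j SECMARK --selctx system_u:object_r:ssh_packet_t:s0
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
SELCTX_RE = re.compile(r"-j\s+SECMARK\s+--selctx\s+(\S+)")

def secmark_rules(dump):
    """Map table name -> [(chain, selctx)] for every SECMARK rule in the dump."""
    table, found = None, defaultdict(list)
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*mangle" opens a table section
            table = line[1:]
        elif line == "COMMIT":            # closes the current table section
            table = None
        elif table and line.startswith("-A"):
            m = RULE_RE.match(line)
            ctx = SELCTX_RE.search(m.group(2)) if m else None
            if ctx:
                found[table].append((m.group(1), ctx.group(1)))
    return dict(found)

def labeling_status(dump):
    """'none': no SECMARK rules, so packets stay unlabeled and the dynamic
    2.6.25 controls apply no checks; otherwise the single table holding the
    rules ('mangle' or 'security'), or 'mixed' when both are in use."""
    tables = set(secmark_rules(dump))
    if not tables:
        return "none"
    return tables.pop() if len(tables) == 1 else "mixed"

def packet_types(dump):
    """Packet types the policy must allow `packet { send recv }` on."""
    return {ctx.split(":")[2] for rules in secmark_rules(dump).values()
            for _, ctx in rules}
```

On a live host, feed it the output of `iptables-save` instead of the constructed dump; a `none` result on a 2.6.25 kernel is exactly the "no checks applied" state Paul describes.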