From: "Justin P. Mattock" <justinmattock@gmail.com>
To: Paul Moore <paul.moore@hp.com>
Cc: linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: netlabel: UNLABELED ath9k not denying unlabeled traffic
Date: Wed, 14 Jan 2009 08:15:46 -0800
Message-ID: <496E0FB2.407@gmail.com>
In-Reply-To: <200901140957.09722.paul.moore@hp.com>
Paul Moore wrote:
> On Wednesday 14 January 2009 12:18:18 am Justin P. Mattock wrote:
>
>> When using netlabelctl on a dell laptop
>> I'm able to define the addresses that I want:
>>
>> netlabelctl unlbl add interface:wlan0 address:<radiostation>
>> label:system_u:object_r:netlabel_peer_t:s0
>> netlabelctl unlbl add interface:wlan0 address:<myaddress>
>> label:system_u:object_r:netlabel_peer_t:s0
>> netlabelctl -p unlbl accept off
>>
>> {the above was from http://paulmoore.livejournal.com/1758.html };
>>
>
> Hey, somebody actually reads that stuff! I guess I'll need to be
> careful what I write from now on :)
>
> Hi Justin, on a more serious note, if you are having problems with
> labeled networking it's probably a good idea to CC the SELinux, LSM
> and/or netdev lists depending on the issue as I often miss mail if it
> is only posted to LKML. When in doubt you can just CC me personally
> (paul.moore@hp.com) and I'll add whatever list seems appropriate.
>
>
>> (I'm able to listen to the radio station allowed, then if I choose
>> another station; if I haven't defined an address like the above,
>> mplayer just sits there, denying the unlabeled packet, that is until I
>> allow the address);
>>
>
> Good, that is how it should work given the configuration shown above.
>
>
>> The problem I have is when I do the same on my macbook pro ati
>> chipset. with the ath9k module, I'm able to listen to any station,
>> search the web etc..
>> it seems netlabelctl -p unlbl accept off makes no difference if it's
>> on or off.
>>
>> Is this built into ath9k yet, or is there something I'm missing?
>>
>
> That is just plain odd, there isn't really anything that is driver
> specific. Can you share any more details like kernel version,
> netlabel_tools version, distro, etc? I don't have any ath9k hardware
> lying around to test so I would appreciate whatever additional
> information you can provide.
>
>
Hey, alright. (I finally got around to trying netlabelctl out!)
The two systems I have for this are: a Dell Latitude X200
running Ubuntu Jaunty, kernel 2.6.29-rc1,
with netlabel_tools 0.18, which was an rpm package
that I converted to .deb (can't remember the repository where I grabbed
it from).
The wireless card for the Dell is a Dell 1350
using bcmxx (b43-phy0); works great.
The results when using netlabelctl with the Dell are nice, e.g. like I said,
as soon as I issue netlabelctl unlbl accept off, those addresses not defined
are simply not allowed. (The problem with the Dell is I'm not seeing
any allow rules being generated, e.g.
allow netlabel_peer_t netif_t:netif ingress;
allow netlabel_peer_t node_t:node recvfrom;
allow unlabeled_t netif_t:netif ingress;
allow unlabeled_t node_t:node recvfrom;
)
The next is a MacBook Pro, ATI chipset; the kernel is 2.6.29-rc1,
the OS is Ubuntu Jaunty, the netlabel_tools is the same as above.
The only results I see out of this are the AVCs it's generating
(the allow rules above are from the MacBook);
for some reason the Dell doesn't generate any AVCs,
which makes me wonder if this is a module issue.
Also I've gone through thinking, well, maybe this is AVC driven,
e.g. each address, once added by netlabelctl, receives a certain allow rule
(like the allow rules above);
if not, either no allow rule is given to it, resulting in a denial you
can't see in dmesg,
or a denial that just won't be allowed by checkpolicy.
So after seeing if this was the case, I was left with an address defined by
netlabel (allowed) and defined the allow rules that it had created.
Unfortunately, after all of that I still was able to turn on another radio
station that had no address in netlabelctl's unlbl database (and no
allow rule with SELinux),
leading me to believe that the netlabel area or driver isn't working
properly, or is just told to not enforce the netlabel accept off option.
As for the list, I have linux-wireless in my address book (not sure which
is right).
regards,
Justin P. Mattock
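The allow rules Justin quotes are the form audit2allow-style tooling derives from AVC denials. As an added example (not part of this thread, and not netlabel_tools code), the script below parses constructed AVC audit lines for the netif ingress and node recvfrom checks, renders each as the allow rule such tooling would propose, and separately counts denied ingress from unlabeled_t per interface. The sample lines, addresses and timestamps are constructed; the field layout follows the kernel's AVC record format for network object classes. The point for a defender: a denial for unlabeled_t on netif ingress after "netlabelctl unlbl accept off" is the expected evidence that the default-deny is working, so those particular rules are the ones not to paste into a policy module.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread). Addresses use
# documentation ranges; the field layout follows the kernel's AVC format.
SAMPLE_AUDIT_LINES = [
    "type=AVC msg=audit(1231948546.101:201): avc:  denied  { ingress } for  "
    "saddr=192.0.2.10 src=8000 daddr=192.0.2.1 dest=40001 netif=wlan0 "
    "scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif",
    "type=AVC msg=audit(1231948546.102:202): avc:  denied  { recvfrom } for  "
    "saddr=192.0.2.10 src=8000 daddr=192.0.2.1 dest=40001 netif=wlan0 "
    "scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node",
    "type=AVC msg=audit(1231948546.200:203): avc:  denied  { ingress } for  "
    "saddr=198.51.100.5 src=80 daddr=192.0.2.1 dest=40002 netif=wlan0 "
    "scontext=system_u:object_r:netlabel_peer_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif",
    # A non-AVC record, present to show that unrelated lines are skipped.
    "type=SYSCALL msg=audit(1231948546.200:203): arch=c000003e syscall=45 success=no exit=-13",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of key=value fields plus 'perms' for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """Extract the type from user:role:type:level, e.g. unlabeled_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def allow_rule(rec):
    """Render a parsed denial as the allow rule audit2allow-style tools propose."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"], perm_str)


def rules_from_log(lines):
    """Unique, sorted allow rules for every AVC denial in the given lines."""
    rules = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and all(k in rec for k in ("scontext", "tcontext", "tclass")):
            rules.add(allow_rule(rec))
    return sorted(rules)


def unlabeled_ingress_by_netif(lines):
    """Count denied netif ingress from unlabeled_t, keyed by interface.

    A non-zero count for an interface is the evidence that 'unlbl accept off'
    is enforced there; granting these denials would undo that default-deny.
    """
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec.get("tclass") == "netif" and "ingress" in rec["perms"]
                and context_type(rec.get("scontext", "")) == "unlabeled_t"):
            counts[rec.get("netif", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_AUDIT_LINES):
        print(rule)
    print(unlabeled_ingress_by_netif(SAMPLE_AUDIT_LINES))
```

Run against a real audit.log, the second function is the quick check for the symptom in this thread: an interface with "unlbl accept off" that streams from an undefined address and never shows an unlabeled_t ingress denial is not applying the NetLabel default-deny at all, which is a different problem from a missing allow rule.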