* MLS over loopback interface
From: Langland, Blake @ 2013-10-10 17:12 UTC (permalink / raw)
To: selinux@tycho.nsa.gov
All,
I have two web servers running on an SELinux machine, one running at s2 and one at s3. Both web servers have two webapps each that are attempting to communicate over the loopback interface. The communication is strictly s2 <-> s2 and s3 <-> s3. The problem I am having is setting the MLS level of the loopback interface. If I have it set below s3, the s3 webapps cannot send over the interface; if I have it set higher than s2, the s2 webapps cannot receive over the interface. Any suggestions?
Thanks,
Blake
* Re: MLS over loopback interface
From: Daniel J Walsh @ 2013-10-10 17:21 UTC (permalink / raw)
To: Langland, Blake, selinux@tycho.nsa.gov
On 10/10/2013 01:12 PM, Langland, Blake wrote:
> All,
>
> I have two web servers running on an SELinux machine, one running at s2 and
> one at s3. Both webservers have two webapps each that are attempting to
> communicate over the loopback interface. The communication is strictly s2
> <-> s2 and s3 <-> s3. The problem I am having is setting the MLS level of
> the loopback interface. If I have it set below s3, the s3 webapps cannot
> send over the interface; If I have it set higher than s2, the s2 webapps
> cannot receive over the interface. Any suggestions?
>
> Thanks,
>
> Blake
Can you use different IPs?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: MLS over loopback interface
From: William Roberts @ 2013-10-10 17:31 UTC (permalink / raw)
To: Langland, Blake; +Cc: selinux@tycho.nsa.gov
set it as: s2,s3 (if you can even do that; not sure if it works like cats)
On Thu, Oct 10, 2013 at 1:12 PM, Langland, Blake <
blangland@integrity-apps.com> wrote:
> All,
>
> I have two web servers running on an SELinux machine, one running at s2
> and one at s3. Both webservers have two webapps each that are attempting to
> communicate over the loopback interface. The communication is strictly s2
> <-> s2 and s3 <-> s3. The problem I am having is setting the MLS level of
> the loopback interface. If I have it set below s3, the s3 webapps cannot
> send over the interface; If I have it set higher than s2, the s2 webapps
> cannot receive over the interface. Any suggestions?
>
> Thanks,
>
> Blake
--
Respectfully,
William C Roberts
* Re: MLS over loopback interface
From: Stephen Smalley @ 2013-10-10 18:51 UTC (permalink / raw)
To: William Roberts; +Cc: Langland, Blake, selinux@tycho.nsa.gov
On 10/10/2013 01:31 PM, William Roberts wrote:
> set it as: s2,s3 (if you can even do that not sure if it works like cats)
No, can't do that with sensitivities.
>
> On Thu, Oct 10, 2013 at 1:12 PM, Langland, Blake <
> blangland@integrity-apps.com> wrote:
>
>> All,
>>
>> I have two web servers running on an SELinux machine, one running at s2
>> and one at s3. Both webservers have two webapps each that are attempting to
>> communicate over the loopback interface. The communication is strictly s2
>> <-> s2 and s3 <-> s3. The problem I am having is setting the MLS level of
>> the loopback interface. If I have it set below s3, the s3 webapps cannot
>> send over the interface; If I have it set higher than s2, the s2 webapps
>> cannot receive over the interface. Any suggestions?
>>
>> Thanks,
>>
>> Blake
* Re: MLS over loopback interface
From: Stephen Smalley @ 2013-10-10 19:02 UTC (permalink / raw)
To: Langland, Blake; +Cc: selinux@tycho.nsa.gov
On 10/10/2013 01:12 PM, Langland, Blake wrote:
> All,
>
> I have two web servers running on an SELinux machine, one running at s2 and one at s3. Both webservers have two webapps each that are attempting to communicate over the loopback interface. The communication is strictly s2 <-> s2 and s3 <-> s3. The problem I am having is setting the MLS level of the loopback interface. If I have it set below s3, the s3 webapps cannot send over the interface; If I have it set higher than s2, the s2 webapps cannot receive over the interface. Any suggestions?
Can you clarify exactly what avc denials you are getting?
Kernel version?
network_peer_controls enabled or disabled?
I don't see a mlstrustedobject-like exemption in the netif constraints
in refpolicy/policy/mls, so you can't just make the loopback netif type
a mlstrustedobject to exempt it.
I do however see that if you apply mls_net_write_within_range() to the
web server domains and if you put a range on the interface that covers
both levels, then it should pass the mls constraint in policy/mls.
* RE: MLS over loopback interface
From: Langland, Blake @ 2013-10-10 20:34 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux@tycho.nsa.gov
Thanks for the replies. Here is an example of the AVC:
avc: denied { egress } for pid=2472 comm="java" saddr=192.168.25.102 src=60447 daddr=192.168.25.102 dest=8443 netif=lo scontext=user_s:user_r:user_java_t:s3 tcontext=system_u:object_r:lo_netif_t:s2 tclass=netif
(The opposite would be an ingress with user_java_t:s2 and lo_netif_t:s3)
Network peer labeling is netlabel.
Kernel Version: 2.6.32-279.el6.x86_64
I will try the suggestion of mls_net_write_within_range(); I'm still getting the hang of what uses ranges have vs. a single sensitivity.
Thanks again!
Blake
* Re: MLS over loopback interface
From: Stephen Smalley @ 2013-10-10 20:40 UTC (permalink / raw)
To: Langland, Blake; +Cc: selinux@tycho.nsa.gov
On 10/10/2013 04:34 PM, Langland, Blake wrote:
> Thanks for the replies. Here is an example of the AVC:
>
> avc: denied { egress } for pid=2472 comm="java" saddr=192.168.25.102 src=60447 daddr=192.168.25.102 dest=8443 netif=lo scontext=user_s:user_r:user_java_t:s3 tcontext=system_u:object_r:lo_netif_t:s2 tclass=netif
>
> (The opposite would be an ingress with user_java_t:s2 and lo_netif_t:s3)
> Network peer labeling is netlabel.
> Kernel Version: 2.6.32-279.el6.x86_64
>
> I will try the suggestion of mls_net_write_within_range(), I'm still getting a hang of what uses the ranges have vs a single sensitivity.
So, then you also need to make the interface ranged rather than
single-level, e.g. s2-s3 or s0-s15:c0.c1024 if you want it to cover
everything.
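A small model of the MLS netif constraints Stephen is referring to, as an added example (not code from this thread or from refpolicy): it reproduces the egress denial in the AVC above and its mirror ingress case on a single-level lo, and shows why the fix needs both a ranged interface (s2-s3) and mls_net_write_within_range() on the web server domains. The constraint shapes are paraphrased from memory of refpolicy/policy/mls and simplified (the mlsnetwritetoclr/mlsnetread override attributes are left out); treat them as an assumption and check them against the policy/mls you actually ship.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int                       # sensitivity s0..s15
    cats: frozenset = frozenset()   # category set

    def dom(self, other):           # self dominates other
        return self.sens >= other.sens and other.cats <= self.cats

def parse_level(text):
    # 's3' or 's0:c0.c1023' (a dotted pair is an inclusive category span)
    sens, _, cats = text.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return Level(int(sens[1:]), frozenset(out))

def parse_range(text):
    # 's2' -> (s2, s2); 's2-s3' -> (s2, s3): the (low, high) of a context
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return (lo, parse_level(high) if high else lo)

def egress_allowed(subj, netif, attrs=()):
    # netif egress/tcp_send (assumed shape): levels equal, or the domain has
    # mlsnetwriteranged (granted by mls_net_write_within_range()) and its
    # level lies inside the interface's range
    (l1, _), (l2, h2) = subj, netif
    return l1 == l2 or ("mlsnetwriteranged" in attrs and l1.dom(l2) and h2.dom(l1))

def ingress_allowed(subj, netif):
    # netif ingress/tcp_recv (assumed shape): domain dominates the low level
    (l1, _), (l2, _) = subj, netif
    return l1.dom(l2)

def thread_scenario():
    # the s2 and s3 user_java_t domains from the thread, talking over lo
    s2, s3, both = parse_range("s2"), parse_range("s3"), parse_range("s2-s3")
    ranged = ("mlsnetwriteranged",)
    return {
        "s3 egress, lo=s2": egress_allowed(s3, s2),                # the AVC above
        "s2 ingress, lo=s3": ingress_allowed(s2, s3),              # the mirror case
        "s3 egress, lo=s2-s3, no attr": egress_allowed(s3, both),  # range alone fails
        "s3 egress, lo=s2-s3, ranged": egress_allowed(s3, both, ranged),
        "s2 egress, lo=s2-s3, ranged": egress_allowed(s2, both, ranged),
        "s2 ingress, lo=s2-s3": ingress_allowed(s2, both),
        "s3 ingress, lo=s2-s3": ingress_allowed(s3, both),
    }
```

The interface range itself is set outside the policy module, with a netifcon for lo or a local override via semanage interface and its -r option; as Stephen notes, it must be a range like s2-s3, not a list of sensitivities.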