From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [RFC PATCH v3 00/13] Labeled networking patches for 2.6.28
Date: Thu, 21 Aug 2008 17:25:40 -0400
Message-ID: <20080821210239.7951.59652.stgit@flek.lan>
Another update to the labeled networking patches for 2.6.28. This revision
adds some small fixes, the dead-code removal patch posted earlier, and the big
addition ... wait for it ... full LSM label/context support for local
connections. This is accomplished by creating a new, private CIPSO tag type
(allowed by the spec with a tag number > 127) which carries the LSM's secid
value, allowing full LSM contexts to be carried across local connections
without the headaches of labeled IPsec.

For those of you interested in testing this out, you will need the latest
from the netlabel_tools addrsel branch; revision 74 or higher should work.
If you enable the new local labeling you will almost certainly need to run
SELinux in permissive mode since I'm fairly certain the current policies don't
have the necessary allow rules. With that said, enabling the new local
labeling is pretty easy ...

1. Add a CIPSO DOI which uses the new local labeling tag type; note you do
   not have to specify the tags.

   # netlabelctl cipsov4 add local doi:2
   # netlabelctl -p cipsov4 list

2. Set up the default mapping to use the CIPSO DOI we just created for
   localhost, keeping in mind we have to remove the existing mapping first.
   Of course you don't have to use the default mapping; you can create your
   own domain specific mappings.

   # netlabelctl map del default
   # netlabelctl -p map list
   # netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
   # netlabelctl map add default address:127.0.0.1 protocol:cipsov4,2
   # netlabelctl -p map list

3. Enjoy!

This should be the last bit of functionality for 2.6.28, the one possible
exception being a small patch to expose the static/fallback labeling mechanism
to Smack via the NetLabel KAPI. Casey is still working on the Smack
portion of that effort and I'll only submit the NetLabel side once Smack is
ready for it. Assuming no major problems are uncovered in the next week I'll
probably add the missing sign-offs and submit this to the linux-next tree for
further exposure and testing.
Thanks.
--
paul moore
linux @ hp
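Added here as an illustration of the receiving side of the scheme above; it is not code from these patches or from netlabel_tools. It parses a CIPSO IPv4 option, walks the tag list with bounds checks, counts private tags (type > 127, the range the message says the new local tag uses) and decides whether the option is acceptable given the interface it arrived on, since a private tag carries a secid that only means something on the host that generated it. The tag number 128 and the secid value 42 in the constructed sample are assumed placeholders, not values from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CIPSO IPv4 option: type 134, total length, 32-bit DOI (big-endian), then
 * tags of {tag_type, tag_len, data...}; tag_len counts its two header bytes.
 * Tag types above 127 are private, the range the new local tag uses. */
#define CIPSO_OPT_TYPE 134
#define CIPSO_HDR_LEN  6

struct cipso_summary {
    uint32_t doi;
    int      n_tags;
    int      n_private;   /* private tags seen: only meaningful on the origin host */
    uint32_t local_secid; /* payload of the first private tag, if it is 4 bytes */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the option is malformed or a tag overruns it. */
int cipso_parse(const uint8_t *opt, size_t len, struct cipso_summary *out)
{
    memset(out, 0, sizeof(*out));
    if (len < CIPSO_HDR_LEN || opt[0] != CIPSO_OPT_TYPE || opt[1] != len) return -1;
    out->doi = be32(opt + 2);
    for (size_t off = CIPSO_HDR_LEN; off < len; ) {
        if (len - off < 2) return -1;                 /* truncated tag header */
        uint8_t ttype = opt[off], tlen = opt[off + 1];
        if (tlen < 2 || tlen > len - off) return -1;  /* tag runs past the option */
        out->n_tags++;
        if (ttype > 127 && out->n_private++ == 0 && tlen == 6)
            out->local_secid = be32(opt + off + 2);
        off += tlen;
    }
    return 0;
}

/* A private tag carries a host-local secid: accept it only over loopback. */
int cipso_acceptable_from(const struct cipso_summary *s, int from_loopback)
{
    return s->n_private == 0 || from_loopback;
}

/* Constructed sample, not captured traffic: DOI 2 as in the message, one
 * private tag; tag type 128 and secid 42 are assumed placeholder values. */
const uint8_t sample_local_opt[] = { 134, 12, 0, 0, 0, 2, 128, 6, 0, 0, 0, 42 };
```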
Thread overview:
2008-08-21 21:25 [RFC PATCH v3 00/13] Labeled networking patches for 2.6.28 Paul Moore (this message)
2008-08-21 21:25 [RFC PATCH v3 01/13] netlabel: Remove unneeded in-kernel API functions Paul Moore
2008-08-21 21:25 [RFC PATCH v3 02/13] selinux: Fix a problem in security_netlbl_sid_to_secattr() Paul Moore
2008-08-21 21:26 [RFC PATCH v3 03/13] selinux: Fix missing calls to netlbl_skbuff_err() Paul Moore
2008-08-21 21:26 [RFC PATCH v3 04/13] smack: Fix missing calls to netlbl_skbuff_err() Paul Moore
2008-08-21 21:26 [RFC PATCH v3 05/13] netlabel: Replace protocol/NetLabel linking with refrerence counts Paul Moore
2008-08-21 21:26 [RFC PATCH v3 06/13] netlabel: Add a generic way to create ordered linked lists of network addrs Paul Moore
2008-08-21 21:26 [RFC PATCH v3 07/13] netlabel: Add network address selectors to the NetLabel/LSM domain mapping Paul Moore
2008-08-21 21:26 [RFC PATCH v3 08/13] netlabel: Add functionality to set the security attributes of a packet Paul Moore
2008-08-21 21:26 [RFC PATCH v3 09/13] selinux: Set socket NetLabel based on connection endpoint Paul Moore
2008-08-21 21:26 [RFC PATCH v3 10/13] selinux: Cache NetLabel secattrs in the socket's security struct Paul Moore
2008-08-21 21:27 [RFC PATCH v3 11/13] netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts Paul Moore
2008-08-21 21:27 [RFC PATCH v3 12/13] cipso: Add support for native local labeling and fixup mapping names Paul Moore
2008-08-21 21:27 [RFC PATCH v3 13/13] netlabel: Add configuration support for local labeling Paul Moore
2008-08-26 15:47 Re: [RFC PATCH v3 00/13] Labeled networking patches for 2.6.28 Joe Nall