From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov, jmorris@namei.org,
sds@tycho.nsa.gov
Subject: Re: [PATCH 7/7] secid reconciliation-v03: Enforcement for SELinux
Date: Fri, 29 Sep 2006 15:13:02 -0400 [thread overview]
Message-ID: <451D703E.3020500@hp.com> (raw)
In-Reply-To: <36282A1733C57546BE392885C0618592015CF32C@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>>>While I don't see any explicit mention of it in the documentation or
>>>>your comments, I assume we would want a flow_out check for
>>>>NetLabel here
>>>>as well?
>>>
>>>
>>>I don't believe we do. By this time, the packet is or
>>
>>should already be
>>
>>>carrying the CIPSO/NetLabel option which should already be
>>
>>the right one
>>
>>>(derived from the socket or flow as appropriate), but you
>>
>>would want to
>>
>>>audit the code to make sure. IOW, the label option in the
>>
>>IP header should
>>
>>>already be reflecting the secmark on the skb. But again,
>>
>>you may want to
>>
>>>audit the code to make sure.
>>
>>In the case above I am concerned about the situation where the
>>skb->secmark == 0 and there is a IPv4 option (i.e. it is NetLabel
>>labeled) on the packet.
It's unfortunate that you cut out the code in your reply.
> Where we initialize the secmark should be immaterial from the NetLabel
> point of view. The kernel mechanisms should assure that the IP option
> reflects the MLS portion (or a label in the SA range) elsewhere.
Yep, I agree.
> In any
> case, a flow_out check doesn't make sense since the IP option and the
> secmark are (should be) mirroring each other and there's in actuality
> no "flow out" happening; they are just 2 representation of the SAME label.
Well, reading the code I see that if the secmark is zero upon entering
the function you query the XFRM subsystem to query the SA label and set
the secmark accordingly, yes? All I am suggesting is that we do the
same thing for NetLabel.
Please see the mail I sent earlier with the code in it to address James'
concerns, this has a proposed solution for the flow_out case.
> Your suggestion as to adjusting the secmark per the IP option might be
> fraught with danger since, in certain cases, I believe, you just return
> the incoming options in the outgoing packet (timewait, openreq, etc.?),
> and there's no assurance that that's a valid enough option that you can
> retrieve a sid with it, correct?
As implemented in the code snippets I sent earlier the generated
NetLabel SID would reflect the secmark as determined by the IPsec label
and the IP options on the packet. I believe this is what we want as the
resulting secmark value would directly represent the security attributes
of the packet.
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-09-29 19:13 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-29 18:50 [PATCH 7/7] secid reconciliation-v03: Enforcement for SELinux Venkat Yekkirala
2006-09-29 19:13 ` Paul Moore [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-10-01 21:30 Venkat Yekkirala
2006-09-29 22:10 Venkat Yekkirala
2006-09-29 21:54 Venkat Yekkirala
2006-09-29 17:27 Venkat Yekkirala
2006-09-29 17:38 ` Paul Moore
2006-09-29 16:27 Venkat Yekkirala
2006-09-29 16:31 ` Paul Moore
2006-09-29 16:50 ` James Morris
2006-09-29 17:32 ` James Morris
2006-09-29 17:50 ` Paul Moore
2006-09-29 17:43 ` Paul Moore
2006-09-29 18:41 ` James Morris
2006-09-29 19:06 ` Paul Moore
2006-09-29 19:33 ` James Morris
2006-09-29 19:51 ` Paul Moore
2006-09-29 20:04 ` James Morris
2006-09-29 20:09 ` Paul Moore
2006-09-29 16:22 Venkat Yekkirala
2006-09-29 16:17 Venkat Yekkirala
2006-09-29 16:09 Venkat Yekkirala
2006-09-29 16:13 ` Paul Moore
2006-09-29 2:33 Venkat Yekkirala
2006-09-29 3:52 ` Joshua Brindle
2006-09-29 12:59 ` Stephen Smalley
2006-09-29 14:00 ` Joshua Brindle
2006-09-29 14:28 ` Stephen Smalley
2006-09-29 14:33 ` James Morris
2006-09-29 14:39 ` Stephen Smalley
2006-09-29 16:06 ` Paul Moore
2006-09-29 16:10 ` James Morris
2006-09-29 16:15 ` Paul Moore
2006-09-29 16:39 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=451D703E.3020500@hp.com \
--to=paul.moore@hp.com \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).