From: Paul Moore <paul.moore@hp.com>
To: James Morris <jmorris@namei.org>,
Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Joshua Brindle <method@gentoo.org>,
netdev@vger.kernel.org, selinux@tycho.nsa.gov,
kmacmillan@mentalrootkit.com
Subject: Re: [PATCH 7/7] secid reconciliation-v03: Enforcement for SELinux
Date: Fri, 29 Sep 2006 15:51:22 -0400 [thread overview]
Message-ID: <451D793A.4040007@hp.com> (raw)
In-Reply-To: <Pine.LNX.4.64.0609291517170.7975@d.namei>
James Morris wrote:
> On Fri, 29 Sep 2006, Paul Moore wrote:
>
>
>>>Say that the SA is labeled "secret" and you have two FTP clients
>>>connecting to a server via xinetd on this SA. Each client additionally
>>>labels their packets via CIPSO as secret:c1 and secret:c2 respectively.
>>>xinetd launches an FTP server for each at the correct level.
>>
>>I believe Venkat can address this.
>
> Ok, I'd still really like to see a worked example of just Netlabel +
> secmark/connseckmark, to see what happens to the connection marks.
Fair enough.
> It
> seems that the connection mark should always be correct, and restored to
> the packet. In which case, what happens when a CIPSO label on an
> established {connection} ...
The following would happen, in order, in selinux_skb_flow_in() (I'm
ommitting the IPsec relevant portions of this function for clarity):
1. A NetLabel SID would be generated using the secmark as the
"base_sid"; this means that the NetLabel would be the concatenation of
the secmark's TE context and the NetLabel's MLS label. The secmark is
not yet modified.
2. The NetLabel SID would be avc checked against the secmark:
avc_has_perm(nlbl_sid,
skb->secmark,
SECCLASS_PACKET,
PACKET__FLOW_IN,
NULL)
Note that in practice this is basically just a MLS label check.
3. If the NetLabel SID != 0 the secmark would be replaced with the
NetLabel SID.
I am trying to make NetLabel behave in a similar fashion as to how
labeled IPsec works in the secid patches; I believe the above steps
acomplish this. If not please let me know and I'll make the necessary
changes.
> ... or related packet doesn't match ...
Not sure what you mean by "related packet", but if the check in step #2
fails then the packet would be dropped. The only case where I can see
this happening is that if the MLS/MCS constraints did not allow the
flow_in permission. This allows administrators to set specific MLS
labels for any iptables "object".
> ... or you get no CIPSO label (e.g. ICMP from intermediate router) ...
If there is no packet label that NetLabel recognizes and NetLabel is
configured to allow unlabeled traffic then the NetLabel SID generated in
step #1 above would be 0.
> Or, is would you be always
> overwriting secmark/connsecmark labeling, and if so, how/why are you using
> them?
I think I addressed that above.
FYI: in between emails I'm working on a patch against Venkat's secid
patches which implements this, hopefully Venkat can roll this patch into
his secid patchset so this is all committed/rejected at once.
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-09-29 19:51 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-29 16:27 [PATCH 7/7] secid reconciliation-v03: Enforcement for SELinux Venkat Yekkirala
2006-09-29 16:31 ` Paul Moore
2006-09-29 16:50 ` James Morris
2006-09-29 17:32 ` James Morris
2006-09-29 17:50 ` Paul Moore
2006-09-29 17:43 ` Paul Moore
2006-09-29 18:41 ` James Morris
2006-09-29 19:06 ` Paul Moore
2006-09-29 19:33 ` James Morris
2006-09-29 19:51 ` Paul Moore [this message]
2006-09-29 20:04 ` James Morris
2006-09-29 20:09 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2006-10-01 21:30 Venkat Yekkirala
2006-09-29 22:10 Venkat Yekkirala
2006-09-29 21:54 Venkat Yekkirala
2006-09-29 18:50 Venkat Yekkirala
2006-09-29 19:13 ` Paul Moore
2006-09-29 17:27 Venkat Yekkirala
2006-09-29 17:38 ` Paul Moore
2006-09-29 16:22 Venkat Yekkirala
2006-09-29 16:17 Venkat Yekkirala
2006-09-29 16:09 Venkat Yekkirala
2006-09-29 16:13 ` Paul Moore
2006-09-29 2:33 Venkat Yekkirala
2006-09-29 3:52 ` Joshua Brindle
2006-09-29 12:59 ` Stephen Smalley
2006-09-29 14:00 ` Joshua Brindle
2006-09-29 14:28 ` Stephen Smalley
2006-09-29 14:33 ` James Morris
2006-09-29 14:39 ` Stephen Smalley
2006-09-29 16:06 ` Paul Moore
2006-09-29 16:10 ` James Morris
2006-09-29 16:15 ` Paul Moore
2006-09-29 16:39 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=451D793A.4040007@hp.com \
--to=paul.moore@hp.com \
--cc=jmorris@namei.org \
--cc=kmacmillan@mentalrootkit.com \
--cc=method@gentoo.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).