From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov, eparis@redhat.com,
jmorris@namei.org, sds@tycho.nsa.gov
Subject: Re: [PATCH v4 1/2] NetLabel: secid reconciliation support
Date: Wed, 04 Oct 2006 15:52:40 -0400 [thread overview]
Message-ID: <45241108.5040303@hp.com> (raw)
In-Reply-To: <36282A1733C57546BE392885C0618592015CF961@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>>>* XFRM present
>>>>
>>>> xfrm_sid = <full context from xfrm>
>>>> loc_sid = SECINITSID_NETMSG
>>>> nlbl_sid = SECSID_NULL/0
>>>> ext_sid = xfrm_sid
>>>> final skb->secmark = avc_ok : ext_sid ? unchanged
>
> Actually, I meant to cite the following instead of the above:
>
> * Nothing
>
> xfrm_sid = SECSID_NULL/0
> loc_sid = SECSID_NULL/0
> nlbl_sid = SECSID_NULL/0
> ext_sid = xfrm_sid
> final skb->secmark = avc_ok : ext_sid ? unchanged
Okay, thanks, I think I understand your point now. Let me try to
restate just to make sure.
Take two cases: the first being no labeling at all, the second being
only NetLabel ...
* Nothing
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid = SECSID_NULL/0
ext_sid = xfrm_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* NetLabel
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid = <SECINITSID_NETMSG te ctx, netlabel mls ctx>
ext_sid = nlbl_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
In the "Nothing" case the final skb->secmark is set to SECSID_NULL/0;
getpeercon() should return an error. In the "NetLabel" case the final
skb->secmark is set using the TE portions of SECINITSID_NETMSG and the
MLS label of the NetLabel packet; getpeercon() will succeed.
I understand in the "NetLabel" case above you think the TE portion of
the final skb->secmark value should come from
SECSID_NULL/SECINITSID_UNLABELED/0, but do you also want getpeercon() to
return an error in the "NetLabel" case? I think that's a bad idea as it
will made it *extremely* difficult for applications to determine the MLS
label of a connection using NetLabel.
>>>>* NetLabel present
>>>>
>>>> xfrm_sid = SECSID_NULL/0
>>>> loc_sid = SECSID_NULL/0
>>>> nlbl_sid = <SECINITSID_NETMSG te ctx, netlabel mls ctx>
>>>> ext_sid = nlbl_sid
>>>> final skb->secmark = avc_ok : ext_sid ? unchanged
>>>
>>>I was referring to the differences in what getpeercon would
>>>return in the above 2 scenarios.
>>>
>>>In the xfrm case: final skb->secmark would be 0
>>
>>resulting in getpeercon
>>
>>>to return EPROTONOOPT
>>
>>In the "XFRM present" case above if the access is allowed (avc_ok is
>>true) then the final skb->secmark value is going to be set to
>>the value
>>of ext_sid which is the xfrm_sid. Any calls made to
>>getpeercon() would
>>return success with the context matching xfrm_sid.
>
>
> You are right, but I was actually referring to the "Nothing"
> case above.
>
>
>>I have a hunch we are still on different pages here ...
>>
>>
>>>In the NetLabel case: final skb->secmark would be network_t
>>
>>resulting in
>>
>>>getpeercon to return network_t
>>
>>Yep, and I understand you would like to see it as
>>unlabeled_t. I think
>>we both have valid arguments for either case and we are just
>>waiting to
>>hear from others.
>>
>>--
>>paul moore
>>linux security @ hp
>>
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-10-04 19:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-04 19:37 [PATCH v4 1/2] NetLabel: secid reconciliation support Venkat Yekkirala
2006-10-04 19:52 ` Paul Moore [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-10-04 19:53 Venkat Yekkirala
2006-10-04 20:08 ` Paul Moore
2006-10-04 19:02 Venkat Yekkirala
2006-10-04 19:27 ` Paul Moore
2006-10-04 19:45 ` Stephen Smalley
2006-10-04 17:09 Venkat Yekkirala
2006-10-04 16:59 Venkat Yekkirala
2006-10-04 18:45 ` Paul Moore
2006-10-04 15:46 [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix paul.moore
2006-10-04 15:46 ` [PATCH v4 1/2] NetLabel: secid reconciliation support paul.moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45241108.5040303@hp.com \
--to=paul.moore@hp.com \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).