|Main Archive Page > Month Archives > linux-kernel archives|
Tilman Baumann wrote:
> Casey Schaufler wrote:
>>> Casey Schaufler wrote:
>> If you really want to be abusive you could replace the smack_access()
>> function in security/smack/smack_access.c (of all places) with a no-op
>> returning 0 in all cases.
> I thought of that too. :)
> But i would rather like to use the thing in it's intended function
> sometime in the future.
>>> What I then to is write iptables OUTPUT chain matches which match
>>> for any of these labels and set some connection marks and firewall
>>> Which I then can use in routing rules to give different routing
>>> rules to specific processes. (Like all proxy traffic over a second
>>> DSL line)
>>> I know, it's totally crazy. But it seems to work. :)
>>> I just hope the security part of this all will not break anything.
>>> But it does not look like it would right now.
>> Smack will eventually bite you if you're not careful, but users of
>> MAC systems wouldn't be surprised by that.
> Speaking of the devil...
> This is exactly what happened to me right now. I have problems with
> _some_ https connects. The problem lies somewhere in openssl.
> I did not yet find any clue with strace.
> Is there some straight forward way to audit/debug LSM interventions?
strace is probably your best bet, as it will tell you what syscalls fail. Your current situation is most likely a case where your program running with a label "Foo" is trying to communicate with a service on a machine that doesn't talk CIPSO and hence Smack is treating all packets to and from that host with the ambient (%cat /smack/ambient) label, which is "_" unless you've changed it.
> I have probably missed something that a labeled process could not do
> as a '_' process could. Have no idea right now, but it is probably
> something stupidly simple.
A labeled system hoping to get services from an unlabeled server is the
single pain in dealing with labeled systems. Per-host labeling is in the works,
and it will help in some cases. What I really need is a way to designate an unlabeled host as safe to talk to at any label, but it will take some serious
work to come up with a scheme that makes that palatable for a labeled environment.
I know that SELinux allows for it, but the purist in me has serious doubts.
>> I don't think it's crazy,
>> I think it's a matter of using what's available in novel ways.
> I like that attitude. :)
It got me where I am today. Hmm, maybe you should be just a little bit careful. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to firstname.lastname@example.org More majordomo info at http://vger.kernel.org/majordomo-info.html