selinux November 2007 archive

[RFC PATCH v6 00/13] Labeled networking patches

From: Paul Moore <paul.moore_at_nospam>
Date: Fri Nov 09 2007 - 21:23:44 GMT
To: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org


This is an update to the patchset sent earlier this week and the first time these patches have been sent to the LSM list. The most notable change between this patchset and the "v5" patches is the addition of the fallback/static label patches that were discussed on the SELinux list a few months ago. In addition to just porting the old fallback/static patches I've added the concept of a "default" interface as well as some intelligence in the SELinux layer to allow the NetLabel provided fallback label to play nicely with XFRM labels when both are present on a connection. This should help address issues found in the earlier versions of the fallback/static label patches. This patchset does not include Venkat's flow control patches, but Venkat has promised that they will be ready very soon; when they are I will merge them into this patchset. On a similar note, the new "peer" SELinux object class in this patchset isn't usable with currently released SELinux policies so you'll still be using the separate, labeling protocol specific, access checks.

I have to caution against using these patches for anything critical as they are still a "work in progress" and have only received minimal testing. However, I know there are a few of you who are very interested in this functionality and have offered to help with the testing so I'm posting the patches in this early state so we can get a jump shaking the bugs out. For those of you who are playing with these patches, there are a few things worth noting:

To configure the new fallback/static labels you use the following netlabelctl commands:

  • Add a label

      netlabelctl unlbl add default|interface:<DEV> address:<ADDR>[/<MASK>] \
        label:<LABEL>

        DEV   = interface
        ADDR  = IP address
        MASK  = size of address mask
        LABEL = full SELinux context

    Examples:

      # netlabelctl unlbl add default address:10.0.0.0/8 \
          label:system_u:object_r:unlabeled_t:s0
      # netlabelctl unlbl add interface:eth0 address:192.168.0.1 \
          label:system_u:object_r:unlabeled_t:s0
      # netlabelctl unlbl add interface:lo address:::1 \
          label:system_u:object_r:unlabeled_t:s0

  • Remove a label

      netlabelctl unlbl del default|interface:<DEV> address:<ADDR>[/<MASK>]

        DEV   = interface
        ADDR  = IP address
        MASK  = size of address mask

    Examples:

      # netlabelctl unlbl del default address:10.0.0.0/8
      # netlabelctl unlbl del interface:eth0 address:192.168.0.1
      # netlabelctl unlbl del interface:lo address:::1

  • Show labels

      netlabelctl -p unlbl list

    Examples:

      # netlabelctl unlbl list
      # netlabelctl -p unlbl list

If you have any questions/problems/comments feel free to either drop me mail privately or post something to the list.

Thanks.

-- 
paul moore
linux security @ hp
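The following is an added example, not part of Paul's posting and not code from the kernel or netlabel_tools. It is a small Python model of the fallback/static label table: it parses "netlabelctl unlbl add|del" command lines of the form shown above (note the first-colon split, which is what lets "address:::1" carry an IPv6 literal), keeps the resulting table, and answers "which fallback context applies to a packet arriving on interface X from address Y". The lookup order it uses, interface-specific entries before "default" entries and the longest mask winning within each set, is an assumption about the intended semantics and is not stated in the posting; the "example_t" context and the extra eth0 /16 entry are constructed to show that precedence.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# One table entry: interface name (None means "default"), covered block, context.
Entry = Tuple[Optional[str], Network, str]

# Constructed sample input: the "add" commands from the posting, each joined onto
# one line, plus one constructed interface-specific entry with a made-up context.
SAMPLE_COMMANDS = [
    "netlabelctl unlbl add default address:10.0.0.0/8 label:system_u:object_r:unlabeled_t:s0",
    "netlabelctl unlbl add interface:eth0 address:192.168.0.1 label:system_u:object_r:unlabeled_t:s0",
    "netlabelctl unlbl add interface:lo address:::1 label:system_u:object_r:unlabeled_t:s0",
    "netlabelctl unlbl add interface:eth0 address:10.1.0.0/16 label:system_u:object_r:example_t:s0",
]


def parse_unlbl(line: str) -> Tuple[str, Optional[str], Network, Optional[str]]:
    """Parse one 'netlabelctl unlbl add|del ...' line into (op, iface, network, label).

    iface is None for "default"; label is None for "del", which takes no label: argument.
    """
    tokens = line.split()
    if tokens[:2] != ["netlabelctl", "unlbl"] or len(tokens) < 4 or tokens[2] not in ("add", "del"):
        raise ValueError(f"not an unlbl add/del command: {line!r}")
    op = tokens[2]
    scope_seen = False
    iface: Optional[str] = None
    network: Optional[Network] = None
    label: Optional[str] = None
    for tok in tokens[3:]:
        if tok == "default":
            scope_seen, iface = True, None
        elif tok.startswith("interface:"):
            scope_seen, iface = True, tok.split(":", 1)[1]
        elif tok.startswith("address:"):
            # Split on the first ':' only, so "address:::1" yields the IPv6 literal "::1".
            addr = tok.split(":", 1)[1]
            # A bare address (no /MASK) becomes a single-host block (/32 or /128).
            network = ipaddress.ip_network(addr, strict=False)
        elif tok.startswith("label:"):
            label = tok.split(":", 1)[1]
        else:
            raise ValueError(f"unknown argument {tok!r} in {line!r}")
    if not scope_seen or network is None or (op == "add" and label is None):
        raise ValueError(f"incomplete command: {line!r}")
    return op, iface, network, label


def apply_command(table: List[Entry], line: str) -> None:
    """Apply one add/del command to the in-memory table (add replaces an identical key)."""
    op, iface, network, label = parse_unlbl(line)
    table[:] = [e for e in table if not (e[0] == iface and e[1] == network)]
    if op == "add":
        table.append((iface, network, label))  # type: ignore[arg-type]


def build_table(lines: List[str]) -> List[Entry]:
    table: List[Entry] = []
    for line in lines:
        apply_command(table, line)
    return table


def resolve(table: List[Entry], iface: str, addr: str) -> Optional[str]:
    """Return the fallback context for a packet from addr on iface, or None if unmatched.

    Assumed rule: entries for the exact interface are consulted first, then the
    "default" entries; within each set the entry with the longest mask wins.
    """
    ip = ipaddress.ip_address(addr)
    for scope in (iface, None):
        best: Optional[Tuple[Network, str]] = None
        for ent_iface, net, label in table:
            # 'ip in net' is False when the IP versions differ, so v4/v6 never cross-match.
            if ent_iface == scope and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, label)
        if best is not None:
            return best[1]
    return None


if __name__ == "__main__":
    t = build_table(SAMPLE_COMMANDS)
    for dev, src in [("eth0", "10.1.2.3"), ("eth1", "10.1.2.3"), ("lo", "::1"), ("eth0", "172.16.0.1")]:
        print(f"{dev:5} {src:12} -> {resolve(t, dev, src)}")
```

Running the block prints one line per probe; the eth0/10.1.2.3 probe is the interesting one, since the interface-specific /16 is chosen over the default /8 that also covers the address, and deleting that entry with a "del" line makes the lookup fall back to the default again.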