[redhat-lspp] Netlabel/CIPSO toy policy module

Paul Moore paul.moore at hp.com
Thu Jun 29 12:42:38 UTC 2006


On Wednesday 28 June 2006 7:03 pm, Klaus Weidner wrote:
> Hello,
>
> I've hacked together a very simple policy module to allow testing CIPSO
> with MLS constraints, which was surprisingly easy once I found out where
> to start... Kudos to Paul Moore and the Tresys folks for the code and
> documentation!
>

Thanks Klaus!

>
> ## configure CIPSO
> ##
> ## Make sure you use a local or serial console for testing, it will
> ## reject unlabeled packets from your SSH session (which is the entire
> ## point of CIPSO...)
>
> setenforce 0

With the latest patch (and the lspp.40 kernel) you probably won't need to 
switch into permissive mode to configure NetLabel for the time being.  The 
reason is that the new patch uses the Generic NETLINK interface which does 
not yet have any SELinux hooks.  However, rest assured the important parts of 
the NetLabel NETLINK interface are protected with CAP_NET_ADMIN.

> netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2

If you don't care about verifying and/or mapping remote levels/categories to 
local values (i.e. you want to just pass the values straight through) you do 
the following which should save some typing:

 # netlabelctl cipsov4 add pass doi:1 tags:1

then proceed with the commands Klaus posted.

> netlabelctl mgmt del default 
> netlabelctl mgmt add default protocol:cipsov4,1
> netlabelctl unlbl accept off
> setenforce 1
>
> ## now try some netcats
> newrole -r sysadm_r -l s1-s1
> nc -l 3333
>
> newrole -r sysadm_r -l s2-s2
> nc localhost 3333

-- 
paul moore
linux security @ hp
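To make the std-versus-pass distinction concrete, here is an added example (my own code, not Paul's, Klaus's, or the NetLabel project's) that builds and parses a CIPSO IPv4 option for DOI 1 carrying a tag-type-1 category bitmap, applying either the std level/category translation from the quoted command or pass-through. The option layout follows the CIPSO specification (FIPS 188); the mapping tables are constructed to mirror the quoted `netlabelctl` line.

```python
# Added example, not from the thread or the NetLabel project.  Builds and
# decodes a CIPSO IPv4 option (type 134) with one tag-type-1 (restrictive
# bitmap) tag, in either "std" (translate) or "pass" (no translation) mode.
import struct

CIPSO_OPT_TYPE = 134   # IPv4 option number assigned to CIPSO
CIPSO_TAG_RBM = 1      # tag type 1: restrictive bit map of categories

# Mirrors "std doi:1 tags:1 levels:0=0,1=1,2=2 categories:0=0,1=1,2=2"
STD_DOI = {
    "levels": {0: 0, 1: 1, 2: 2},       # local level -> CIPSO level
    "categories": {0: 0, 1: 1, 2: 2},   # local category -> CIPSO category
}

def map_label(level, cats, doi_map=None):
    """Translate a local (level, categories) label to CIPSO values.
    doi_map=None models 'pass': values go through untouched.  In 'std'
    mode an unmapped level or category is rejected, which is why traffic
    with labels outside the configured map is dropped."""
    if doi_map is None:
        return level, sorted(cats)
    try:
        return (doi_map["levels"][level],
                sorted(doi_map["categories"][c] for c in cats))
    except KeyError as e:
        raise ValueError(f"no CIPSO mapping for local value {e}") from None

def build_cipso_option(doi, level, cats, doi_map=None):
    """Return the on-the-wire option: type, length, DOI, one RBM tag."""
    lvl, remote_cats = map_label(level, cats, doi_map)
    nbytes = (max(remote_cats) // 8 + 1) if remote_cats else 0
    bitmap = bytearray(nbytes)
    for c in remote_cats:            # category 0 is the MSB of octet 0
        bitmap[c // 8] |= 0x80 >> (c % 8)
    # tag = type, length (incl. these 4 octets), alignment octet, level, bitmap
    tag = bytes([CIPSO_TAG_RBM, 4 + nbytes, 0, lvl]) + bytes(bitmap)
    return bytes([CIPSO_OPT_TYPE, 6 + len(tag)]) + struct.pack("!I", doi) + tag

def parse_cipso_option(opt):
    """Decode an option from build_cipso_option into (doi, level, cats)."""
    if opt[0] != CIPSO_OPT_TYPE or opt[1] != len(opt) or opt[6] != CIPSO_TAG_RBM:
        raise ValueError("not a CIPSO tag-type-1 option")
    doi = struct.unpack("!I", opt[2:6])[0]
    taglen, level = opt[7], opt[9]
    bitmap = opt[10:6 + taglen]
    cats = [i * 8 + bit for i, b in enumerate(bitmap)
            for bit in range(8) if b & (0x80 >> bit)]
    return doi, level, cats
```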
