[redhat-lspp] mls level to without classification

Stephen Smalley sds at tycho.nsa.gov
Wed Aug 23 13:11:03 UTC 2006


On Tue, 2006-08-22 at 19:20 -0400, James Morris wrote:
> On Tue, 22 Aug 2006, Joe Nall wrote:
> 
> > 
> > On Aug 22, 2006, at 11:43 AM, George C. Wilson wrote:
> > 
> > > Is it acceptable to make use of the old controls for the certified
> > > configuration?  Or must we migrate to secmark?  We want to avoid
> > > having to document and test secmark so that we don't increase the
> > > scope of the TOE.
> > 
> > Two questions:
> >   1) Without secmark, is it possible to label an IP address?
> 
> Yes.  You can label 'nodes' (addr/mask), ports and interfaces.
> 
> >   2) If secmark is present and enabled in RH5, how do you
> >      remove it from the TOE? By administrative fiat or real
> >      code change?
> 
> You can disable secmark controls at boot or runtime:
> 
> /usr/src/linux/Documentation/kernel-parameters.txt
> 
>         selinux_compat_net =
>                         [SELINUX] Set initial selinux_compat_net flag value.
>                         Format: { "0" | "1" }
>                         0 -- use new secmark-based packet controls
>                         1 -- use legacy packet controls
>                         Default value is 0 (preferred).
>                         Value can be changed at runtime via
>                         /selinux/compat_net.

Unfortunately, that isn't useful at present because libselinux
automatically sets /selinux/compat_net at policy load time based on
whether the policy contains a packet class definition.  That was an
attempt to automatically detect the right setting and apply it based on
the policy being loaded.

So if they want to use compat_net for the certification, we need to do
one of the following:
1) Fork MLS policy from the refpolicy base, stripping the packet class
from it and all associated rules, so that libselinux will automatically
disable secmark at policy load time.  I don't think we want to do this.
2) Revert the change to libselinux that automatically sets compat_net,
and instead set it manually, whether via a kernel boot parameter setting
(e.g. from grub.conf) or via /selinux/compat_net (e.g. from rc.sysinit
or even later, as long as it happens before networking is enabled).  I
can do that, just let me know.

-- 
Stephen Smalley
National Security Agency
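The manual-setting route in option 2) above (writing /selinux/compat_net from rc.sysinit or similar, before networking is enabled) is the kind of step that fails silently if the selinuxfs node is absent or the write does not take. The script below is an added example and is not code from the thread, from libselinux or from the kernel; it assumes the selinuxfs mount point quoted in the mail (/selinux, overridable through the hypothetical SELINUXFS variable) and that a kernel with the compat_net switch exposes it as a plain file holding "0" or "1", as the quoted kernel-parameters.txt text describes. It writes the flag, reads it back and refuses to report success unless the value really changed, so an init script can abort or log before the network comes up under the wrong packet controls.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): set the SELinux
# compat_net flag by hand from an early boot script, as option 2) in the
# mail describes. SELINUXFS defaults to /selinux, the mount point quoted in
# the thread; pass any directory as the first argument to exercise the
# function against a constructed tree instead of a live system.

# set_compat_net <selinuxfs_mountpoint> <0|1>
# Returns 0 only if the flag was written and reads back as requested.
set_compat_net() {
    fs="$1"
    want="$2"
    flag="$fs/compat_net"

    # The kernel documents the format as { "0" | "1" }; reject anything else.
    case "$want" in
        0|1) ;;
        *) echo "set_compat_net: value must be 0 or 1, got '$want'" >&2; return 2 ;;
    esac

    # A kernel without the compat_net switch, or an unmounted selinuxfs,
    # exposes no such node. Fail loudly rather than continue with secmark.
    if [ ! -f "$flag" ]; then
        echo "set_compat_net: $flag not present (selinuxfs not mounted or no compat_net support)" >&2
        return 1
    fi

    # Write, then read back. A silent failure here would leave the machine
    # running the secmark controls that the TOE was not documented for.
    printf '%s' "$want" > "$flag" || return 1
    got=$(cat "$flag")
    if [ "$got" != "$want" ]; then
        echo "set_compat_net: wrote $want but read back '$got'" >&2
        return 1
    fi
    return 0
}

# get_compat_net <selinuxfs_mountpoint>: print the current flag value.
get_compat_net() {
    cat "$1/compat_net"
}

# Stand-alone use from an init script, before networking is started:
#   SELINUXFS=/selinux sh compat_net.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set_compat_net "${SELINUXFS:-/selinux}" 1
fi
```

Because libselinux (per the mail) rewrites the flag at policy load time, a script like this is only meaningful after that libselinux behaviour has been reverted, and it must run after the policy is loaded but before any network interface is brought up; checking the read-back value is what makes that ordering mistake visible.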
