[redhat-lspp] Labeled networking MLS constraints?

Paul Moore paul.moore at hp.com
Tue Oct 17 15:17:49 UTC 2006


Klaus Weidner wrote:
> On Tue, Oct 17, 2006 at 08:36:07AM -0400, Paul Moore wrote:
> 
>>On Monday 16 October 2006 9:49 pm, Klaus Weidner wrote:
>>
>>>For recvmsg/recvfrom with unconnected sockets (for example UDP), that
>>>should mean that incoming packets get dropped in the packet/socket check,
>>>and that the read call will never fail due to missing MLS rights - it
>>>just won't get any data.
>>
>>I'm only going to speak about the recvfrom permission as that is what 
>>NetLabel/CIPSO uses, if I remember correctly recvmsg is only used by the 
>>compat_net method of determining local packet labels.
>  
> I had meant the recvfrom() system call/library function, not the name
> used in the constraints. Are the access check locations the same with and
> without compat_net?

Yes, the socket access checks are the same regardless of the compat_net setting.

>>There are basically two checks a packet with CIPSO tagging must face before it 
>>can be "read" by a process.  The first check is a check between the generated 
>>(explained above) NetLabel packet context and the receiving socket's context; 
>>this uses the "recvfrom" permission.  The second check is between the 
>>processes' domain and the socket's context; this uses the normal socket read 
>>permissions.
> 
> If I understand things right, the first check would generally succeed for
> packets within open TCP sessions (assuming no packet tampering) since the
> socket MLS label was set based on the handshake packets, and the second
> check is the security enforcing one that ensures the process can't
> read/write at the wrong level?

Yep.

>>>For sendto/sendmsg, the MLS check would happen at 
>>>the receiving machine, does this mean that there is no MLS enforcement
>>>for sending packets out at this level? Will they get dropped if there is
>>>no valid CIPSO DOI mapping or SELinux SA?
>>
>>NetLabel does not impose any additional restrictions on sending data (other 
>>than denying the send if it can not label the data as intended by the 
>>configuration).  This is largely due to the fact that CIPSO does not do any 
>>sort of negotiation between hosts; it simply attaches the security attributes 
>>to a packet and dumps the packet on the wire.
> 
> So if you configure a DOI that only defines certain levels and categories
> (say, up to s1:c0.c7), does that ensure that packets won't be sent out at
> higher levels?

If NetLabel can't send a packet with a label for whatever reason (out of memory,
undefined MLS label mapping <what you described above>, etc.) it will fail.  On
the receive end, if NetLabel sees a CIPSO tag with an MLS label that it can't map
to a local MLS label it drops the packet before it even hits the SELinux checks.

-- 
paul moore
linux security @ hp
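To make the receive-side sequence described in this thread concrete (DOI mapping first, then the "recvfrom" check of packet context against socket context, then the ordinary socket read check of process against socket), here is an added Python model; it is not part of the thread and not NetLabel or kernel code. The MlsLabel, CipsoDoi and receive names are invented, and the read-down dominance direction used for the "recvfrom" stage is an assumption, since the real rule is whatever the loaded policy's mlsconstrain statements say.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MlsLabel:
    level: int
    cats: frozenset = frozenset()

    def dominates(self, other):
        # Classic MLS dominance: higher-or-equal level and a superset of categories.
        return self.level >= other.level and other.cats <= self.cats

def parse_mls(text):
    """Parse SELinux MLS notation such as 's1:c0.c7', 's0:c1,c3.c5' or 's0'."""
    level_part, _, cat_part = text.partition(":")
    cats = set()
    for piece in filter(None, cat_part.split(",")):
        lo, _, hi = piece.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return MlsLabel(int(level_part[1:]), frozenset(cats))

@dataclass
class CipsoDoi:
    """Constructed DOI: remote CIPSO level/category numbers -> local ones.
    Anything not defined here is unmappable (a DOI covering only up to s1:c0.c7)."""
    levels: dict
    cats: dict

    def to_local(self, remote_level, remote_cats):
        if remote_level not in self.levels or any(c not in self.cats for c in remote_cats):
            return None
        return MlsLabel(self.levels[remote_level], frozenset(self.cats[c] for c in remote_cats))

def receive(doi, tag, sock_label, proc_label):
    """Walk one incoming CIPSO-tagged packet through the stages described in the thread."""
    pkt_label = doi.to_local(*tag)
    if pkt_label is None:
        # NetLabel cannot map the tag: the packet is dropped before any SELinux check.
        return "dropped: unmappable CIPSO label"
    # Stage 1, 'recvfrom': NetLabel packet context vs socket context. Modelled as a
    # read-down rule (socket dominates packet); the real rule is the policy's mlsconstrain.
    if not sock_label.dominates(pkt_label):
        return "denied: recvfrom (packet vs socket)"
    # Stage 2, ordinary socket read: process domain vs socket context.
    if not proc_label.dominates(sock_label):
        return "denied: socket read (process vs socket)"
    return "delivered"

# Constructed DOI that defines only levels 0-1 and categories 0-7, mapped one-to-one.
LIMITED_DOI = CipsoDoi({0: 0, 1: 1}, {c: c for c in range(8)})
```

A tag such as (2, set()) or (1, {9}) falls outside LIMITED_DOI and is reported as dropped before either SELinux stage runs, which is the behaviour the reply above describes for unmappable labels.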
