[redhat-lspp] Labeled networking MLS constraints?
Paul Moore
paul.moore at hp.com
Tue Oct 17 15:17:49 UTC 2006
Klaus Weidner wrote:
> On Tue, Oct 17, 2006 at 08:36:07AM -0400, Paul Moore wrote:
>
>>On Monday 16 October 2006 9:49 pm, Klaus Weidner wrote:
>>
>>>For recvmsg/recvfrom with unconnected sockets (for example UDP), that
>>>should mean that incoming packets get dropped in the packet/socket check,
>>>and that the read call will never fail due to missing MLS rights - it
>>>just won't get any data.
>>
>>I'm only going to speak about the recvfrom permission as that is what
>>NetLabel/CIPSO uses, if I remember correctly recvmsg is only used by the
>>compat_net method of determining local packet labels.
>
> I had meant the recvfrom() system call/library function, not the name
> used in the constraints. Are the access check locations the same with and
> without compat_net?
Yes, the socket access checks are the same regardless of the compat_net setting.
>>There are basically two checks a packet with CIPSO tagging must face before it
>>can be "read" by a process. The first check is a check between the generated
>>(explained above) NetLabel packet context and the receiving socket's context;
>>this uses the "recvfrom" permission. The second check is between the
>>process's domain and the socket's context; this uses the normal socket read
>>permissions.
>
> If I understand things right, the first check would generally succeed for
> packets within open TCP sessions (assuming no packet tampering) since the
> socket MLS label was set based on the handshake packets, and the second
> check is the security enforcing one that ensures the process can't
> read/write at the wrong level?
Yep.
>>>For sendto/sendmsg, the MLS check would happen at
>>>the receiving machine, does this mean that there is no MLS enforcement
>>>for sending packets out at this level? Will they get dropped if there is
>>>no valid CIPSO DOI mapping or SELinux SA?
>>
>>NetLabel does not impose any additional restrictions on sending data (other
>>than denying the send if it can not label the data as intended by the
>>configuration). This is largely due to the fact that CIPSO does not do any
>>sort of negotiation between hosts; it simply attaches the security attributes
>>to a packet and dumps the packet on the wire.
>
> So if you configure a DOI that only defines certain levels and categories
> (say, up to s1:c0.c7), does that ensure that packets won't be sent out at
> higher levels?
If NetLabel can't send a packet with a label for whatever reason (out of memory,
undefined MLS label mapping <what you described above>, etc) it will fail. On
the receive end if NetLabel sees a CIPSO tag with a MLS label that it can't map
to a local MLS label it drops the packet before it even hits the SELinux checks.
--
paul moore
linux security @ hp
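The receive path discussed in this thread has three stages: NetLabel maps the CIPSO tag to a local MLS label (dropping the packet if the DOI has no mapping), the packet context is checked against the socket context ("recvfrom"), and the process domain is checked against the socket context (socket read). The following Python model is an added illustration, not code from the thread, the kernel or the NetLabel project; it assumes a simplified DOI that defines a maximum sensitivity and a set of allowed categories, and models both SELinux checks as plain MLS dominance ("no read up"), which is a simplification of the real policy constraints.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MLSLabel:
    """An MLS label: one sensitivity level plus a set of categories."""
    sens: int
    cats: frozenset

    def dominates(self, other: "MLSLabel") -> bool:
        # Standard MLS dominance: higher-or-equal level and a superset of categories.
        return self.sens >= other.sens and other.cats <= self.cats

def parse_label(text: str) -> MLSLabel:
    """Parse labels written like "s1:c0.c7", "s2:c1,c3" or "s0" (no categories)."""
    parts = text.split(":")
    sens = int(parts[0][1:])
    cats = set()
    if len(parts) > 1 and parts[1]:
        for chunk in parts[1].split(","):
            if "." in chunk:                      # a range such as c0.c7
                lo, hi = chunk.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:                                 # a single category such as c3
                cats.add(int(chunk[1:]))
    return MLSLabel(sens, frozenset(cats))

@dataclass(frozen=True)
class CipsoDoi:
    """Hypothetical simplified DOI: what the local host is able to map."""
    max_sens: int
    allowed_cats: frozenset

    def map_tag(self, tag: MLSLabel):
        # Return the local label if every part of the tag is defined, else None.
        if tag.sens > self.max_sens or not tag.cats <= self.allowed_cats:
            return None
        return tag

def receive_packet(doi: CipsoDoi, packet_tag: MLSLabel,
                   socket_label: MLSLabel, process_label: MLSLabel) -> str:
    """Walk the three stages and report where (if anywhere) the packet is stopped."""
    local = doi.map_tag(packet_tag)
    if local is None:
        # NetLabel cannot map the CIPSO tag: dropped before any SELinux check runs.
        return "dropped-unmappable"
    if not socket_label.dominates(local):
        # Check 1: packet context vs socket context (the "recvfrom" permission).
        return "denied-recvfrom"
    if not process_label.dominates(socket_label):
        # Check 2: process domain vs socket context (normal socket read permission).
        return "denied-socket-read"
    return "delivered"

# Constructed sample configuration: the DOI from the thread, s1:c0.c7.
SAMPLE_DOI = CipsoDoi(max_sens=1, allowed_cats=frozenset(range(8)))

def demo():
    sock = parse_label("s1:c0.c7")
    proc = parse_label("s2:c0.c10")
    return {
        "in-range": receive_packet(SAMPLE_DOI, parse_label("s1:c0.c3"), sock, proc),
        "level-too-high": receive_packet(SAMPLE_DOI, parse_label("s3:c0.c3"), sock, proc),
        "unknown-category": receive_packet(SAMPLE_DOI, parse_label("s1:c9"), sock, proc),
        "socket-too-low": receive_packet(SAMPLE_DOI, parse_label("s1:c0.c3"), parse_label("s0"), proc),
        "process-too-low": receive_packet(SAMPLE_DOI, parse_label("s1:c0.c3"), sock, parse_label("s0")),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} -> {outcome}")
```

The ordering matters for troubleshooting: a packet whose tag the DOI cannot map never produces an SELinux AVC denial, so a silent loss of data on an unconnected socket with no audit record points at the mapping stage rather than at policy.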