lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 14 Jan 2009 17:36:43 -0500
From:	Paul Moore <paul.moore@...com>
To:	"Justin P. Mattock" <justinmattock@...il.com>
Cc:	linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org,
	"SE-Linux" <selinux@...ho.nsa.gov>
Subject: Re: netlabel: UNLABELED ath9k not denying unlabeled traffic

On Wednesday 14 January 2009 4:35:25 pm Justin P. Mattock wrote:
> Anyways heres what I'm trying to achieve:
>
> default looks like this:
> Configured NetLabel domain mappings(1)
> domain: DEFAULT
>     protocol: UNLABELED
>
> I want to try and have three of these for the
> different types of media:
> (in theory)
> Configured NetLabel domain mappings(3)
> domain:radio
>    protocol: UNLABELED
> domain:T.V.
>    protocol: UNLABELED
> domain:web
>    protocol: UNLABELED
> (and if possible three different tags(either 1,2,5), but probably can
> only do that with cipsov4);

Actually, in your case you are probably always going to want to send 
network traffic without any labels attached to the packets (no labeled 
IPsec or CIPSO) so you can stick with the default domain mapping 
configuration which sends all packets "unlabeled".  The part you should 
be concerned about is the static/fallback configuration which assigns 
network peer labels to packets which do not have labels attached to 
them by the remote host.

NOTE: the domain mapping configuration only controls how outbound 
network traffic is labeled on-the-wire; it "maps" the 
LSM/SELinux "domains" to a specific labeling protocol configuration, 
e.g. all apache_t traffic should be labeled with CIPSO DOI 3 while all 
firefox_t traffic should not be labeled at all.

> heres what I've come up with so far:
>
> netlabelctl -p map del default
>
> netlabelctl unlbl add domain:radio interface:wlan0 address:<myadd>
> label:system_u:object_r:netlabel_peer_t:s0
> netlabelctl unlbl add domain:radio interface:wlan0 address:<radioadd>
> label:system_u:object_r:netlabel_peer_t:s0
>
> netlabelctl unlbl add domain:T.V. interface:wlan0 address:<myadd>
> label:system_u:object_r:netlabel_peer_t:s0
> netlabelctl unlbl add domain:T.V. interface:wlan0 address:<t.v.add>
> label:system_u:object_r:netlabel_peer_t:s0

I think what you mean to type is the following:

 # netlabelctl unlbl add interface:wlan0 address:<radioadd> \
       label:system_u:object_r:netlabel_peer_t:s0

... note there is no "domain" argument, that only exists 
for "netlabelctl map ..." commands.

NOTE: if you really want to get fancy you can create new SELinux domains 
for each type of media and add NetLabel configurations for those new 
domains.  Imagine you create a new "internet_radio_t" domain/type and 
only allow the "netplayer_t" domain (yeah, I made that up but you get 
the point) access to network traffic labeled with internet_radio_t.  
You would then use the following command to label your incoming traffic 
with NetLabel:

 # netlabelctl unlbl add interface:wlan0 address:<radioadd> \
       label:system_u:object_r:internet_radio_t:s0

NOTE: you can also skip the "interface:wlan0" argument and just 
use "default" instead if you want the configuration to apply to all 
your network interfaces; although bear in mind that the "default" 
configuration can be overridden by the interface specific 
configurations.

> As for the new capabilities, I don't mind trying that out when
> the time comes(but first I need to figure the this out before any
> other ways);

No problem, I understand.  Let me know if you have any more problems.

> here is what the error looks like:
>
> netlabel_tools-0.19# make
> INFO: creating the version header file
> .: 10: version_info: not found
> make: *** [include/version.h] Error 2

Huh, can you try the following:

 1. Open the netlabel_tools-0.19/Makefile in your favorite editor
 2. Change the ". version_info; \" line to "source ./version_info; \"
 3. Save your changes
 4. Try running "make" again

Thanks.

-- 
paul moore
linux @ hp
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ