| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <48E3AB97.8020305@collax.com> Date: Wed, 01 Oct 2008 18:55:51 +0200 From: Tilman Baumann <tilman.baumann@...lax.com> To: Casey Schaufler <casey@...aufler-ca.com> CC: Linux-Kernel <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org Subject: Re: SMACK netfilter smacklabel socket match Casey Schaufler wrote: > Tilman Baumann wrote: >> Casey Schaufler wrote: >>> Smack will eventually bite you if you're not careful, but users of >>> MAC systems wouldn't be surprised by that. >> Speaking of the devil... >> This is exactly what happened to me right now. I have problems with >> _some_ https connects. The problem lies somewhere in openssl. >> I did not yet find any clue with strace. >> Is there some straight forward way to audit/debug LSM interventions? > > strace is probably your best bet, as it will tell you what syscalls > fail. Your current situation is most likely a case where your program > running with a label "Foo" is trying to communicate with a service on > a machine that doesn't talk CIPSO and hence Smack is treating all > packets to and from that host with the ambient (%cat /smack/ambient) > label, which is "_" unless you've changed it. Yea, I just found that out. I did not expect smack to add netlabels by default. I thought I would need to configure something before it will start adding netlabels 'on the wire'. In my case 'security' is something that should only concern the local machine. Unfortunately I never bothered to test this before. :-/ If I set /smack/nltype to 'unlabeled' I have effectively shut off the network. I guess I'm missing some essential point here. Sorry to bother you with such trivialities. btw. I find it very hard to find informations on the various files in /smack/ and it's respective intention and formating rules. security/smack/smackfs.c helps a bit. This is my current setup: /smack/ambient (default) /smack/load = _ foo rwx Unlabeled process work fine. Labeled processes produce CIPSO labeled packets (which never get any answer anywhere from the internet) If i set /smack/nltype to 'unlabled' i don't even get SYN packets out. (operation not permitted) -- Tilman Baumann Software Developer Collax GmbH . Boetzinger Strasse 60 . 79111 Freiburg . Germany p: +49 (0) 89-990157-0 f: +49 (0) 89-990157-11 Geschaeftsfuehrer: William K. Hite / Boris Nalbach AG Muenchen HRB 158898, Ust.-IdNr: DE 814464942 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists