[redhat-lspp] [RFC 0/7] Updated NetLabel patch

Paul Moore paul.moore at hp.com
Thu Jun 22 03:40:59 UTC 2006


On Wednesday 21 June 2006 10:17 pm, Klaus Weidner wrote:
> [ removed some of the mailing lists from Cc: ]

Thank you.

> On Wed, Jun 21, 2006 at 03:42:35PM -0400, paul.moore at hp.com wrote:
> > This is an updated version of the NetLabel patch I sent out on May 25th. 
> > It contains a variety of fixes and incorporates comments from James
> > Morris, Stephen Smalley, and Steve Grubb.  An intermediate version of
> > this patch set has also been tested against Trusted Solaris and HP-UX CMW
> > for CIPSO interoperability.  I have tested this patch set on x86 and
> > x86_64 architectures running both the targeted/enforcing and
> > mls/permissive SELinux policies.
>
> Thanks for the patch and instructions!

No problem, thanks for testing!

> Unfortunately, I couldn't get this working by following your README, the
> "netlabelctl mgmt add default protocol:cipsov4,1" command fails, with the
> following trace from GDB (I didn't see any other easy way to get debug
> output, see also below):

Wow, that's dedication ... I owe you an apology as it now occurs to me that 
the README omits an important detail - if you are using the lspp.* kernels 
from Steve or you are building your own kernels and you have enabled 
CONFIG_NETLABEL_UNLABELED_DEFAULT the kernel will automatically do the 
following commands at boot (it doesn't run the actual user space command, it 
just does the equivalent inside the kernel):

 # netlabelctl mgmt add default protocol:unlbl
 # netlabelctl unlbl accept on

... which has the effect of configuring NetLabel to both accept incoming 
unlabeled packets as well as send all packets unlabeled by default.  Since 
the NetLabel subsystem already has a default domain mapping installed ("mgmt 
add default protocol:unlbl") it fails when you try to add a new default 
mapping.  So, once you boot your kernel you should probably run the following 
commands before you configure the machine to use CIPSO:

 # netlabelctl -p mgmt del default
 # netlabelctl -p unlbl accept off         <---- OPTIONAL

Let me know if this doesn't solve your problem.

> Some comments about the userspace tools:

Thanks for the feedback and the patches; I'll apply those changes, add a 
notice about the default configuration (see above) and put out a new tarball 
soon.

That said, I have hardly spent any time at all on the netlabel_tools, just 
enough to get them running and somewhat usable.  My main focus has been the 
kernel parts of NetLabel.  As a result the netlabel_tools are not my finest 
work and I expect a lot of it to get reworked once the kernel portion 
stabilizes.

> I've tried running "netlabelctl -p mgmt list" in enforcing mode as
> sysadm_r or secadm_r with the current rawhide MLS policy:
>
> 	socket(PF_NETLINK, SOCK_RAW, 17)        = -1 EACCES (Permission denied)
>
> Does it need extra policy or labels to run in enforcing mode? For my
> tests, I've configured it in nonenforcing mode, then switched to
> enforcing mode.

Yes, the NetLabel subsystem uses a NETLINK socket to communicate with userland 
and as you can see there is now SELinux code to protect that socket but sadly 
no policy as of yet.  Once again, like the netlabel_tools, once the kernel 
patch works itself out I'll get to work writing some policy for this.

In the meantime you will have to get by with MLS/permissive or patch your 
policy.

-- 
paul moore
linux security @ hp