paulmoore
Perhaps one of the largest shortcomings of the CIPSO network labeling protocol when used with SELinux is the fact that it can only convey the SELinux MLS attributes across the network.  There are plenty of good reasons for this: strict conformance with the protocol specification, limited space in the IPv4 header for the CIPSO option, interoperability with non-SELinux systems, etc.  However, regardless of the reasons why, there will always be use cases where it would be very nice to have the full SELinux label without the performance, scalability and management overhead of labeled IPsec.  While I can't say I have a solution for all of those use cases, today I am going to let you in on one of NetLabel's best kept secrets: NetLabel and CIPSO can convey the full SELinux label over local connections, and it has been able to do so for years.

Now, before I get into the details of "how", I just want to be clear that what I'm about to tell you isn't really a secret, it just hasn't been very well publicized.  After all, I'm not sure how it could be a secret when the code is available for anyone and everyone to review and inspect.  Further, the "how" is even documented in the netlabelctl manpage, so if this capability is NetLabel's best kept secret it has clearly been hiding in plain sight.

Enough of the "secret", let's explain how to get this working.  First off, if you're going to try this on your own system (any modern Linux distribution that supports SELinux and NetLabel should work), you might want to grab a copy of the getpeercon_server test tool that I've used in the example below; instructions for building the test tool are at the top of the file.  Once you've got everything built and you've verified that your SELinux and NetLabel installation is working as you would expect, you need to start off by configuring the CIPSO Domains Of Interpretation (DOIs).  For this example we are going to create two DOIs, one using the standard, MLS-only pass-through type and the other using the local-connection-only full SELinux type.  Don't forget that you can always check the netlabelctl manpage for more information on the commands below.

# netlabelctl cipsov4 add pass doi:1 tags:1
# netlabelctl cipsov4 add local doi:2
# netlabelctl -p cipsov4 list
Configured CIPSOv4 mappings (2)
 DOI value : 1
   mapping type : PASS_THROUGH
 DOI value : 2
   mapping type : LOCAL

After you've set up the CIPSO DOIs you need to configure NetLabel to send traffic using these new DOIs.  In our example we are going to configure the system such that traffic sent to 127.0.0.1 (localhost) will use DOI #2, the local-only full SELinux label DOI, and traffic sent to 10.250.2.92 (the system's eth0 address) will use DOI #1, the normal MLS-only DOI.  Don't forget that we first need to remove the default unlabeled mapping so we can use the address selectors; the first two "map add" commands below restore unlabeled traffic as the default for every other IPv4 and IPv6 address.

# netlabelctl map del default
# netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
# netlabelctl map add default address:::/0 protocol:unlbl
# netlabelctl map add default address:127.0.0.1 protocol:cipsov4,2
# netlabelctl map add default address:10.250.2.92 protocol:cipsov4,1
# netlabelctl -p map list
Configured NetLabel domain mappings (1)
 domain: DEFAULT
   address: 127.0.0.1/32
    protocol: CIPSOv4, DOI = 2
   address: 10.250.2.92/32
    protocol: CIPSOv4, DOI = 1
   address: 0.0.0.0/0
    protocol: UNLABELED
   address: ::/0
    protocol: UNLABELED

With that we're finished, now it's time to test it out.  Testing is quite simple, make sure you have a TCP client like telnet or netcat installed and then start the getpeercon_server test tool you built earlier; in this example getpeercon_server is listening on TCP port 5000.

# ./getpeercon_server 5000
-> running as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-> creating socket ... ok
-> listening on TCP port 5000 ... ok
-> waiting ... connect(10.250.2.92,system_u:object_r:netlabel_peer_t:s0)
Connected to 10.250.2.92:5000
-> connection closed
-> waiting ... connect(127.0.0.1,unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023)
Connected to 127.0.0.1 5000
-> connection closed
-> waiting ...

It works! When we connected to 10.250.2.92 we saw the familiar "netlabel_peer_t" type, but when we connected to 127.0.0.1 we saw the full SELinux label of our telnet client process, "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".  Go ahead and try it out for yourself, just remember that you can only use the "local" DOI type on network connections that run over the loopback network interface.
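The loopback-only restriction on the "local" DOI type is easy to get wrong when a mapping is edited later, so here is a small audit script, added as an example and not part of the original post or of the netlabel_tools project.  It parses the output of "netlabelctl -p cipsov4 list" and "netlabelctl -p map list" (the listing format shown above) and flags any LOCAL DOI that has been selected for an address outside 127.0.0.0/8.  The two sample listings embedded in the script are constructed to mirror the ones in this post, so it can be exercised on a machine without NetLabel; run it with the argument "live" to audit the real configuration (which needs netlabel_tools and root).

```shell
#!/bin/sh
# Audit helper for the NetLabel configuration described above.
# Added example; not code from the original post or from netlabel_tools.
#
# Constraint being checked: a CIPSOv4 DOI of mapping type LOCAL only
# carries the full SELinux label over the loopback interface, so a LOCAL
# DOI should never be selected for a non-loopback address.

# Print the DOI numbers whose mapping type is LOCAL, reading
# "netlabelctl -p cipsov4 list" output on stdin.
netlabel_local_dois() {
    awk '
        /^[ \t]*DOI value :/    { doi = $NF }
        /^[ \t]*mapping type :/ { if ($NF == "LOCAL") print doi }
    '
}

# Read "netlabelctl -p map list" output on stdin; $1 is the whitespace
# separated list of LOCAL DOIs.  Prints one line per selector that uses a
# LOCAL DOI ("OK ..." for loopback, "BAD ..." otherwise) and returns
# non-zero if anything was flagged.
netlabel_audit_map() {
    awk -v locals="$1" '
        BEGIN {
            bad = 0
            n = split(locals, l)          # default FS: blanks and newlines
            for (i = 1; i <= n; i++) is_local[l[i]] = 1
        }
        /^[ \t]*domain:/  { domain = $2 }
        /^[ \t]*address:/ { addr = $2 }
        /^[ \t]*protocol: CIPSOv4/ {
            doi = $NF                     # "protocol: CIPSOv4, DOI = 2" -> 2
            if (!(doi in is_local)) next
            # CIPSOv4 is IPv4-only, so loopback means 127.0.0.0/8 here.
            if (addr ~ /^127\./)
                print "OK " domain " " addr " DOI " doi
            else {
                print "BAD " domain " " addr " DOI " doi
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Audit the live system (needs root and netlabel_tools installed).
netlabel_audit_live() {
    netlabelctl -p map list |
        netlabel_audit_map "$(netlabelctl -p cipsov4 list | netlabel_local_dois)"
}

# Constructed sample listings mirroring the ones in the post, so the
# script can be run where netlabelctl is not available.
SAMPLE_CIPSO_LIST='Configured CIPSOv4 mappings (2)
 DOI value : 1
   mapping type : PASS_THROUGH
 DOI value : 2
   mapping type : LOCAL'

SAMPLE_MAP_GOOD='Configured NetLabel domain mappings (1)
 domain: DEFAULT
   address: 127.0.0.1/32
    protocol: CIPSOv4, DOI = 2
   address: 10.250.2.92/32
    protocol: CIPSOv4, DOI = 1
   address: 0.0.0.0/0
    protocol: UNLABELED
   address: ::/0
    protocol: UNLABELED'

# Same listing, but with the eth0 address wrongly pointed at the LOCAL DOI.
SAMPLE_MAP_BAD=$(printf '%s\n' "$SAMPLE_MAP_GOOD" | sed '6s/DOI = 1/DOI = 2/')

case "${1:-demo}" in
    live) netlabel_audit_live ;;
    demo)
        dois=$(printf '%s\n' "$SAMPLE_CIPSO_LIST" | netlabel_local_dois)
        echo "LOCAL DOIs: $dois"
        printf '%s\n' "$SAMPLE_MAP_GOOD" | netlabel_audit_map "$dois" || :
        printf '%s\n' "$SAMPLE_MAP_BAD"  | netlabel_audit_map "$dois" || :
        ;;
esac
```

On the good listing the script reports only "OK DEFAULT 127.0.0.1/32 DOI 2"; on the bad one it additionally prints "BAD DEFAULT 10.250.2.92/32 DOI 2" and exits non-zero, which makes it usable as a check in a configuration management run.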

Comments

( 6 comments — Leave a comment )
(Anonymous)
Feb. 6th, 2013 11:53 am (UTC)
If I want to send complete SELinux security context (including MLS level) over network (and not over the loopback network interface) then can you suggest any suitable way for this?
paulmoore
Feb. 6th, 2013 04:02 pm (UTC)
At present the only way to send the entire SELinux security context over the network is with labeled IPsec. A word of caution about labeled IPsec: it only works with other Linux/SELinux systems, and those systems should be using the same type/version of the SELinux policy to avoid any problems with the SELinux contexts having different meanings on the two systems.
(Anonymous)
Feb. 12th, 2013 05:41 am (UTC)
Does labeled IPsec work with InfiniBand and/or IP over InfiniBand?
If not then is there any way to send the entire SELinux security context over the InfiniBand or IP over InfiniBand network?
paulmoore
Feb. 12th, 2013 02:47 pm (UTC)
Labeled IPsec is like traditional IPsec in that it runs on top of IPv4 or IPv6. While I've personally never tested labeled IPsec running on non-Ethernet based networks, as long as IP is supported properly I see no reason why labeled IPsec would not work over IP/InfiniBand.
(Anonymous)
Feb. 13th, 2013 09:53 am (UTC)
In my case data transfer is over InfiniBand network and we are using IP just for identification of nodes in network.
Now is it possible to send complete security context over this InfiniBand network using labeled IPSec?
If yes then can you give short explanation of how it can be done?
paulmoore
Feb. 13th, 2013 02:20 pm (UTC)
As I mentioned previously, I do not have any personal experience with InfiniBand networking. If your current InfiniBand network does not use IP based networking I do not believe you will be able to use labeled IPsec.