
Perhaps one of the largest shortcomings of the CIPSO network labeling protocol when used with SELinux is that it can only convey the SELinux MLS attributes across the network.  There are plenty of good reasons for this: strict conformance with the protocol specification, limited space in the IPv4 header, interoperability with non-SELinux systems, etc.  However, regardless of the reasons, there will always be use cases where it would be very nice to have the full SELinux label without the performance, scalability and management overhead of labeled IPsec.  While I can't say I have a solution for all of those use cases, today I am going to let you in on one of NetLabel's best kept secrets: NetLabel and CIPSO can convey the full SELinux label over local connections, and they have been able to do so for years.

Now, before I get into the details of "how", I just want to be clear that what I'm about to tell you isn't really a secret, it just hasn't been very well publicized.  After all, I'm not sure how it could be a secret when the code is available for anyone and everyone to review and inspect.  Further, the "how" is even documented in the netlabelctl manpage, so if this capability is NetLabel's best kept secret, it has clearly been hiding in plain sight.

Enough of the "secret"; let's explain how to get this working.  First off, if you're going to try this on your own system (any modern Linux distribution that supports SELinux and NetLabel should work), you might want to grab a copy of the getpeercon_server test tool that I've used in the example below; instructions for building the test tool are at the top of the file.  Once you've got everything built and you've verified that your SELinux and NetLabel installation is working as you would expect, start by configuring the CIPSO Domains Of Interpretation (DOIs).  For this example we are going to create two DOIs: one using the standard MLS-only pass-through type, and the other using the local-connection-only full SELinux label type.  Don't forget that you can always check the netlabelctl manpage for more information on the commands below.

# netlabelctl cipsov4 add pass doi:1 tags:1
# netlabelctl cipsov4 add local doi:2
# netlabelctl -p cipsov4 list
Configured CIPSOv4 mappings (2)
DOI value : 1
mapping type : PASS_THROUGH
DOI value : 2
mapping type : LOCAL

After you've set up the CIPSO DOIs you need to configure NetLabel to send traffic using them.  In our example we are going to configure the system such that traffic sent to localhost will use DOI #2, the local-only full SELinux label DOI, and traffic sent to the system's eth0 address will use DOI #1, the normal MLS-only DOI.  Don't forget that we first need to remove the default unlabeled mapping so we can use the address selectors.

# netlabelctl map del default
# netlabelctl map add default address: protocol:unlbl
# netlabelctl map add default address:::/0 protocol:unlbl
# netlabelctl map add default address: protocol:cipsov4,2
# netlabelctl map add default address: protocol:cipsov4,1
# netlabelctl -p map list
Configured NetLabel domain mappings (1)
domain: DEFAULT
protocol: CIPSOv4, DOI = 2
protocol: CIPSOv4, DOI = 1
protocol: UNLABELED
address: ::/0
protocol: UNLABELED

With that we're finished; now it's time to test it out.  Testing is quite simple: make sure you have a TCP client like telnet or netcat installed, then start the getpeercon_server test tool you built earlier.  In this example getpeercon_server is listening on TCP port 5000.

# ./getpeercon_server 5000
-> running as unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-> creating socket ... ok
-> listening on TCP port 5000 ... ok
-> waiting ... connect(,system_u:object_r:netlabel_peer_t:s0)
Connected to
-> connection closed
-> waiting ... connect(,unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023)
Connected to 5000
-> connection closed
-> waiting ...

It works! When we connected to the eth0 address we saw the familiar "netlabel_peer_t" type, but when we connected to localhost we saw the full SELinux label of our telnet client process, "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".  Go ahead and try it out for yourself; just remember that you can only use the "local" DOI type on network connections that run over the loopback network interface.
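As an added example (not the getpeercon_server tool from the post, nor any NetLabel or libselinux project code), here is a minimal C server that does the same job with plain getsockopt(SO_PEERSEC), the socket option libselinux's getpeercon() wraps, so it builds without libselinux. It tags each incoming connection as either the MLS-only netlabel_peer_t placeholder or a full peer context. The default port, the label classifier and the AF_UNIX socketpair self-check are this example's own assumptions.

```c
/*
 * peercon_server.c: stand-in for getpeercon_server (added example, not the
 * original tool). Reads the peer's SELinux label via getsockopt(SO_PEERSEC),
 * the call libselinux's getpeercon() wraps, so no libselinux is needed:
 *     gcc -O2 -Wall -o peercon_server peercon_server.c && ./peercon_server 5000
 * Port 5000, the classifier and the self-check are this example's own choices.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31   /* Linux value; older libc headers omit it */
#endif

enum peer_label_kind {
    PEER_LABEL_NONE = 0,     /* kernel gave no label, or string is malformed */
    PEER_LABEL_NETLABEL = 1, /* netlabel_peer_t: only MLS attributes arrived */
    PEER_LABEL_FULL = 2      /* the connecting process's own context arrived */
};

/* Classify a label by its type field (third colon-separated field). A CIPSO
 * "pass" DOI yields the placeholder type netlabel_peer_t with only the MLS
 * range filled in; a "local" DOI over loopback yields the peer's full context. */
enum peer_label_kind classify_peer_label(const char *label)
{
    if (label == NULL || *label == '\0')
        return PEER_LABEL_NONE;
    const char *p = strchr(label, ':');             /* end of user field */
    if (p == NULL) return PEER_LABEL_NONE;
    p = strchr(p + 1, ':');                         /* end of role field */
    if (p == NULL) return PEER_LABEL_NONE;
    const char *type = p + 1;
    const char *end = strchr(type, ':');
    size_t len = end ? (size_t)(end - type) : strlen(type);
    if (len == 0) return PEER_LABEL_NONE;
    if (len == strlen("netlabel_peer_t") && memcmp(type, "netlabel_peer_t", len) == 0)
        return PEER_LABEL_NETLABEL;
    return PEER_LABEL_FULL;
}

/* Copy the peer label of a connected socket into buf (NUL-terminated). Returns
 * the label length, or -1 with errno set when the kernel has no label to give
 * (ENOPROTOOPT on a kernel without an LSM implementing SO_PEERSEC). */
ssize_t get_peer_label(int fd, char *buf, size_t buflen)
{
    socklen_t len = (socklen_t)buflen;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &len) < 0)
        return -1;
    if (len >= buflen) len = (socklen_t)(buflen - 1);
    buf[len] = '\0';                 /* SELinux counts the NUL in len; be safe */
    return (ssize_t)strlen(buf);
}

/* Self-check usable on a box without NetLabel: over an AF_UNIX socketpair the
 * kernel returns nothing (no SELinux) or our own context, never netlabel_peer_t,
 * which only NetLabel assigns to IP peers. */
enum peer_label_kind probe_local_peer_label(void)
{
    int sv[2];
    char label[256];
    enum peer_label_kind kind = PEER_LABEL_NONE;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return PEER_LABEL_NONE;
    if (get_peer_label(sv[0], label, sizeof(label)) > 0)
        kind = classify_peer_label(label);
    close(sv[0]);
    close(sv[1]);
    return kind;
}

int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 5000, one = 1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) { perror("socket"); return 1; }
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((uint16_t)port) };
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(lfd, 5) < 0) {
        perror("bind/listen"); return 1;
    }
    printf("-> listening on TCP port %d ... ok\n", port);
    for (;;) {
        struct sockaddr_in peer;
        socklen_t plen = sizeof(peer);
        char addr[INET_ADDRSTRLEN], label[256];
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0) { perror("accept"); continue; }
        inet_ntop(AF_INET, &peer.sin_addr, addr, sizeof(addr));
        if (get_peer_label(cfd, label, sizeof(label)) < 0)
            printf("-> connect(%s, no peer label: %s)\n", addr, strerror(errno));
        else
            printf("-> connect(%s, %s) [%s]\n", addr, label,
                   classify_peer_label(label) == PEER_LABEL_FULL ? "full context" : "MLS only");
        close(cfd);
    }
}
```

Run it in place of getpeercon_server and connect with telnet or netcat to the eth0 address and to localhost; with the mapping above, only the loopback connection should be reported as a full context. On a kernel with no LSM behind SO_PEERSEC the getsockopt call fails with ENOPROTOOPT, and the server reports that instead of treating an empty buffer as a label.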


( 6 comments — Leave a comment )
Feb. 6th, 2013 11:53 am (UTC)
If I want to send the complete SELinux security context (including the MLS level) over the network (and not over the loopback network interface), can you suggest any suitable way to do this?
Feb. 6th, 2013 04:02 pm (UTC)
At present the only way to send the entire SELinux security context over the network is with labeled IPsec. A word of caution about labeled IPsec: it only works with other Linux/SELinux systems, and those systems should be using the same type/version of the SELinux policy to avoid any problems with the SELinux contexts having different meanings on the two systems.
Feb. 12th, 2013 05:41 am (UTC)
Does labeled IPsec work with InfiniBand and/or IP over InfiniBand?
If not, then is there any way to send the entire SELinux security context over the InfiniBand or IP over InfiniBand network?
Feb. 12th, 2013 02:47 pm (UTC)
Labeled IPsec is like traditional IPsec in that it runs on top of IPv4 or IPv6. While I've personally never tested labeled IPsec running on non-Ethernet based networks, as long as IP is supported properly I see no reason why labeled IPsec would not work over IP/InfiniBand.
Feb. 13th, 2013 09:53 am (UTC)
In my case data transfer is over an InfiniBand network and we are using IP just for identification of nodes in the network.
Now, is it possible to send the complete security context over this InfiniBand network using labeled IPsec?
If yes, then can you give a short explanation of how it can be done?
Feb. 13th, 2013 02:20 pm (UTC)
As I mentioned previously, I do not have any personal experience with InfiniBand networking. If your current InfiniBand network does not use IP based networking I do not believe you will be able to use labeled IPsec.


Paul Moore
