Klaus Weidner wrote:
> On Tue, Oct 17, 2006 at 08:36:07AM -0400, Paul Moore wrote:
>
>>On Monday 16 October 2006 9:49 pm, Klaus Weidner wrote:
>>
>>>For recvmsg/recvfrom with unconnected sockets (for example UDP), that
>>>should mean that incoming packets get dropped in the packet/socket check,
>>>and that the read call will never fail due to missing MLS rights - it
>>>just won't get any data.
>>
>>I'm only going to speak about the recvfrom permission as that is what
>>NetLabel/CIPSO uses, if I remember correctly recvmsg is only used by the
>>compat_net method of determining local packet labels.
>
> I had meant the recvfrom() system call/library function, not the name
> used in the constraints. Are the access check locations the same with and
> without compat_net?
Yes, the socket access checks are the same regardless of the compat_net setting.

>>There are basically two checks a packet with CIPSO tagging must face before
>>it can be "read" by a process. The first check is a check between the
>>generated (explained above) NetLabel packet context and the receiving
>>socket's context; this uses the "recvfrom" permission. The second check is
>>between the process's domain and the socket's context; this uses the normal
>>socket read permissions.
>
> If I understand things right, the first check would generally succeed for
> packets within open TCP sessions (assuming no packet tampering) since the
> socket MLS label was set based on the handshake packets, and the second
> check is the security enforcing one that ensures the process can't
> read/write at the wrong level?

Yep.

>>>For sendto/sendmsg, the MLS check would happen at
>>>the receiving machine, does this mean that there is no MLS enforcement
>>>for sending packets out at this level? Will they get dropped if there is
>>>no valid CIPSO DOI mapping or SELinux SA?
>>
>>NetLabel does not impose any additional restrictions on sending data (other
>>than denying the send if it can not label the data as intended by the
>>configuration). This is largely due to the fact that CIPSO does not do any
>>sort of negotiation between hosts; it simply attaches the security
>>attributes to a packet and dumps the packet on the wire.
>
> So if you configure a DOI that only defines certain levels and categories
> (say, up to s1:c0.c7), does that ensure that packets won't be sent out at
> higher levels?

If NetLabel can't send a packet with a label for whatever reason (out of
memory, undefined MLS label mapping <what you described above>, etc) it will
fail. On the receive end if NetLabel sees a CIPSO tag with a MLS label that
it can't map to a local MLS label it drops the packet before it even hits
the SELinux checks.
--
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
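The check order Paul describes above (DOI translation first, then the packet-vs-socket "recvfrom" check, then the process-vs-socket read check, with the send side failing only when a label cannot be mapped) can be made concrete with a small model. The following Python is an added illustration and is not code from this thread, from NetLabel or from SELinux. The DOI contents, the label values and the dominance rule used for the packet-vs-socket stage are constructed assumptions; in a real system that stage is decided by the loaded policy's constraints, not by a fixed dominance test.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class MlsLabel:
    """A minimal MLS label: one sensitivity level plus a category set."""
    level: int
    cats: FrozenSet[int] = field(default_factory=frozenset)

    def dominates(self, other: "MlsLabel") -> bool:
        # Standard MLS dominance: level is higher or equal and the
        # category set is a superset.
        return self.level >= other.level and self.cats >= other.cats


@dataclass
class CipsoDoi:
    """A translated CIPSO DOI (hypothetical values). Only the remote levels
    and categories listed here have a local equivalent; anything else has
    no mapping, which is the case discussed in the thread."""
    levels: Dict[int, int]   # remote level -> local level
    cats: Dict[int, int]     # remote category -> local category

    def to_local(self, remote_level: int, remote_cats: Iterable[int]) -> Optional[MlsLabel]:
        """Map an incoming CIPSO tag to a local label; None means 'no mapping'."""
        if remote_level not in self.levels:
            return None
        local_cats = set()
        for c in remote_cats:
            if c not in self.cats:
                return None
            local_cats.add(self.cats[c])
        return MlsLabel(self.levels[remote_level], frozenset(local_cats))

    def to_remote(self, label: MlsLabel) -> Optional[Tuple[int, FrozenSet[int]]]:
        """Reverse mapping used on send; None means the packet can't be labelled."""
        rev_levels = {v: k for k, v in self.levels.items()}
        rev_cats = {v: k for k, v in self.cats.items()}
        if label.level not in rev_levels or not all(c in rev_cats for c in label.cats):
            return None
        return rev_levels[label.level], frozenset(rev_cats[c] for c in label.cats)


def receive(doi: CipsoDoi, remote_level: int, remote_cats: Iterable[int],
            socket_label: MlsLabel, process_label: MlsLabel) -> str:
    """Return which stage a received packet reaches, in the order the thread describes."""
    # Stage 0: DOI translation. A tag with no local mapping is dropped
    # before any SELinux check runs.
    pkt = doi.to_local(remote_level, remote_cats)
    if pkt is None:
        return "dropped:unmapped-label"
    # Stage 1: packet context vs socket context ("recvfrom"). Modelled here
    # as "socket dominates packet" (assumption; the real rule is policy-defined).
    # A failure here is a silent drop: the read call just sees no data.
    if not socket_label.dominates(pkt):
        return "dropped:recvfrom"
    # Stage 2: process domain vs socket context (normal socket read
    # permission, MLS read-down). This is the stage a failed read surfaces from.
    if not process_label.dominates(socket_label):
        return "denied:read"
    return "delivered"


def send(doi: CipsoDoi, label: MlsLabel) -> Optional[Tuple[int, FrozenSet[int]]]:
    """Send side: no extra restriction, but the send fails if the label cannot be mapped."""
    return doi.to_remote(label)


if __name__ == "__main__":
    # Constructed DOI: levels 0 and 1, categories 0..7 (like "up to s1:c0.c7").
    doi = CipsoDoi(levels={0: 0, 1: 1}, cats={c: c for c in range(8)})
    hi = MlsLabel(1, frozenset(range(8)))
    lo = MlsLabel(0)
    print(receive(doi, 1, {0, 1}, hi, hi))   # delivered
    print(receive(doi, 2, set(), hi, hi))    # dropped:unmapped-label
    print(receive(doi, 1, {0}, lo, hi))      # dropped:recvfrom
    print(receive(doi, 1, set(), hi, lo))    # denied:read
    print(send(doi, MlsLabel(3)))            # None
```

The model makes the thread's two observations visible: a packet whose level or category is outside the DOI never reaches the SELinux checks at all, and a packet that fails the packet-vs-socket stage disappears without an error to the reader, whereas the process-vs-socket stage is the one that actually refuses the read.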
