Re: SELinux system configuration using CIPSO
On 11/22/2016 1:42 PM, Paul Moore wrote:
> On Tue, Nov 22, 2016 at 12:32 PM, Stephen Smalley wrote:
>> On 11/22/2016 11:44 AM, Richard Haines wrote:
>>> On Tue, 2016-11-15 at 09:28 -0800, Casey Schaufler wrote:
>>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>>> I put this together out of idle curiosity using the targeted policy, as no policy updates are required, only netlabelctl commands. If you need something else like policy config let me know and I'll see what I can do.
>> Hmm... wondering how hard it would be to add this to the selinux-testsuite, possibly run via a new Makefile target separate from the rest of the tests since it requires setting up two machines.
> Thanks for putting that together Richard.

Indeed. I have attached a tarball containing:

- A Makefile for compiling and running the demos
- The programs, in their respective files
- The original message

The programs and Makefile need copyrights and licenses. I've changed the program names so they're less generic. I execute the programs from the current directory rather than installing them in a public place. I have made no effort to make this work anywhere but on Fedora. A cool enhancement would be to auto-detect whether you're running on MachineA or MachineB. Maybe in the next round. I am also thinking about a "one-shot" option in the server and remote execution. In any case, this is very helpful. Thank you. (Bwah Hah Hah)

> I'm all for inclusion into the selinux-testsuite so long as the default remains single host. However, for the record there is almost *zero* difference between loopback and remote CIPSO communication so long as the standard tags are used; if you use the "local" configuration the code paths are the same, we just do some nasty tricks to pass the full SELinux label (yes, the user:role:type info as well as a ranged MLS label) and intentionally munge the checksum in case the packets ever find themselves on the wire.
>
> I also hope to merge the CALIPSO support into the netlabel_tools package soon, I just need to finish sorting out some completely unrelated audit multicast and queue problems first ...

Attachment: cipso-demo.tar

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: SELinux system configuration using CIPSO
On Tue, Nov 22, 2016 at 12:32 PM, Stephen Smalley wrote:
> On 11/22/2016 11:44 AM, Richard Haines wrote:
>> On Tue, 2016-11-15 at 09:28 -0800, Casey Schaufler wrote:
>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>> I put this together out of idle curiosity using the targeted policy, as no policy updates are required, only netlabelctl commands. If you need something else like policy config let me know and I'll see what I can do.
> Hmm... wondering how hard it would be to add this to the selinux-testsuite, possibly run via a new Makefile target separate from the rest of the tests since it requires setting up two machines.

Thanks for putting that together Richard. I'm all for inclusion into the selinux-testsuite so long as the default remains single host. However, for the record there is almost *zero* difference between loopback and remote CIPSO communication so long as the standard tags are used; if you use the "local" configuration the code paths are the same, we just do some nasty tricks to pass the full SELinux label (yes, the user:role:type info as well as a ranged MLS label) and intentionally munge the checksum in case the packets ever find themselves on the wire.

I also hope to merge the CALIPSO support into the netlabel_tools package soon, I just need to finish sorting out some completely unrelated audit multicast and queue problems first ...

-- 
paul moore
www.paul-moore.com
Re: SELinux system configuration using CIPSO
On 11/22/2016 11:44 AM, Richard Haines wrote:
> On Tue, 2016-11-15 at 09:28 -0800, Casey Schaufler wrote:
>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
> I put this together out of idle curiosity using the targeted policy, as no policy updates are required, only netlabelctl commands. If you need something else like policy config let me know and I'll see what I can do.

Hmm... wondering how hard it would be to add this to the selinux-testsuite, possibly run via a new Makefile target separate from the rest of the tests since it requires setting up two machines.
Re: SELinux system configuration using CIPSO
On Tue, 2016-11-15 at 09:28 -0800, Casey Schaufler wrote:
> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.

I put this together out of idle curiosity using the targeted policy, as no policy updates are required, only netlabelctl commands. If you need something else like policy config let me know and I'll see what I can do.

This is a simple CIPSO demo showing that separation across the network is possible where there are two services on machine A and two clients on machine B, where client B1 can talk to service A1 but not A2 and client B2 can talk to service A2 but not A1.

The demo shown requires:

1) Two systems with the NETLABEL kernel config and the "targeted" SELinux policy. Used Fedora 24 for demo as this does not require any additional configuration.
2) netlabel_tools and tcpdump installed on each system.
3) Machine "A" requires a server app installed and Machine "B" a client app. I've added the code below that can be copied and built/installed on each machine. Note that the binaries must be labeled bin_t so these were installed in /usr/local/bin.
4) The demo network used:

   -- Ethernet 193.168.1.65 -- | A1, A2 | <> | B1, B2 | -- 193.168.1.78 --

Basically the demo configures the network for CIPSO using netlabelctl(8) and then runs the client / server apps using runcon(1) with different levels. Because the targeted policy is being used there is only the single s0 sensitivity with 1024 categories, however I think it does show the basics.

Demo 1 - Just prove the system works
------------------------------------
On Machine A run a server from a terminal session:
    server

On Machine B run a client from a terminal session:
    client 193.168.1.78

There should be output from each app with an example client:

    client 193.168.1.78
    open socket - Peer Context: system_u:object_r:unlabeled_t:s0
    connect - No Peer Context Available
    recv - No Peer Context Available
    Information from Server in RED:
    This is Message-1 from the server listening on port:
    Client source port: 40152
    Server Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Server Peer Context: No Peer Context Available
    Client Information in GREEN:
    Client Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Client Peer Context: No Peer Context Available

Now exit the server session.

Demo 2 - Add cipso config
-------------------------
On Machine A run the following to set up cipso:
    netlabelctl cipsov4 add pass doi:15 tags:5
    netlabelctl map add domain:unconfined_t address:0.0.0.0/0 protocol:unlbl
    netlabelctl map add domain:unconfined_t address:193.168.1.65 protocol:cipsov4,15
    netlabelctl -p map list

On Machine B run:
    netlabelctl cipsov4 add pass doi:15 tags:5
    netlabelctl map add domain:unconfined_t address:0.0.0.0/0 protocol:unlbl
    netlabelctl map add domain:unconfined_t address:193.168.1.78 protocol:cipsov4,15
    netlabelctl -p map list

The output from the "netlabelctl -p map list" command should be like:

    netlabelctl -p map list
    Configured NetLabel domain mappings (2)
     domain: "unconfined_t"
       address: 193.168.1.78/32
        protocol: CIPSOv4, DOI = 15
       address: 0.0.0.0/0
        protocol: UNLABELED
     domain: DEFAULT
       protocol: UNLABELED

If okay then run the sessions shown in Demo 3 using "tcpdump -x -i " to monitor the sessions. There is an example client tcpdump session showing the relevant info after the demos.

Demo 3 - Check cipso network separation
---------------------------------------
On Machine A run two servers from separate terminal sessions:
    A1  runcon -l s0:c10,c40.c50 server
    A2  runcon -l s0:c20,c100.c200 server

On Machine B run two clients from separate terminal sessions:
    B1 -> A1  runcon -l s0:c10,c40.c45 client 193.168.1.78
    B2 -> A2  runcon -l s0:c20,c100.c200 client 193.168.1.78

There should be valid output from each session, for example:

    runcon -l s0:c10,c40.c45 client 193.168.1.78
    open socket - Peer Context: system_u:object_r:unlabeled_t:s0
    connect - Peer Context: system_u:object_r:netlabel_peer_t:s0:c10,c40.c45
    recv - Peer Context: system_u:object_r:netlabel_peer_t:s0:c10,c40.c45
    Information from Server in RED:
    This is Message-1 from the server listening on port:
    Client source port: 40250
    Server Context: unconfined_u:unconfined_r:unconfined_t:s0:c10,c40.c50
    Server Peer Context: system_u:object_r:netlabel_peer_t:s0:c10,c40.c45
    Client Informa
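The "Peer Context" lines in the demo output are what getpeercon(3) returns; libselinux implements that call with getsockopt(SO_PEERSEC). The block below is an added example, not the client/server programs from the thread or from the tarball: it reads the peer label the same way using only the Python standard library, runs the exchange over an AF_UNIX socket pair (no CIPSO involved, but enough to exercise the reading code) and over loopback TCP, and reports the demo's "No Peer Context Available" whenever the kernel has no label for the peer. The SO_PEERSEC value 31, the decision to treat every getsockopt failure as "no peer label", and the message text are assumptions made here.

```python
"""Peer-label probes in the style of the demo client/server output.
Added example (not the thread's demo programs): reads the SELinux peer
context with getsockopt(SO_PEERSEC), the call behind libselinux's
getpeercon(3), and reports the demo's "No Peer Context Available" when the
kernel has no label for the peer."""
import socket
import threading

# Assumption: SO_PEERSEC is 31 (its value on x86 and arm Linux); the getattr
# prefers the constant whenever this Python build exports it.
SO_PEERSEC = getattr(socket, "SO_PEERSEC", 31)
NO_PEER = "No Peer Context Available"
MESSAGE = b"This is Message-1 from the server"


def peer_context(sock):
    """Peer SELinux context of sock, or NO_PEER when the kernel has none.
    SELinux answers ENOPROTOOPT for a TCP socket whose peer address has no
    NetLabel mapping, and a kernel without SELinux fails the same way; any
    getsockopt failure is reported as NO_PEER here (assumption: no caller
    needs to tell the errnos apart)."""
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError:
        return NO_PEER
    return raw.split(b"\0", 1)[0].decode("ascii", "replace") or NO_PEER


def own_context():
    """This process's own context, what getcon(3) reports."""
    try:
        with open("/proc/self/attr/current", "rb") as f:
            return f.read().split(b"\0", 1)[0].decode("ascii", "replace") or "unknown"
    except OSError:
        return "unknown"


def _recv_exact(sock, n):
    """Read exactly n bytes (or fewer at EOF) from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_pair(client, server, payload=MESSAGE):
    """Push payload server -> client over a connected pair and record what
    SO_PEERSEC says at each end before and after the data moves (the demo's
    "connect" and "recv" probes)."""
    seen = {"client_peer_after_connect": peer_context(client),
            "server_peer": peer_context(server)}
    server.sendall(payload)
    seen["payload"] = _recv_exact(client, len(payload))
    seen["client_peer_after_recv"] = peer_context(client)
    seen["client_context"] = own_context()
    return seen


def demo_over_socketpair():
    """AF_UNIX pair: no CIPSO on the wire, but on an SELinux kernel SO_PEERSEC
    still yields the peer process's context, so this checks the reading code
    without any netlabelctl setup."""
    a, b = socket.socketpair()
    with a, b:
        return probe_pair(a, b)


def run_loopback_demo(host="127.0.0.1"):
    """One-machine TCP version: server thread plus client.  With no NetLabel
    mapping every probe after the unconnected-socket one is NO_PEER, as in
    Demo 1; with the cipsov4 mapping for the peer address in place the peer
    shows up as netlabel_peer_t carrying the sender's categories (Demo 3)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                  # port 0: the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            seen["server_peer"] = peer_context(conn)
            conn.sendall(MESSAGE)

    t = threading.Thread(target=serve)
    t.start()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        seen["client_peer_open"] = peer_context(cli)   # the demo's "open socket" probe
        cli.connect((host, port))
        seen["client_peer_after_connect"] = peer_context(cli)
        seen["payload"] = _recv_exact(cli, len(MESSAGE))
        seen["client_peer_after_recv"] = peer_context(cli)
    t.join()
    srv.close()
    seen["client_context"] = own_context()
    return seen


if __name__ == "__main__":
    for key, value in run_loopback_demo().items():
        print("%-26s %s" % (key, value))
```

Run it under runcon with different levels on a box where the netlabelctl mappings from Demo 2 point at 127.0.0.1 and the TCP probes after connect/recv change from NO_PEER to a netlabel_peer_t context; the socket-pair variant is only a sanity check of the SO_PEERSEC handling and says nothing about CIPSO.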
Re: SELinux system configuration using CIPSO
On 11/15/2016 3:52 PM, Harry Waddell wrote:
> On Tue, 15 Nov 2016 15:07:34 -0800 Casey Schaufler wrote:
>> On 11/15/2016 2:36 PM, Harry Waddell wrote:
>>> On Tue, 15 Nov 2016 13:43:28 -0500 Stephen Smalley wrote:
>>>> On 11/15/2016 01:34 PM, Casey Schaufler wrote:
>>>>> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>>>>>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>>>>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>>>>>> Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.
>>>>> That will probably get me started. I'll have a look at the test documentation. I am also looking for a configuration that I can use for exploring a "real" CIPSO environment, where two or more machines are talking to each other using CIPSO. I think that I understand how that is supposed to work, but there's nothing like seeing the packets fly. Is there a case for that in the test suite? Thank you.
>>>> Not in the selinux-testsuite, since it doesn't presently require/expect you to set up two different systems. Probably the lspp testsuite or Paul Moore's blog or maybe the SELinux Notebook for samples of that kind of configuration. Note that in that cross-machine case, CIPSO only passes an encoding of the MLS label, not the user:role:type information.
>>> In addition to the user:role:type information, there are other limits to what you can pass over the wire via netlabel due to the way the CIPSO information is encoded in the packet.
>>>
>>> You can only encode a single sensitivity because the CIPSO spec only stores it in a single integer. s0:c0.c1023 passes fine, but s0-s2:c0.c1023 will get reduced to s0:c0.c1023.
>>>
>>> Unlike the sensitivity it is possible to pass some fairly complex sets of categories. When you create a DOI, you can specify how the categories will be encoded using a tag of 1, 2, or 5. (These are bitmap, enumerated and range types respectively.) What categories can be passed via netlabel is dependent on the limits of these types.
>>>
>>> The bottom line is that it's entirely possible to have a valid context that netlabel will not be able to fully preserve. Netlabel is still very useful, but you have to remain mindful of its limitations.
>>>
>>> The above is based on my reading of the CIPSO spec and my experience with netlabel. It's entirely possible my understanding is incomplete and/or out of date. Someone like Paul Moore can speak with much greater authority.
>>>
>>> HW
>> I understand CIPSO reasonably well, having been involved in its development back in the late 80's and early 90's*. What I'm looking for is a way to set up an SELinux system that uses CIPSO without having to learn all the gnarly details of SELinux network administration. A sample configuration would be a big help.
>>
>> ---
>> * I was working at Sun, Silicon Graphics and Cray on B1 Unix systems. They used CIPSO long before the RFC was published.
> It depends entirely on what you mean by "uses"

I'd be happy with any sort of demo that shows you can preserve separation across the network. It could be as simple as having two services on machine A and two clients on machine B where client B1 can talk to service A1 but not A2 and client B2 can talk to service A2 but not A1. I'm not planning to implement anything in particular, I really just want to see that it can be done. Then I'm going to use it to ensure that changes I make don't break it.

> and I totally get what you mean when you say you don't want to learn about selinux net admin, but depending on what you want to do, I'm not sure you can get out of it. Paul Moore's blog posts are the best thing I know of but they break everything up into pieces, so AFAIK, there's no single example that is comprehensive. It certainly wasn't easy going for me as there are a lot of parts that need to be set up. I now have what I need in a working state, but I'm pretty sure at least some of what I've done would have been redundant and unnecessary if I'd just taken the time to define my nodes, booleans, etc... correctly.
>
> For example, I have this intended to allow ping to work:
>
> #= ping_t ==
> allow ping_t netlabel_peer_t:netif e
Re: SELinux system configuration using CIPSO
On Tue, 15 Nov 2016 15:07:34 -0800 Casey Schaufler wrote:
> On 11/15/2016 2:36 PM, Harry Waddell wrote:
>> On Tue, 15 Nov 2016 13:43:28 -0500 Stephen Smalley wrote:
>>> On 11/15/2016 01:34 PM, Casey Schaufler wrote:
>>>> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>>>>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>>>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>>>>> Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.
>>>> That will probably get me started. I'll have a look at the test documentation. I am also looking for a configuration that I can use for exploring a "real" CIPSO environment, where two or more machines are talking to each other using CIPSO. I think that I understand how that is supposed to work, but there's nothing like seeing the packets fly. Is there a case for that in the test suite? Thank you.
>>> Not in the selinux-testsuite, since it doesn't presently require/expect you to set up two different systems. Probably the lspp testsuite or Paul Moore's blog or maybe the SELinux Notebook for samples of that kind of configuration. Note that in that cross-machine case, CIPSO only passes an encoding of the MLS label, not the user:role:type information.
>> In addition to the user:role:type information, there are other limits to what you can pass over the wire via netlabel due to the way the CIPSO information is encoded in the packet.
>>
>> You can only encode a single sensitivity because the CIPSO spec only stores it in a single integer. s0:c0.c1023 passes fine, but s0-s2:c0.c1023 will get reduced to s0:c0.c1023.
>>
>> Unlike the sensitivity it is possible to pass some fairly complex sets of categories. When you create a DOI, you can specify how the categories will be encoded using a tag of 1, 2, or 5. (These are bitmap, enumerated and range types respectively.) What categories can be passed via netlabel is dependent on the limits of these types.
>>
>> The bottom line is that it's entirely possible to have a valid context that netlabel will not be able to fully preserve. Netlabel is still very useful, but you have to remain mindful of its limitations.
>>
>> The above is based on my reading of the CIPSO spec and my experience with netlabel. It's entirely possible my understanding is incomplete and/or out of date. Someone like Paul Moore can speak with much greater authority.
>>
>> HW
> I understand CIPSO reasonably well, having been involved in its development back in the late 80's and early 90's*. What I'm looking for is a way to set up an SELinux system that uses CIPSO without having to learn all the gnarly details of SELinux network administration. A sample configuration would be a big help.
>
> ---
> * I was working at Sun, Silicon Graphics and Cray on B1 Unix systems. They used CIPSO long before the RFC was published.

It depends entirely on what you mean by "uses" and I totally get what you mean when you say you don't want to learn about selinux net admin, but depending on what you want to do, I'm not sure you can get out of it. Paul Moore's blog posts are the best thing I know of but they break everything up into pieces, so AFAIK, there's no single example that is comprehensive. It certainly wasn't easy going for me as there are a lot of parts that need to be set up. I now have what I need in a working state, but I'm pretty sure at least some of what I've done would have been redundant and unnecessary if I'd just taken the time to define my nodes, booleans, etc... correctly.

For example, I have this intended to allow ping to work:

#= ping_t ==
allow ping_t netlabel_peer_t:netif egress;

I did what I expect most people do which is to set it up and see what breaks. My work is definitely not good enough to be an example for others just yet.

HW
Re: SELinux system configuration using CIPSO
On 11/15/2016 2:36 PM, Harry Waddell wrote:
> On Tue, 15 Nov 2016 13:43:28 -0500 Stephen Smalley wrote:
>> On 11/15/2016 01:34 PM, Casey Schaufler wrote:
>>> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>>>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>>>> Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.
>>> That will probably get me started. I'll have a look at the test documentation. I am also looking for a configuration that I can use for exploring a "real" CIPSO environment, where two or more machines are talking to each other using CIPSO. I think that I understand how that is supposed to work, but there's nothing like seeing the packets fly. Is there a case for that in the test suite? Thank you.
>> Not in the selinux-testsuite, since it doesn't presently require/expect you to set up two different systems. Probably the lspp testsuite or Paul Moore's blog or maybe the SELinux Notebook for samples of that kind of configuration. Note that in that cross-machine case, CIPSO only passes an encoding of the MLS label, not the user:role:type information.
> In addition to the user:role:type information, there are other limits to what you can pass over the wire via netlabel due to the way the CIPSO information is encoded in the packet.
>
> You can only encode a single sensitivity because the CIPSO spec only stores it in a single integer. s0:c0.c1023 passes fine, but s0-s2:c0.c1023 will get reduced to s0:c0.c1023.
>
> Unlike the sensitivity it is possible to pass some fairly complex sets of categories. When you create a DOI, you can specify how the categories will be encoded using a tag of 1, 2, or 5. (These are bitmap, enumerated and range types respectively.) What categories can be passed via netlabel is dependent on the limits of these types.
>
> The bottom line is that it's entirely possible to have a valid context that netlabel will not be able to fully preserve. Netlabel is still very useful, but you have to remain mindful of its limitations.
>
> The above is based on my reading of the CIPSO spec and my experience with netlabel. It's entirely possible my understanding is incomplete and/or out of date. Someone like Paul Moore can speak with much greater authority.
>
> HW

I understand CIPSO reasonably well, having been involved in its development back in the late 80's and early 90's*. What I'm looking for is a way to set up an SELinux system that uses CIPSO without having to learn all the gnarly details of SELinux network administration. A sample configuration would be a big help.

---
* I was working at Sun, Silicon Graphics and Cray on B1 Unix systems. They used CIPSO long before the RFC was published.
Re: SELinux system configuration using CIPSO
On Tue, 15 Nov 2016 13:43:28 -0500 Stephen Smalley wrote:
> On 11/15/2016 01:34 PM, Casey Schaufler wrote:
>> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>>> Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.
>> That will probably get me started. I'll have a look at the test documentation. I am also looking for a configuration that I can use for exploring a "real" CIPSO environment, where two or more machines are talking to each other using CIPSO. I think that I understand how that is supposed to work, but there's nothing like seeing the packets fly. Is there a case for that in the test suite? Thank you.
> Not in the selinux-testsuite, since it doesn't presently require/expect you to set up two different systems. Probably the lspp testsuite or Paul Moore's blog or maybe the SELinux Notebook for samples of that kind of configuration. Note that in that cross-machine case, CIPSO only passes an encoding of the MLS label, not the user:role:type information.

In addition to the user:role:type information, there are other limits to what you can pass over the wire via netlabel due to the way the CIPSO information is encoded in the packet.

You can only encode a single sensitivity because the CIPSO spec only stores it in a single integer. s0:c0.c1023 passes fine, but s0-s2:c0.c1023 will get reduced to s0:c0.c1023.

Unlike the sensitivity it is possible to pass some fairly complex sets of categories. When you create a DOI, you can specify how the categories will be encoded using a tag of 1, 2, or 5. (These are bitmap, enumerated and range types respectively.) What categories can be passed via netlabel is dependent on the limits of these types.

The bottom line is that it's entirely possible to have a valid context that netlabel will not be able to fully preserve. Netlabel is still very useful, but you have to remain mindful of its limitations.

The above is based on my reading of the CIPSO spec and my experience with netlabel. It's entirely possible my understanding is incomplete and/or out of date. Someone like Paul Moore can speak with much greater authority.

HW
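The limits Harry describes here, and the "cipsov4 add pass doi:15 tags:5" DOI that Richard's demo creates with netlabelctl, are easiest to see by building the option bytes that end up in the IP header. The block below is an added example, not code from the thread or from netlabel_tools: it encodes a single-level SELinux MLS label into a CIPSO IPv4 option (type 0x86, the bytes "tcpdump -x" shows) for a pass-through DOI using tag type 1, 2 or 5, decodes it back, and refuses what the encoding cannot carry: a ranged sensitivity, a category above c239 in a bitmap, more than fifteen enumerated categories, or more ranges than fit in one tag. The size constants (40-byte IP option, 34-byte tag), the descending top/bottom ordering of tag 5 pairs with an omitted trailing zero bottom, and the one-tag-per-option layout are my reading of the CIPSO draft and should be treated as assumptions rather than as a statement of what the kernel emits.

```python
"""CIPSO IPv4 option encoder/decoder for single-level SELinux MLS labels.
Added example, not code from the thread or netlabel_tools.  Layout assumed (my
reading of the CIPSO draft): type 0x86, option length, 4-byte DOI, then one tag
of [tag type, tag length, alignment octet 0, sensitivity level, categories]."""
import re
import struct

CIPSO_OPT_TYPE = 0x86
OPT_HDR, TAG_HDR, TAG_MAX = 6, 4, 34   # option header, tag header, 40-byte IP limit minus 6
CAT_DATA_MAX = TAG_MAX - TAG_HDR       # 30 bytes of category data per tag
BITMAP_MAX_CAT = CAT_DATA_MAX * 8 - 1  # tag 1 reaches c239
ENUM_MAX_CATS = CAT_DATA_MAX // 2      # tag 2 lists at most 15 categories
_LEVEL = re.compile(r"^s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$")

def parse_level(label):
    """'s0:c10,c40.c45' -> (0, {10, 40, ..., 45}); 's0-s2:...' is refused."""
    m = _LEVEL.match(label)
    if not m:   # ranged labels fail here too: a tag carries one sensitivity octet
        raise ValueError("need a single-level MLS label, got %r" % label)
    cats = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        lo_s, _, hi_s = part.partition(".")
        lo, hi = int(lo_s[1:]), int(hi_s[1:]) if hi_s else int(lo_s[1:])
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), cats

def _ranges(cats):
    """Categories -> [(top, bottom), ...], highest range first (tag 5 order)."""
    out = []
    for c in sorted(cats, reverse=True):
        if out and out[-1][1] == c + 1:
            out[-1] = (out[-1][0], c)
        else:
            out.append((c, c))
    return out

def _cat_bytes(tag_type, cats):
    """Category field for one tag type; ValueError when the label does not fit."""
    if tag_type == 1:                        # bit map, bit 0 is the MSB of octet 0
        if cats and max(cats) > BITMAP_MAX_CAT:
            raise ValueError("tag 1 cannot carry categories above c%d" % BITMAP_MAX_CAT)
        buf = bytearray(max(cats) // 8 + 1 if cats else 0)
        for c in cats:
            buf[c // 8] |= 0x80 >> (c % 8)
        return bytes(buf)
    if tag_type == 2:                        # enumerated 16-bit category numbers
        if len(cats) > ENUM_MAX_CATS:
            raise ValueError("tag 2 holds at most %d categories" % ENUM_MAX_CATS)
        return struct.pack("!%dH" % len(cats), *sorted(cats))
    if tag_type == 5:                        # (top, bottom) pairs, highest range first
        words = [w for pair in _ranges(cats) for w in pair]
        if words and words[-1] == 0:         # a final bottom of 0 may be left out
            words.pop()
        if 2 * len(words) > CAT_DATA_MAX:
            raise ValueError("too many category ranges for tag 5")
        return struct.pack("!%dH" % len(words), *words)
    raise ValueError("unsupported CIPSO tag type %d" % tag_type)

def encode_option(doi, label, tag_type):
    """Option bytes for one single-level label (one tag per option)."""
    level, cats = parse_level(label)
    data = _cat_bytes(tag_type, cats)
    tag = struct.pack("!BBBB", tag_type, TAG_HDR + len(data), 0, level) + data
    return struct.pack("!BBI", CIPSO_OPT_TYPE, OPT_HDR + len(tag), doi) + tag

def decode_option(opt):
    """Option bytes -> (doi, level, categories), checking every length field."""
    if len(opt) < OPT_HDR + TAG_HDR or opt[0] != CIPSO_OPT_TYPE or opt[1] != len(opt):
        raise ValueError("not a well-formed CIPSO option")
    doi, data = struct.unpack("!I", opt[2:6])[0], opt[10:]
    tag_type, tag_len, align, level = opt[6:10]
    if align or tag_len > TAG_MAX or tag_len != TAG_HDR + len(data) or (tag_type != 1 and len(data) % 2):
        raise ValueError("bad tag header or category field length")
    cats = set()
    if tag_type == 1:
        cats = {8 * i + b for i, o in enumerate(data) for b in range(8) if o & (0x80 >> b)}
    elif tag_type == 2:
        cats = set(struct.unpack("!%dH" % (len(data) // 2), data))
    elif tag_type == 5:
        words = list(struct.unpack("!%dH" % (len(data) // 2), data)) + [0]
        for top, bottom in zip(words[0::2], words[1::2]):
            if bottom > top:
                raise ValueError("tag 5 range with bottom above top")
            cats.update(range(bottom, top + 1))
    else:
        raise ValueError("unsupported CIPSO tag type %d" % tag_type)
    return doi, level, cats

def format_label(level, cats):
    """Inverse of parse_level: (0, {10, 40..45}) -> 's0:c10,c40.c45'."""
    parts = ["c%d" % b if t == b else "c%d.c%d" % (b, t) for t, b in reversed(_ranges(cats))]
    return "s%d" % level + (":" + ",".join(parts) if parts else "")

def rejects(doi, label, tag_type):
    """True when encode_option refuses the label for that tag type."""
    try:
        return encode_option(doi, label, tag_type) is None
    except ValueError:
        return True
```

With the demo's DOI 15 and tag 5, "s0:c10,c40.c45" becomes 86 12 00 00 00 0f 05 0c 00 00 00 2d 00 28 00 0a 00 0a: option type 0x86, length 18, DOI 15, then a tag 5 of length 12 at level 0 holding the pairs (45,40) and (10,10). That is the byte run to look for in the "tcpdump -x" output from Demo 3 (the IP header pads the options to a multiple of four bytes, so a few trailing octets follow it). The same label in tag 1 is a six-octet bitmap, while "s0:c0.c1023" fits tag 5 in two octets but cannot be expressed in tag 1 or tag 2 at all, which is the practical side of the limits described above.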
Re: SELinux system configuration using CIPSO
I'm somewhat limited the next few days with just my phone for network access, but the link below has some basic examples. The netlabelctl manpage may also be helpful. Finally, as Stephen already pointed out, the LSPP/audit-test project has some inter-machine CIPSO tests, but you will have to do some digging to get at the configuration examples.

* http://www.paul-moore.com/blog/d/2009/02/netlabel-address-selectors.html

-- 
paul moore
www.paul-moore.com

On November 15, 2016 1:56:22 PM Casey Schaufler wrote:
> On 11/15/2016 10:43 AM, Stephen Smalley wrote:
>> On 11/15/2016 01:34 PM, Casey Schaufler wrote:
>>> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>>>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>>>> Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.
>>> That will probably get me started. I'll have a look at the test documentation. I am also looking for a configuration that I can use for exploring a "real" CIPSO environment, where two or more machines are talking to each other using CIPSO. I think that I understand how that is supposed to work, but there's nothing like seeing the packets fly. Is there a case for that in the test suite? Thank you.
>> Not in the selinux-testsuite, since it doesn't presently require/expect you to set up two different systems. Probably the lspp testsuite or Paul Moore's blog or maybe the SELinux Notebook for samples of that kind of configuration. Note that in that cross-machine case, CIPSO only passes an encoding of the MLS label, not the user:role:type information.
>
> Yeah, the cross machine MLS only encoding is one of the things that I'm most interested in examining carefully. I can't help but think that that is something that could be somewhat tricky to set up, which is why I'm hoping that there's an example I can look at and play with.
Re: SELinux system configuration using CIPSO
On 11/15/2016 10:43 AM, Stephen Smalley wrote:
> On 11/15/2016 01:34 PM, Casey Schaufler wrote:
>> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>>> Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.
>> That will probably get me started. I'll have a look at the test documentation. I am also looking for a configuration that I can use for exploring a "real" CIPSO environment, where two or more machines are talking to each other using CIPSO. I think that I understand how that is supposed to work, but there's nothing like seeing the packets fly. Is there a case for that in the test suite? Thank you.
> Not in the selinux-testsuite, since it doesn't presently require/expect you to set up two different systems. Probably the lspp testsuite or Paul Moore's blog or maybe the SELinux Notebook for samples of that kind of configuration. Note that in that cross-machine case, CIPSO only passes an encoding of the MLS label, not the user:role:type information.

Yeah, the cross machine MLS only encoding is one of the things that I'm most interested in examining carefully. I can't help but think that that is something that could be somewhat tricky to set up, which is why I'm hoping that there's an example I can look at and play with.
Re: SELinux system configuration using CIPSO
On 11/15/2016 01:34 PM, Casey Schaufler wrote:
> On 11/15/2016 10:14 AM, Stephen Smalley wrote:
>> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
>> Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.
>
> That will probably get me started. I'll have a look at the test documentation. I am also looking for a configuration that I can use for exploring a "real" CIPSO environment, where two or more machines are talking to each other using CIPSO. I think that I understand how that is supposed to work, but there's nothing like seeing the packets fly. Is there a case for that in the test suite? Thank you.

Not in the selinux-testsuite, since it doesn't presently require/expect you to set up two different systems. Probably the lspp testsuite or Paul Moore's blog or maybe the SELinux Notebook for samples of that kind of configuration. Note that in that cross-machine case, CIPSO only passes an encoding of the MLS label, not the user:role:type information.
Re: SELinux system configuration using CIPSO
On 11/15/2016 10:14 AM, Stephen Smalley wrote:
> On 11/15/2016 12:28 PM, Casey Schaufler wrote:
>> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.
> Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.

That will probably get me started. I'll have a look at the test documentation. I am also looking for a configuration that I can use for exploring a "real" CIPSO environment, where two or more machines are talking to each other using CIPSO. I think that I understand how that is supposed to work, but there's nothing like seeing the packets fly. Is there a case for that in the test suite? Thank you.
Re: SELinux system configuration using CIPSO
On 11/15/2016 12:28 PM, Casey Schaufler wrote:
> I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you.

Can you clarify what you mean? There is a sample NetLabel configuration in the selinux-testsuite (in tests/inet_socket/netlabel-load) that configures full SELinux labeling over loopback connections, used by the inet_socket tests. And the corresponding SELinux policy rules for those tests can be found in policy/test_inet_socket.te within the testsuite.