* MLS telnet question
@ 2010-04-09 12:02 Benedict, Phillip M
2010-04-13 15:21 ` Daniel J Walsh
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Benedict, Phillip M @ 2010-04-09 12:02 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 1068 bytes --]
Hello,
I am trying to come to a solution regarding the use of telnet on our MLS system. ( I know, ... the decision to use it was made above me ) . :(
What we have is a RHEL 5.3 system with the RedHat MLS policy installed.
The system has multiple physical NICs attached to different networks.
Each network is designated for it's own sensitivity level. ( so we might have one network for s1:c20, one for s2:c40 etc...)
User accounts are created with sensitivity labeling via semange. ( so we might have: user1 with s1:c20, and user2 with s2:c40 etc... )
The network does not carry any cipso data for evaluation by my server, so I don't think I can use netlabel.
Questions:
If I use IPTables/SECMARK to apply sensitivity labels to the packets as they come into the system, will xinetd spawn the telnet session with a matching sensitivity? ( currently the telnet sessions are spawned at SystemLow-SystemHigh )
If telnet is spawned with the appropriate sensitivity, will SELinux disallow a users login who do not have a matching sensitivity?
Thanks,
Mike Benedict
[-- Attachment #2: Type: text/html, Size: 3552 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: MLS telnet question
2010-04-09 12:02 MLS telnet question Benedict, Phillip M
@ 2010-04-13 15:21 ` Daniel J Walsh
2010-04-13 16:18 ` Stephen Smalley
2010-04-13 16:42 ` Michal Svoboda
2 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2010-04-13 15:21 UTC (permalink / raw)
To: Benedict, Phillip M; +Cc: selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/09/2010 08:02 AM, Benedict, Phillip M wrote:
>
> Hello,
>
> I am trying to come to a solution regarding the use of telnet on our MLS system. ( I know, ... the decision to use it was made above me ) . :(
>
> What we have is a RHEL 5.3 system with the RedHat MLS policy installed.
> The system has multiple physical NICs attached to different networks.
> Each network is designated for it's own sensitivity level. ( so we might have one network for s1:c20, one for s2:c40 etc...)
> User accounts are created with sensitivity labeling via semange. ( so we might have: user1 with s1:c20, and user2 with s2:c40 etc... )
> The network does not carry any cipso data for evaluation by my server, so I don't think I can use netlabel.
>
> Questions:
> If I use IPTables/SECMARK to apply sensitivity labels to the packets as they come into the system, will xinetd spawn the telnet session with a matching sensitivity? ( currently the telnet sessions are spawned at SystemLow-SystemHigh )
I believe it should, and you should report a bug if it does not.
> If telnet is spawned with the appropriate sensitivity, will SELinux disallow a users login who do not have a matching sensitivity?
>
Yes.
>
> Thanks,
> Mike Benedict
>
>
I
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvEi/IACgkQrlYvE4MpobPGuACbBVy4vjbEYk9eUZhsDc3ek0X9
X1MAn1bT6PppPbFq8C15UVxp53+MElrz
=U9Q2
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: MLS telnet question
2010-04-09 12:02 MLS telnet question Benedict, Phillip M
2010-04-13 15:21 ` Daniel J Walsh
@ 2010-04-13 16:18 ` Stephen Smalley
2010-04-13 16:42 ` Michal Svoboda
2 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2010-04-13 16:18 UTC (permalink / raw)
To: Benedict, Phillip M; +Cc: selinux, Daniel J Walsh
On Fri, 2010-04-09 at 08:02 -0400, Benedict, Phillip M wrote:
>
>
> Hello,
>
>
>
> I am trying to come to a solution regarding the use of telnet on our
> MLS system. ( I know, … the decision to use it was made above me ) . L
>
>
>
> What we have is a RHEL 5.3 system with the RedHat MLS policy
> installed.
>
> The system has multiple physical NICs attached to different networks.
>
> Each network is designated for it’s own sensitivity level. ( so we
> might have one network for s1:c20, one for s2:c40 etc…)
>
> User accounts are created with sensitivity labeling via semange. ( so
> we might have: user1 with s1:c20, and user2 with s2:c40 etc… )
>
> The network does not carry any cipso data for evaluation by my server,
> so I don’t think I can use netlabel.
>
>
>
> Questions:
>
> If I use IPTables/SECMARK to apply sensitivity labels to the packets
> as they come into the system, will xinetd spawn the telnet session
> with a matching sensitivity? ( currently the telnet sessions are
> spawned at SystemLow-SystemHigh )
No. iptables/secmark labels are only used for access control checks;
they are not "peer contexts" unlike NetLabel or labeled IPSEC.
xinetd.conf does have a LABELED flag that can be used to cause a tcp
non-waiting service to be created in the same context as the connecting
client, but that will only work if using a labeled networking mechanism
like NetLabel or labeled IPSEC.
> If telnet is spawned with the appropriate sensitivity, will SELinux
> disallow a users login who do not have a matching sensitivity?
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: MLS telnet question
2010-04-09 12:02 MLS telnet question Benedict, Phillip M
2010-04-13 15:21 ` Daniel J Walsh
2010-04-13 16:18 ` Stephen Smalley
@ 2010-04-13 16:42 ` Michal Svoboda
2010-04-13 21:54 ` Paul Moore
2 siblings, 1 reply; 10+ messages in thread
From: Michal Svoboda @ 2010-04-13 16:42 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 260 bytes --]
Benedict, Phillip M wrote:
> The network does not carry any cipso data for evaluation by my
> server, so I don’t think I can use netlabel.
You can use the fallback label feature that can assign labels statically
per remote IP.
Michal Svoboda
[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: MLS telnet question
2010-04-13 16:42 ` Michal Svoboda
@ 2010-04-13 21:54 ` Paul Moore
2010-04-14 12:23 ` Benedict, Phillip M
0 siblings, 1 reply; 10+ messages in thread
From: Paul Moore @ 2010-04-13 21:54 UTC (permalink / raw)
To: Benedict, Phillip M; +Cc: Michal Svoboda, selinux
On Tuesday 13 April 2010 12:42:36 pm Michal Svoboda wrote:
> Benedict, Phillip M wrote:
> > The network does not carry any cipso data for evaluation by my
> > server, so I don’t think I can use netlabel.
>
> You can use the fallback label feature that can assign labels statically
> per remote IP.
NetLabel fallback/static label example configuration:
* http://paulmoore.livejournal.com/1758.html
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* RE: MLS telnet question
2010-04-13 21:54 ` Paul Moore
@ 2010-04-14 12:23 ` Benedict, Phillip M
2010-04-14 13:04 ` Michal Svoboda
2010-04-14 14:30 ` Paul Moore
0 siblings, 2 replies; 10+ messages in thread
From: Benedict, Phillip M @ 2010-04-14 12:23 UTC (permalink / raw)
To: Paul Moore; +Cc: Michal Svoboda, selinux
Thanks, I will take another look at Netlabel's fallback/static labeling.
So how can I verify if my kernel (the default RHEL 5.3 kernel 2.6.128) has Netlabel support?
Also I currently have separate ssh daemons running at certain sensitivities (runcon) and bound to specific IP addresses (separate sshd_config files). Will fallback labeling impact my ssh setup?
Thanks
Mike
-----Original Message-----
From: Paul Moore [mailto:paul.moore@hp.com]
Sent: Tuesday, April 13, 2010 5:55 PM
To: Benedict, Phillip M
Cc: Michal Svoboda; selinux@tycho.nsa.gov
Subject: Re: MLS telnet question
On Tuesday 13 April 2010 12:42:36 pm Michal Svoboda wrote:
> Benedict, Phillip M wrote:
> > The network does not carry any cipso data for evaluation by my
> > server, so I don’t think I can use netlabel.
>
> You can use the fallback label feature that can assign labels
> statically per remote IP.
NetLabel fallback/static label example configuration:
* http://paulmoore.livejournal.com/1758.html
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: MLS telnet question
2010-04-14 12:23 ` Benedict, Phillip M
@ 2010-04-14 13:04 ` Michal Svoboda
2010-04-14 14:30 ` Paul Moore
1 sibling, 0 replies; 10+ messages in thread
From: Michal Svoboda @ 2010-04-14 13:04 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 332 bytes --]
Benedict, Phillip M wrote:
> Also I currently have separate ssh daemons running at certain
> sensitivities (runcon) and bound to specific IP addresses (separate
> sshd_config files). Will fallback labeling impact my ssh setup?
I would say that each sshd will be only able to communicate with equally
labeled peers.
Michal Svoboda
[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: MLS telnet question
2010-04-14 12:23 ` Benedict, Phillip M
2010-04-14 13:04 ` Michal Svoboda
@ 2010-04-14 14:30 ` Paul Moore
2010-04-14 17:34 ` Benedict, Phillip M
1 sibling, 1 reply; 10+ messages in thread
From: Paul Moore @ 2010-04-14 14:30 UTC (permalink / raw)
To: Benedict, Phillip M; +Cc: Michal Svoboda, selinux
On Wednesday 14 April 2010 08:23:02 am Benedict, Phillip M wrote:
> Thanks, I will take another look at Netlabel's fallback/static labeling.
> So how can I verify if my kernel (the default RHEL 5.3 kernel 2.6.128) has
> Netlabel support?
While the RHEL5.x kernels have NetLabel support, it is very basic as it
predates most of the labeled networking improvements that have been made in
the past years. Unfortunately, this means that the fallback/static peer label
feature is not part of RHEL5.
> Also I currently have separate ssh daemons running at
> certain sensitivities (runcon) and bound to specific IP addresses
> (separate sshd_config files). Will fallback labeling impact my ssh setup?
You'll need to be more specific about what you mean by "impact".
Will NetLabel affect how you bind the multiple SSH daemons? No. Will
NetLabel affect how the SSH daemons are labeled? No. Will NetLabel allow you
to assign peer labels to incoming SSH traffic? Yes. Will this mean I'll need
to change my SELinux policy to add the necessary controls? It depends.
> -----Original Message-----
> From: Paul Moore [mailto:paul.moore@hp.com]
> Sent: Tuesday, April 13, 2010 5:55 PM
> To: Benedict, Phillip M
> Cc: Michal Svoboda; selinux@tycho.nsa.gov
> Subject: Re: MLS telnet question
>
> On Tuesday 13 April 2010 12:42:36 pm Michal Svoboda wrote:
> > Benedict, Phillip M wrote:
> > > The network does not carry any cipso data for evaluation by my
> > > server, so I don’t think I can use netlabel.
> >
> > You can use the fallback label feature that can assign labels
> > statically per remote IP.
>
> NetLabel fallback/static label example configuration:
>
> * http://paulmoore.livejournal.com/1758.html
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* RE: MLS telnet question
2010-04-14 14:30 ` Paul Moore
@ 2010-04-14 17:34 ` Benedict, Phillip M
2010-04-14 18:33 ` Paul Moore
0 siblings, 1 reply; 10+ messages in thread
From: Benedict, Phillip M @ 2010-04-14 17:34 UTC (permalink / raw)
To: Paul Moore; +Cc: Michal Svoboda, selinux
Thanks,
So one more question if you please...
I seem to recall reading something to the effect of Labeled IPSEC only working between two or more Linux/SELinux systems.
Can Labeled IPSEC be configured to apply static labels to incoming packets?
Thanks,
Mike Benedict
-----Original Message-----
From: Paul Moore [mailto:paul.moore@hp.com]
Sent: Wednesday, April 14, 2010 10:31 AM
To: Benedict, Phillip M
Cc: Michal Svoboda; selinux@tycho.nsa.gov
Subject: Re: MLS telnet question
On Wednesday 14 April 2010 08:23:02 am Benedict, Phillip M wrote:
> Thanks, I will take another look at Netlabel's fallback/static labeling.
> So how can I verify if my kernel (the default RHEL 5.3 kernel 2.6.128)
> has Netlabel support?
While the RHEL5.x kernels have NetLabel support, it is very basic as it predates most of the labeled networking improvements that have been made in the past years. Unfortunately, this means that the fallback/static peer label feature is not part of RHEL5.
> Also I currently have separate ssh daemons running at certain
> sensitivities (runcon) and bound to specific IP addresses (separate
> sshd_config files). Will fallback labeling impact my ssh setup?
You'll need to be more specific about what you mean by "impact".
Will NetLabel affect how you bind the multiple SSH daemons? No. Will NetLabel affect how the SSH daemons are labeled? No. Will NetLabel allow you to assign peer labels to incoming SSH traffic? Yes. Will this mean I'll need to change my SELinux policy to add the necessary controls? It depends.
> -----Original Message-----
> From: Paul Moore [mailto:paul.moore@hp.com]
> Sent: Tuesday, April 13, 2010 5:55 PM
> To: Benedict, Phillip M
> Cc: Michal Svoboda; selinux@tycho.nsa.gov
> Subject: Re: MLS telnet question
>
> On Tuesday 13 April 2010 12:42:36 pm Michal Svoboda wrote:
> > Benedict, Phillip M wrote:
> > > The network does not carry any cipso data for evaluation by my
> > > server, so I don’t think I can use netlabel.
> >
> > You can use the fallback label feature that can assign labels
> > statically per remote IP.
>
> NetLabel fallback/static label example configuration:
>
> * http://paulmoore.livejournal.com/1758.html
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: MLS telnet question
2010-04-14 17:34 ` Benedict, Phillip M
@ 2010-04-14 18:33 ` Paul Moore
0 siblings, 0 replies; 10+ messages in thread
From: Paul Moore @ 2010-04-14 18:33 UTC (permalink / raw)
To: Benedict, Phillip M; +Cc: Michal Svoboda, selinux
On Wednesday 14 April 2010 01:34:11 pm Benedict, Phillip M wrote:
> Thanks,
>
> So one more question if you please...
> I seem to recall reading something to the effect of Labeled IPSEC only
> working between two or more Linux/SELinux systems.
Yes, labeled IPsec only works between two SELinux systems running the same, or
very similar policies.
> Can Labeled IPSEC be configured to apply static labels to incoming
> packets?
No.
> -----Original Message-----
> From: Paul Moore [mailto:paul.moore@hp.com]
> Sent: Wednesday, April 14, 2010 10:31 AM
> To: Benedict, Phillip M
> Cc: Michal Svoboda; selinux@tycho.nsa.gov
> Subject: Re: MLS telnet question
>
> On Wednesday 14 April 2010 08:23:02 am Benedict, Phillip M wrote:
> > Thanks, I will take another look at Netlabel's fallback/static labeling.
> > So how can I verify if my kernel (the default RHEL 5.3 kernel 2.6.128)
> > has Netlabel support?
>
> While the RHEL5.x kernels have NetLabel support, it is very basic as it
> predates most of the labeled networking improvements that have been made
> in the past years. Unfortunately, this means that the fallback/static
> peer label feature is not part of RHEL5.
>
> > Also I currently have separate ssh daemons running at certain
> > sensitivities (runcon) and bound to specific IP addresses (separate
> > sshd_config files). Will fallback labeling impact my ssh setup?
>
> You'll need to be more specific about what you mean by "impact".
>
> Will NetLabel affect how you bind the multiple SSH daemons? No. Will
> NetLabel affect how the SSH daemons are labeled? No. Will NetLabel allow
> you to assign peer labels to incoming SSH traffic? Yes. Will this mean
> I'll need to change my SELinux policy to add the necessary controls? It
> depends.
>
> > -----Original Message-----
> > From: Paul Moore [mailto:paul.moore@hp.com]
> > Sent: Tuesday, April 13, 2010 5:55 PM
> > To: Benedict, Phillip M
> > Cc: Michal Svoboda; selinux@tycho.nsa.gov
> > Subject: Re: MLS telnet question
> >
> > On Tuesday 13 April 2010 12:42:36 pm Michal Svoboda wrote:
> > > Benedict, Phillip M wrote:
> > > > The network does not carry any cipso data for evaluation by my
> > > > server, so I don’t think I can use netlabel.
> > >
> > > You can use the fallback label feature that can assign labels
> > > statically per remote IP.
> >
> > NetLabel fallback/static label example configuration:
> > * http://paulmoore.livejournal.com/1758.html
>
> --
> paul moore
> linux @ hp
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2010-04-14 18:33 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-04-09 12:02 MLS telnet question Benedict, Phillip M
2010-04-13 15:21 ` Daniel J Walsh
2010-04-13 16:18 ` Stephen Smalley
2010-04-13 16:42 ` Michal Svoboda
2010-04-13 21:54 ` Paul Moore
2010-04-14 12:23 ` Benedict, Phillip M
2010-04-14 13:04 ` Michal Svoboda
2010-04-14 14:30 ` Paul Moore
2010-04-14 17:34 ` Benedict, Phillip M
2010-04-14 18:33 ` Paul Moore
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.