labeled network aware kernel

labeled network aware kernel

[Mark Webb]

I am interested in experimenting with the labeled networking that SE
Linux offers.  I am reading through Josh Brindle's blog

http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/

My question is, how do I know if my kernel is capable of supporting
this?  I am currently running Fedora 10 with all the latest updates
but not sure how to check.

Also if I compile a kernel from source, is there anything that needs
to be done in the configuring of the kernel build to enable the
labeled networking?

Thanks,
Mark

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Xavier Toth]

On Wed, Apr 22, 2009 at 6:26 AM, Mark Webb <elihusmails@gmail.com> wrote:
> I am interested in experimenting with the labeled networking that SE
> Linux offers.  I am reading through Josh Brindle's blog
>
> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
>
> My question is, how do I know if my kernel is capable of supporting
> this?  I am currently running Fedora 10 with all the latest updates
> but not sure how to check.
>
> Also if I compile a kernel from source, is there anything that needs
> to be done in the configuring of the kernel build to enable the
> labeled networking?
>
> Thanks,
> Mark
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

netlabel is in the kernel and you'll need to use netlabeltcl from
netlabel_tools to configure it.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Paul Moore]

On Wednesday 22 April 2009 07:26:45 am Mark Webb wrote:
> I am interested in experimenting with the labeled networking that SE
> Linux offers.  I am reading through Josh Brindle's blog
>
> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
>
> My question is, how do I know if my kernel is capable of supporting
> this?  I am currently running Fedora 10 with all the latest updates
> but not sure how to check.

The Fedora kernels are built with all of the labeled networking bits so you 
should be all set from a kernel point of view, but as Xavier/Ted pointed out 
you may need additional userspace packages to configure everything.

> Also if I compile a kernel from source, is there anything that needs
> to be done in the configuring of the kernel build to enable the
> labeled networking?

At this point I have to ask "what kind of labeled networking?"  Labeled 
networking is a fairly generic term with three different mechanisms available 
on Linux: labeled IPsec (likely what you are reading about on Josh's blog), 
Secmark (search James Morris' blog, http://james-morris.livejournal.com), and 
NetLabel (search my blog, http://paulmoore.livejournal.com).

Which are you interested in?  Or perhaps more to the point, what are you 
trying to do?

-- 
paul moore
linux @ hp


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Chad Sellers]

Josh's article talks about IPSec labeled networking (as well as using
SECMARK which provides firewall-level networking controls), as opposed to
Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9
and everything was there, so I'd imagine it's still there in F10. Just make
sure you install ipsec-tools.

Chad Sellers


On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote:

> I am interested in experimenting with the labeled networking that SE
> Linux offers.  I am reading through Josh Brindle's blog
> 
> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
> 
> My question is, how do I know if my kernel is capable of supporting
> this?  I am currently running Fedora 10 with all the latest updates
> but not sure how to check.
> 
> Also if I compile a kernel from source, is there anything that needs
> to be done in the configuring of the kernel build to enable the
> labeled networking?
> 
> Thanks,
> Mark
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Mark Webb]

I am looking at the IPSec-based labeled networking.

BTW.  I will be at the Tresys Advanced Policy course next week.  Is
any of this covered there?

Thanks,

On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote:
> Josh's article talks about IPSec labeled networking (as well as using
> SECMARK which provides firewall-level networking controls), as opposed to
> Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9
> and everything was there, so I'd imagine it's still there in F10. Just make
> sure you install ipsec-tools.
>
> Chad Sellers
>
>
> On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote:
>
>> I am interested in experimenting with the labeled networking that SE
>> Linux offers.  I am reading through Josh Brindle's blog
>>
>> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
>>
>> My question is, how do I know if my kernel is capable of supporting
>> this?  I am currently running Fedora 10 with all the latest updates
>> but not sure how to check.
>>
>> Also if I compile a kernel from source, is there anything that needs
>> to be done in the configuring of the kernel build to enable the
>> labeled networking?
>>
>> Thanks,
>> Mark
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Mark Webb]

Paul,

Thanks for the response.  As of right now, I am just trying to
understand and learn the options available to me.  I am most
interested in the Labeled IPSec.  I would like to study this at both
the kernel level and the network packet level.

--Mark


On Wed, Apr 22, 2009 at 6:16 PM, Paul Moore <paul.moore@hp.com> wrote:
> On Wednesday 22 April 2009 07:26:45 am Mark Webb wrote:
>> I am interested in experimenting with the labeled networking that SE
>> Linux offers.  I am reading through Josh Brindle's blog
>>
>> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
>>
>> My question is, how do I know if my kernel is capable of supporting
>> this?  I am currently running Fedora 10 with all the latest updates
>> but not sure how to check.
>
> The Fedora kernels are built with all of the labeled networking bits so you
> should be all set from a kernel point of view, but as Xavier/Ted pointed out
> you may need additional userspace packages to configure everything.
>
>> Also if I compile a kernel from source, is there anything that needs
>> to be done in the configuring of the kernel build to enable the
>> labeled networking?
>
> At this point I have to ask "what kind of labeled networking?"  Labeled
> networking is a fairly generic term with three different mechanisms available
> on Linux: labeled IPsec (likely what you are reading about on Josh's blog),
> Secmark (search James Morris' blog, http://james-morris.livejournal.com), and
> NetLabel (search my blog, http://paulmoore.livejournal.com).
>
> Which are you interested in?  Or perhaps more to the point, what are you
> trying to do?
>
> --
> paul moore
> linux @ hp
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Paul Moore]

On Wednesday 22 April 2009 11:05:20 pm Mark Webb wrote:
> Paul,
>
> Thanks for the response.  As of right now, I am just trying to
> understand and learn the options available to me.  I am most
> interested in the Labeled IPSec.  I would like to study this at both
> the kernel level and the network packet level.

Okay, fair enough.  Good luck and if you have any questions let us know.

> On Wed, Apr 22, 2009 at 6:16 PM, Paul Moore <paul.moore@hp.com> wrote:
> > On Wednesday 22 April 2009 07:26:45 am Mark Webb wrote:
> >> I am interested in experimenting with the labeled networking that SE
> >> Linux offers.  I am reading through Josh Brindle's blog
> >>
> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinu
> >>x/
> >>
> >> My question is, how do I know if my kernel is capable of supporting
> >> this?  I am currently running Fedora 10 with all the latest updates
> >> but not sure how to check.
> >
> > The Fedora kernels are built with all of the labeled networking bits so
> > you should be all set from a kernel point of view, but as Xavier/Ted
> > pointed out you may need additional userspace packages to configure
> > everything.
> >
> >> Also if I compile a kernel from source, is there anything that needs
> >> to be done in the configuring of the kernel build to enable the
> >> labeled networking?
> >
> > At this point I have to ask "what kind of labeled networking?"  Labeled
> > networking is a fairly generic term with three different mechanisms
> > available on Linux: labeled IPsec (likely what you are reading about on
> > Josh's blog), Secmark (search James Morris' blog,
> > http://james-morris.livejournal.com), and NetLabel (search my blog,
> > http://paulmoore.livejournal.com).
> >
> > Which are you interested in?  Or perhaps more to the point, what are you
> > trying to do?
> >
> > --
> > paul moore
> > linux @ hp

-- 
paul moore
linux @ hp


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Joy Latten]

Hi Mark,

If interested, there are ietf drafts for labeled ipsec,
http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt
and
http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt.

Also, I'd be happy to help by answering any questions. 

regards,
Joy Latten

On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote:
> I am looking at the IPSec-based labeled networking.
> 
> BTW.  I will be at the Tresys Advanced Policy course next week.  Is
> any of this covered there?
> 
> Thanks,
> 
> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote:
> > Josh's article talks about IPSec labeled networking (as well as using
> > SECMARK which provides firewall-level networking controls), as opposed to
> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9
> > and everything was there, so I'd imagine it's still there in F10. Just make
> > sure you install ipsec-tools.
> >
> > Chad Sellers
> >
> >
> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote:
> >
> >> I am interested in experimenting with the labeled networking that SE
> >> Linux offers.  I am reading through Josh Brindle's blog
> >>
> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
> >>
> >> My question is, how do I know if my kernel is capable of supporting
> >> this?  I am currently running Fedora 10 with all the latest updates
> >> but not sure how to check.
> >>
> >> Also if I compile a kernel from source, is there anything that needs
> >> to be done in the configuring of the kernel build to enable the
> >> labeled networking?
> >>
> >> Thanks,
> >> Mark
> >>
> >> --
> >> This message was distributed to subscribers of the selinux mailing list.
> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >> the words "unsubscribe selinux" without quotes as the message.
> >
> >
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Mark Webb]

I am working to get the labelled IPSec working, following Josh
Brindle's blog post
(http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
 I just want to get the client and server running on loopback, using a
fully patched Fedora 10 machine.

I have the following keyfile that I pass into setkey:
----------
spdflush;

flush;

spdadd 127.0.0.1 127.0.0.1 any
-ctx 1 1 "system_u:object_r:default_t:s0"
-P in ipsec esp/transport//require;

spdadd 127.0.0.1 127.0.0.1 any
-ctx 1 1 "system_u:object_r:default_t:s0"
-P out ipsec esp/transport//require;
----------

I enter the following commands:

--- Terminal 1 ---
setenforce 0
setkey -f <keyfile>
./server

--- Terminal 2 ---
# ./client 127.0.0.1
getpeercon: Protocol not available
Received: Hello, (null) from (null)

--- Terminal 1 ---
getsockopt: Protocol not available
server: got connection from 127.0.0.1, (null)

Not sure what I am missing.  I have installed ipsec-tools and started
/etc/init.d/racoon.

Any help would be appreciated.

--Mark


On Fri, Apr 24, 2009 at 5:44 PM, Joy Latten <latten@austin.ibm.com> wrote:
> Hi Mark,
>
> If interested, there are ietf drafts for labeled ipsec,
> http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt
> and
> http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt.
>
> Also, I'd be happy to help by answering any questions.
>
> regards,
> Joy Latten
>
> On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote:
>> I am looking at the IPSec-based labeled networking.
>>
>> BTW.  I will be at the Tresys Advanced Policy course next week.  Is
>> any of this covered there?
>>
>> Thanks,
>>
>> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote:
>> > Josh's article talks about IPSec labeled networking (as well as using
>> > SECMARK which provides firewall-level networking controls), as opposed to
>> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9
>> > and everything was there, so I'd imagine it's still there in F10. Just make
>> > sure you install ipsec-tools.
>> >
>> > Chad Sellers
>> >
>> >
>> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote:
>> >
>> >> I am interested in experimenting with the labeled networking that SE
>> >> Linux offers.  I am reading through Josh Brindle's blog
>> >>
>> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
>> >>
>> >> My question is, how do I know if my kernel is capable of supporting
>> >> this?  I am currently running Fedora 10 with all the latest updates
>> >> but not sure how to check.
>> >>
>> >> Also if I compile a kernel from source, is there anything that needs
>> >> to be done in the configuring of the kernel build to enable the
>> >> labeled networking?
>> >>
>> >> Thanks,
>> >> Mark
>> >>
>> >> --
>> >> This message was distributed to subscribers of the selinux mailing list.
>> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> >> the words "unsubscribe selinux" without quotes as the message.
>> >
>> >
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Justin P. Mattock]

On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
> I am working to get the labelled IPSec working, following Josh
> Brindle's blog post
> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>  I just want to get the client and server running on loopback, using a
> fully patched Fedora 10 machine.
> 
> I have the following keyfile that I pass into setkey:
> ----------
> spdflush;
> 
> flush;
> 
> spdadd 127.0.0.1 127.0.0.1 any
> -ctx 1 1 "system_u:object_r:default_t:s0"
> -P in ipsec esp/transport//require;
> 
> spdadd 127.0.0.1 127.0.0.1 any
> -ctx 1 1 "system_u:object_r:default_t:s0"
> -P out ipsec esp/transport//require;
> ----------
> 
> I enter the following commands:
> 
> --- Terminal 1 ---
> setenforce 0
> setkey -f <keyfile>
> ./server
> 
> --- Terminal 2 ---
> # ./client 127.0.0.1
> getpeercon: Protocol not available
> Received: Hello, (null) from (null)
> 
> --- Terminal 1 ---
> getsockopt: Protocol not available
> server: got connection from 127.0.0.1, (null)
> 
> Not sure what I am missing.  I have installed ipsec-tools and started
> /etc/init.d/racoon.
> 
> Any help would be appreciated.
> 
> --Mark
> 
> 
> On Fri, Apr 24, 2009 at 5:44 PM, Joy Latten <latten@austin.ibm.com> wrote:
> > Hi Mark,
> >
> > If interested, there are ietf drafts for labeled ipsec,
> > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt
> > and
> > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt.
> >
> > Also, I'd be happy to help by answering any questions.
> >
> > regards,
> > Joy Latten
> >
> > On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote:
> >> I am looking at the IPSec-based labeled networking.
> >>
> >> BTW.  I will be at the Tresys Advanced Policy course next week.  Is
> >> any of this covered there?
> >>
> >> Thanks,
> >>
> >> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote:
> >> > Josh's article talks about IPSec labeled networking (as well as using
> >> > SECMARK which provides firewall-level networking controls), as opposed to
> >> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9
> >> > and everything was there, so I'd imagine it's still there in F10. Just make
> >> > sure you install ipsec-tools.
> >> >
> >> > Chad Sellers
> >> >
> >> >
> >> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote:
> >> >
> >> >> I am interested in experimenting with the labeled networking that SE
> >> >> Linux offers.  I am reading through Josh Brindle's blog
> >> >>
> >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
> >> >>
> >> >> My question is, how do I know if my kernel is capable of supporting
> >> >> this?  I am currently running Fedora 10 with all the latest updates
> >> >> but not sure how to check.
> >> >>
> >> >> Also if I compile a kernel from source, is there anything that needs
> >> >> to be done in the configuring of the kernel build to enable the
> >> >> labeled networking?
> >> >>
> >> >> Thanks,
> >> >> Mark
> >> >>
> >> >> --
> >> >> This message was distributed to subscribers of the selinux mailing list.
> >> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >> >> the words "unsubscribe selinux" without quotes as the message.
> >> >
> >> >
> >>
> >>
> >> --
> >> This message was distributed to subscribers of the selinux mailing list.
> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> >> the words "unsubscribe selinux" without quotes as the message.
> >
> >
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


ipsec is tricky(especially with the keys in
ipsec.conf)
For me I usually
would create(as a test) a machine
as the server running a shoutcast stream
then the client connecting, using etherape
as the eyes to see whats happening.
In you're case I'm not sure about using
one machine as a loop(better than trying to
run AH through NAT)

Justin P. Mattock


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Mark Webb]

That was my guess.  I am using ipsec-tools (racoon) with a completely
stock configuration.  I do not have alot of experience with
ipsec-tools, so I wonder if I am missing something in the
configuration.

Based on responses to this thread, the kernel that I am running with a
fully patched Fedora 10 should be OK.

Thanks again..

On Wed, Apr 29, 2009 at 11:45 PM, Justin P. Mattock
<justinmattock@gmail.com> wrote:
> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>> I am working to get the labelled IPSec working, following Josh
>> Brindle's blog post
>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>  I just want to get the client and server running on loopback, using a
>> fully patched Fedora 10 machine.
>>
>> I have the following keyfile that I pass into setkey:
>> ----------
>> spdflush;
>>
>> flush;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P in ipsec esp/transport//require;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P out ipsec esp/transport//require;
>> ----------
>>
>> I enter the following commands:
>>
>> --- Terminal 1 ---
>> setenforce 0
>> setkey -f <keyfile>
>> ./server
>>
>> --- Terminal 2 ---
>> # ./client 127.0.0.1
>> getpeercon: Protocol not available
>> Received: Hello, (null) from (null)
>>
>> --- Terminal 1 ---
>> getsockopt: Protocol not available
>> server: got connection from 127.0.0.1, (null)
>>
>> Not sure what I am missing.  I have installed ipsec-tools and started
>> /etc/init.d/racoon.
>>
>> Any help would be appreciated.
>>
>> --Mark
>>
>>
>> On Fri, Apr 24, 2009 at 5:44 PM, Joy Latten <latten@austin.ibm.com> wrote:
>> > Hi Mark,
>> >
>> > If interested, there are ietf drafts for labeled ipsec,
>> > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt
>> > and
>> > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt.
>> >
>> > Also, I'd be happy to help by answering any questions.
>> >
>> > regards,
>> > Joy Latten
>> >
>> > On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote:
>> >> I am looking at the IPSec-based labeled networking.
>> >>
>> >> BTW.  I will be at the Tresys Advanced Policy course next week.  Is
>> >> any of this covered there?
>> >>
>> >> Thanks,
>> >>
>> >> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote:
>> >> > Josh's article talks about IPSec labeled networking (as well as using
>> >> > SECMARK which provides firewall-level networking controls), as opposed to
>> >> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9
>> >> > and everything was there, so I'd imagine it's still there in F10. Just make
>> >> > sure you install ipsec-tools.
>> >> >
>> >> > Chad Sellers
>> >> >
>> >> >
>> >> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote:
>> >> >
>> >> >> I am interested in experimenting with the labeled networking that SE
>> >> >> Linux offers.  I am reading through Josh Brindle's blog
>> >> >>
>> >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
>> >> >>
>> >> >> My question is, how do I know if my kernel is capable of supporting
>> >> >> this?  I am currently running Fedora 10 with all the latest updates
>> >> >> but not sure how to check.
>> >> >>
>> >> >> Also if I compile a kernel from source, is there anything that needs
>> >> >> to be done in the configuring of the kernel build to enable the
>> >> >> labeled networking?
>> >> >>
>> >> >> Thanks,
>> >> >> Mark
>> >> >>
>> >> >> --
>> >> >> This message was distributed to subscribers of the selinux mailing list.
>> >> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> >> >> the words "unsubscribe selinux" without quotes as the message.
>> >> >
>> >> >
>> >>
>> >>
>> >> --
>> >> This message was distributed to subscribers of the selinux mailing list.
>> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> >> the words "unsubscribe selinux" without quotes as the message.
>> >
>> >
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>
> ipsec is tricky(especially with the keys in
> ipsec.conf)
> For me I usually
> would create(as a test) a machine
> as the server running a shoutcast stream
> then the client connecting, using etherape
> as the eyes to see whats happening.
> In you're case I'm not sure about using
> one machine as a loop(better than trying to
> run AH through NAT)
>
> Justin P. Mattock
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Stephen Smalley]

On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
> I am working to get the labelled IPSec working, following Josh
> Brindle's blog post
> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>  I just want to get the client and server running on loopback, using a
> fully patched Fedora 10 machine.
> 
> I have the following keyfile that I pass into setkey:
> ----------
> spdflush;
> 
> flush;
> 
> spdadd 127.0.0.1 127.0.0.1 any
> -ctx 1 1 "system_u:object_r:default_t:s0"
> -P in ipsec esp/transport//require;
> 
> spdadd 127.0.0.1 127.0.0.1 any
> -ctx 1 1 "system_u:object_r:default_t:s0"
> -P out ipsec esp/transport//require;
> ----------
> 
> I enter the following commands:
> 
> --- Terminal 1 ---
> setenforce 0
> setkey -f <keyfile>
> ./server
> 
> --- Terminal 2 ---
> # ./client 127.0.0.1
> getpeercon: Protocol not available
> Received: Hello, (null) from (null)
> 
> --- Terminal 1 ---
> getsockopt: Protocol not available
> server: got connection from 127.0.0.1, (null)
> 
> Not sure what I am missing.  I have installed ipsec-tools and started
> /etc/init.d/racoon.
> 
> Any help would be appreciated.

IPSEC and loopback don't generally get along very well.  Try:
echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm

Might want to also read through an old bug report on this issue,
https://bugzilla.redhat.com/show_bug.cgi?id=218386

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Justin Mattock]

On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>> I am working to get the labelled IPSec working, following Josh
>> Brindle's blog post
>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>  I just want to get the client and server running on loopback, using a
>> fully patched Fedora 10 machine.
>>
>> I have the following keyfile that I pass into setkey:
>> ----------
>> spdflush;
>>
>> flush;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P in ipsec esp/transport//require;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P out ipsec esp/transport//require;
>> ----------
>>
>> I enter the following commands:
>>
>> --- Terminal 1 ---
>> setenforce 0
>> setkey -f <keyfile>
>> ./server
>>
>> --- Terminal 2 ---
>> # ./client 127.0.0.1
>> getpeercon: Protocol not available
>> Received: Hello, (null) from (null)
>>
>> --- Terminal 1 ---
>> getsockopt: Protocol not available
>> server: got connection from 127.0.0.1, (null)
>>
>> Not sure what I am missing.  I have installed ipsec-tools and started
>> /etc/init.d/racoon.
>>
>> Any help would be appreciated.
>
> IPSEC and loopback don't generally get along very well.  Try:
> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
>
> Might want to also read through an old bug report on this issue,
> https://bugzilla.redhat.com/show_bug.cgi?id=218386
>
> --
> Stephen Smalley
> National Security Agency
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

>From what I remember, I just used(ipsec-tools)
/etc/ipsec.conf to deal with the
key exchange, and handling of
AH and ESP encapsulation(racoon is another approach)

main area is setting up the keys so the two
machines can exchange.
google around to find an already configured
ipsec.conf(saves you the energy of going crazy with
a long line of numbers) this way you just need to set
the ip's.

At the moment I've been trying to get ekiga to
work with ipsec(if I can get the dang thing to compiled
right).


-- 
Justin P. Mattock


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Mark Webb]

racoon comes with ipsec-tools, and there is not much documentation to
go on.  Still working through it though..


On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock <justinmattock@gmail.com> wrote:
> On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>>> I am working to get the labelled IPSec working, following Josh
>>> Brindle's blog post
>>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>>  I just want to get the client and server running on loopback, using a
>>> fully patched Fedora 10 machine.
>>>
>>> I have the following keyfile that I pass into setkey:
>>> ----------
>>> spdflush;
>>>
>>> flush;
>>>
>>> spdadd 127.0.0.1 127.0.0.1 any
>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>> -P in ipsec esp/transport//require;
>>>
>>> spdadd 127.0.0.1 127.0.0.1 any
>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>> -P out ipsec esp/transport//require;
>>> ----------
>>>
>>> I enter the following commands:
>>>
>>> --- Terminal 1 ---
>>> setenforce 0
>>> setkey -f <keyfile>
>>> ./server
>>>
>>> --- Terminal 2 ---
>>> # ./client 127.0.0.1
>>> getpeercon: Protocol not available
>>> Received: Hello, (null) from (null)
>>>
>>> --- Terminal 1 ---
>>> getsockopt: Protocol not available
>>> server: got connection from 127.0.0.1, (null)
>>>
>>> Not sure what I am missing.  I have installed ipsec-tools and started
>>> /etc/init.d/racoon.
>>>
>>> Any help would be appreciated.
>>
>> IPSEC and loopback don't generally get along very well.  Try:
>> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
>> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
>>
>> Might want to also read through an old bug report on this issue,
>> https://bugzilla.redhat.com/show_bug.cgi?id=218386
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>
> From what I remember, I just used(ipsec-tools)
> /etc/ipsec.conf to deal with the
> key exchange, and handling of
> AH and ESP encapsulation(racoon is another approach)
>
> main area is setting up the keys so the two
> machines can exchange.
> google around to find an already configured
> ipsec.conf(saves you the energy of going crazy with
> a long line of numbers) this way you just need to set
> the ip's.
>
> At the moment I've been trying to get ekiga to
> work with ipsec(if I can get the dang thing to compiled
> right).
>
>
> --
> Justin P. Mattock
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Mark Webb]

Thanks for the help.  I am going to get another machine set up so that
I am not using loopback any more.

After tinkering with things a bit, I found that running the command:

echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm

gets things working.  The other command seemed to disable loopback
communication.



On Thu, Apr 30, 2009 at 8:01 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>> I am working to get the labelled IPSec working, following Josh
>> Brindle's blog post
>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>  I just want to get the client and server running on loopback, using a
>> fully patched Fedora 10 machine.
>>
>> I have the following keyfile that I pass into setkey:
>> ----------
>> spdflush;
>>
>> flush;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P in ipsec esp/transport//require;
>>
>> spdadd 127.0.0.1 127.0.0.1 any
>> -ctx 1 1 "system_u:object_r:default_t:s0"
>> -P out ipsec esp/transport//require;
>> ----------
>>
>> I enter the following commands:
>>
>> --- Terminal 1 ---
>> setenforce 0
>> setkey -f <keyfile>
>> ./server
>>
>> --- Terminal 2 ---
>> # ./client 127.0.0.1
>> getpeercon: Protocol not available
>> Received: Hello, (null) from (null)
>>
>> --- Terminal 1 ---
>> getsockopt: Protocol not available
>> server: got connection from 127.0.0.1, (null)
>>
>> Not sure what I am missing.  I have installed ipsec-tools and started
>> /etc/init.d/racoon.
>>
>> Any help would be appreciated.
>
> IPSEC and loopback don't generally get along very well.  Try:
> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
>
> Might want to also read through an old bug report on this issue,
> https://bugzilla.redhat.com/show_bug.cgi?id=218386
>
> --
> Stephen Smalley
> National Security Agency
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: labeled network aware kernel

[Justin Mattock]

On Thu, Apr 30, 2009 at 8:39 PM, Mark Webb <elihusmails@gmail.com> wrote:
> racoon comes with ipsec-tools, and there is not much documentation to
> go on.  Still working through it though..
>
>
> On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock <justinmattock@gmail.com> wrote:
>> On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote:
>>>> I am working to get the labelled IPSec working, following Josh
>>>> Brindle's blog post
>>>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux).
>>>>  I just want to get the client and server running on loopback, using a
>>>> fully patched Fedora 10 machine.
>>>>
>>>> I have the following keyfile that I pass into setkey:
>>>> ----------
>>>> spdflush;
>>>>
>>>> flush;
>>>>
>>>> spdadd 127.0.0.1 127.0.0.1 any
>>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>>> -P in ipsec esp/transport//require;
>>>>
>>>> spdadd 127.0.0.1 127.0.0.1 any
>>>> -ctx 1 1 "system_u:object_r:default_t:s0"
>>>> -P out ipsec esp/transport//require;
>>>> ----------
>>>>
>>>> I enter the following commands:
>>>>
>>>> --- Terminal 1 ---
>>>> setenforce 0
>>>> setkey -f <keyfile>
>>>> ./server
>>>>
>>>> --- Terminal 2 ---
>>>> # ./client 127.0.0.1
>>>> getpeercon: Protocol not available
>>>> Received: Hello, (null) from (null)
>>>>
>>>> --- Terminal 1 ---
>>>> getsockopt: Protocol not available
>>>> server: got connection from 127.0.0.1, (null)
>>>>
>>>> Not sure what I am missing.  I have installed ipsec-tools and started
>>>> /etc/init.d/racoon.
>>>>
>>>> Any help would be appreciated.
>>>
>>> IPSEC and loopback don't generally get along very well.  Try:
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
>>>
>>> Might want to also read through an old bug report on this issue,
>>> https://bugzilla.redhat.com/show_bug.cgi?id=218386
>>>
>>> --
>>> Stephen Smalley
>>> National Security Agency
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>
>> From what I remember, I just used(ipsec-tools)
>> /etc/ipsec.conf to deal with the
>> key exchange, and handling of
>> AH and ESP encapsulation(racoon is another approach)
>>
>> main area is setting up the keys so the two
>> machines can exchange.
>> google around to find an already configured
>> ipsec.conf(saves you the energy of going crazy with
>> a long line of numbers) this way you just need to set
>> the ip's.
>>
>> At the moment I've been trying to get ekiga to
>> work with ipsec(if I can get the dang thing to compiled
>> right).
>>
>>
>> --
>> Justin P. Mattock
>>
>

yep,
but I think it provides other
ways for key exchanges,
here is what I am using:
http://www.linuxfromscratch.org/hints/downloads/files/ipsec.txt
I used this configuration about a year ago,
worked like a charm!!

-- 
Justin P. Mattock


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.