* labeled network aware kernel @ 2009-04-22 11:26 Mark Webb 2009-04-22 15:41 ` Xavier Toth ` (2 more replies) 0 siblings, 3 replies; 16+ messages in thread From: Mark Webb @ 2009-04-22 11:26 UTC (permalink / raw) To: selinux I am interested in experimenting with the labeled networking that SE Linux offers. I am reading through Josh Brindle's blog http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ My question is, how do I know if my kernel is capable of supporting this? I am currently running Fedora 10 with all the latest updates but not sure how to check. Also if I compile a kernel from source, is there anything that needs to be done in the configuring of the kernel build to enable the labeled networking? Thanks, Mark -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-22 11:26 labeled network aware kernel Mark Webb @ 2009-04-22 15:41 ` Xavier Toth 2009-04-22 22:16 ` Paul Moore 2009-04-22 22:21 ` Chad Sellers 2 siblings, 0 replies; 16+ messages in thread From: Xavier Toth @ 2009-04-22 15:41 UTC (permalink / raw) To: Mark Webb; +Cc: selinux On Wed, Apr 22, 2009 at 6:26 AM, Mark Webb <elihusmails@gmail.com> wrote: > I am interested in experimenting with the labeled networking that SE > Linux offers. I am reading through Josh Brindle's blog > > http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ > > My question is, how do I know if my kernel is capable of supporting > this? I am currently running Fedora 10 with all the latest updates > but not sure how to check. > > Also if I compile a kernel from source, is there anything that needs > to be done in the configuring of the kernel build to enable the > labeled networking? > > Thanks, > Mark > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > netlabel is in the kernel and you'll need to use netlabeltcl from netlabel_tools to configure it. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-22 11:26 labeled network aware kernel Mark Webb 2009-04-22 15:41 ` Xavier Toth @ 2009-04-22 22:16 ` Paul Moore 2009-04-23 3:05 ` Mark Webb 2009-04-22 22:21 ` Chad Sellers 2 siblings, 1 reply; 16+ messages in thread From: Paul Moore @ 2009-04-22 22:16 UTC (permalink / raw) To: Mark Webb; +Cc: selinux On Wednesday 22 April 2009 07:26:45 am Mark Webb wrote: > I am interested in experimenting with the labeled networking that SE > Linux offers. I am reading through Josh Brindle's blog > > http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ > > My question is, how do I know if my kernel is capable of supporting > this? I am currently running Fedora 10 with all the latest updates > but not sure how to check. The Fedora kernels are built with all of the labeled networking bits so you should be all set from a kernel point of view, but as Xavier/Ted pointed out you may need additional userspace packages to configure everything. > Also if I compile a kernel from source, is there anything that needs > to be done in the configuring of the kernel build to enable the > labeled networking? At this point I have to ask "what kind of labeled networking?" Labeled networking is a fairly generic term with three different mechanisms available on Linux: labeled IPsec (likely what you are reading about on Josh's blog), Secmark (search James Morris' blog, http://james-morris.livejournal.com), and NetLabel (search my blog, http://paulmoore.livejournal.com). Which are you interested in? Or perhaps more to the point, what are you trying to do? -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-22 22:16 ` Paul Moore @ 2009-04-23 3:05 ` Mark Webb 2009-04-23 16:33 ` Paul Moore 0 siblings, 1 reply; 16+ messages in thread From: Mark Webb @ 2009-04-23 3:05 UTC (permalink / raw) To: Paul Moore; +Cc: selinux Paul, Thanks for the response. As of right now, I am just trying to understand and learn the options available to me. I am most interested in the Labeled IPSec. I would like to study this at both the kernel level and the network packet level. --Mark On Wed, Apr 22, 2009 at 6:16 PM, Paul Moore <paul.moore@hp.com> wrote: > On Wednesday 22 April 2009 07:26:45 am Mark Webb wrote: >> I am interested in experimenting with the labeled networking that SE >> Linux offers. I am reading through Josh Brindle's blog >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ >> >> My question is, how do I know if my kernel is capable of supporting >> this? I am currently running Fedora 10 with all the latest updates >> but not sure how to check. > > The Fedora kernels are built with all of the labeled networking bits so you > should be all set from a kernel point of view, but as Xavier/Ted pointed out > you may need additional userspace packages to configure everything. > >> Also if I compile a kernel from source, is there anything that needs >> to be done in the configuring of the kernel build to enable the >> labeled networking? > > At this point I have to ask "what kind of labeled networking?" Labeled > networking is a fairly generic term with three different mechanisms available > on Linux: labeled IPsec (likely what you are reading about on Josh's blog), > Secmark (search James Morris' blog, http://james-morris.livejournal.com), and > NetLabel (search my blog, http://paulmoore.livejournal.com). > > Which are you interested in? Or perhaps more to the point, what are you > trying to do? > > -- > paul moore > linux @ hp > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-23 3:05 ` Mark Webb @ 2009-04-23 16:33 ` Paul Moore 0 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2009-04-23 16:33 UTC (permalink / raw) To: Mark Webb; +Cc: selinux On Wednesday 22 April 2009 11:05:20 pm Mark Webb wrote: > Paul, > > Thanks for the response. As of right now, I am just trying to > understand and learn the options available to me. I am most > interested in the Labeled IPSec. I would like to study this at both > the kernel level and the network packet level. Okay, fair enough. Good luck and if you have any questions let us know. > On Wed, Apr 22, 2009 at 6:16 PM, Paul Moore <paul.moore@hp.com> wrote: > > On Wednesday 22 April 2009 07:26:45 am Mark Webb wrote: > >> I am interested in experimenting with the labeled networking that SE > >> Linux offers. I am reading through Josh Brindle's blog > >> > >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinu > >>x/ > >> > >> My question is, how do I know if my kernel is capable of supporting > >> this? I am currently running Fedora 10 with all the latest updates > >> but not sure how to check. > > > > The Fedora kernels are built with all of the labeled networking bits so > > you should be all set from a kernel point of view, but as Xavier/Ted > > pointed out you may need additional userspace packages to configure > > everything. > > > >> Also if I compile a kernel from source, is there anything that needs > >> to be done in the configuring of the kernel build to enable the > >> labeled networking? > > > > At this point I have to ask "what kind of labeled networking?" Labeled > > networking is a fairly generic term with three different mechanisms > > available on Linux: labeled IPsec (likely what you are reading about on > > Josh's blog), Secmark (search James Morris' blog, > > http://james-morris.livejournal.com), and NetLabel (search my blog, > > http://paulmoore.livejournal.com). > > > > Which are you interested in? Or perhaps more to the point, what are you > > trying to do? > > > > -- > > paul moore > > linux @ hp -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-22 11:26 labeled network aware kernel Mark Webb 2009-04-22 15:41 ` Xavier Toth 2009-04-22 22:16 ` Paul Moore @ 2009-04-22 22:21 ` Chad Sellers 2009-04-23 3:01 ` Mark Webb 2 siblings, 1 reply; 16+ messages in thread From: Chad Sellers @ 2009-04-22 22:21 UTC (permalink / raw) To: Mark Webb, selinux Josh's article talks about IPSec labeled networking (as well as using SECMARK which provides firewall-level networking controls), as opposed to Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9 and everything was there, so I'd imagine it's still there in F10. Just make sure you install ipsec-tools. Chad Sellers On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote: > I am interested in experimenting with the labeled networking that SE > Linux offers. I am reading through Josh Brindle's blog > > http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ > > My question is, how do I know if my kernel is capable of supporting > this? I am currently running Fedora 10 with all the latest updates > but not sure how to check. > > Also if I compile a kernel from source, is there anything that needs > to be done in the configuring of the kernel build to enable the > labeled networking? > > Thanks, > Mark > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-22 22:21 ` Chad Sellers @ 2009-04-23 3:01 ` Mark Webb 2009-04-24 21:44 ` Joy Latten 0 siblings, 1 reply; 16+ messages in thread From: Mark Webb @ 2009-04-23 3:01 UTC (permalink / raw) To: Chad Sellers; +Cc: selinux I am looking at the IPSec-based labeled networking. BTW. I will be at the Tresys Advanced Policy course next week. Is any of this covered there? Thanks, On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote: > Josh's article talks about IPSec labeled networking (as well as using > SECMARK which provides firewall-level networking controls), as opposed to > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9 > and everything was there, so I'd imagine it's still there in F10. Just make > sure you install ipsec-tools. > > Chad Sellers > > > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote: > >> I am interested in experimenting with the labeled networking that SE >> Linux offers. I am reading through Josh Brindle's blog >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ >> >> My question is, how do I know if my kernel is capable of supporting >> this? I am currently running Fedora 10 with all the latest updates >> but not sure how to check. >> >> Also if I compile a kernel from source, is there anything that needs >> to be done in the configuring of the kernel build to enable the >> labeled networking? >> >> Thanks, >> Mark >> >> -- >> This message was distributed to subscribers of the selinux mailing list. >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >> the words "unsubscribe selinux" without quotes as the message. > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-23 3:01 ` Mark Webb @ 2009-04-24 21:44 ` Joy Latten 2009-04-30 3:05 ` Mark Webb 0 siblings, 1 reply; 16+ messages in thread From: Joy Latten @ 2009-04-24 21:44 UTC (permalink / raw) To: Mark Webb; +Cc: selinux Hi Mark, If interested, there are ietf drafts for labeled ipsec, http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt and http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt. Also, I'd be happy to help by answering any questions. regards, Joy Latten On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote: > I am looking at the IPSec-based labeled networking. > > BTW. I will be at the Tresys Advanced Policy course next week. Is > any of this covered there? > > Thanks, > > On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote: > > Josh's article talks about IPSec labeled networking (as well as using > > SECMARK which provides firewall-level networking controls), as opposed to > > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9 > > and everything was there, so I'd imagine it's still there in F10. Just make > > sure you install ipsec-tools. > > > > Chad Sellers > > > > > > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote: > > > >> I am interested in experimenting with the labeled networking that SE > >> Linux offers. I am reading through Josh Brindle's blog > >> > >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ > >> > >> My question is, how do I know if my kernel is capable of supporting > >> this? I am currently running Fedora 10 with all the latest updates > >> but not sure how to check. > >> > >> Also if I compile a kernel from source, is there anything that needs > >> to be done in the configuring of the kernel build to enable the > >> labeled networking? > >> > >> Thanks, > >> Mark > >> > >> -- > >> This message was distributed to subscribers of the selinux mailing list. > >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > >> the words "unsubscribe selinux" without quotes as the message. > > > > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-24 21:44 ` Joy Latten @ 2009-04-30 3:05 ` Mark Webb 2009-04-30 3:45 ` Justin P. Mattock 2009-04-30 12:01 ` Stephen Smalley 0 siblings, 2 replies; 16+ messages in thread From: Mark Webb @ 2009-04-30 3:05 UTC (permalink / raw) To: selinux I am working to get the labelled IPSec working, following Josh Brindle's blog post (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). I just want to get the client and server running on loopback, using a fully patched Fedora 10 machine. I have the following keyfile that I pass into setkey: ---------- spdflush; flush; spdadd 127.0.0.1 127.0.0.1 any -ctx 1 1 "system_u:object_r:default_t:s0" -P in ipsec esp/transport//require; spdadd 127.0.0.1 127.0.0.1 any -ctx 1 1 "system_u:object_r:default_t:s0" -P out ipsec esp/transport//require; ---------- I enter the following commands: --- Terminal 1 --- setenforce 0 setkey -f <keyfile> ./server --- Terminal 2 --- # ./client 127.0.0.1 getpeercon: Protocol not available Received: Hello, (null) from (null) --- Terminal 1 --- getsockopt: Protocol not available server: got connection from 127.0.0.1, (null) Not sure what I am missing. I have installed ipsec-tools and started /etc/init.d/racoon. Any help would be appreciated. --Mark On Fri, Apr 24, 2009 at 5:44 PM, Joy Latten <latten@austin.ibm.com> wrote: > Hi Mark, > > If interested, there are ietf drafts for labeled ipsec, > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt > and > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt. > > Also, I'd be happy to help by answering any questions. > > regards, > Joy Latten > > On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote: >> I am looking at the IPSec-based labeled networking. >> >> BTW. I will be at the Tresys Advanced Policy course next week. Is >> any of this covered there? >> >> Thanks, >> >> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote: >> > Josh's article talks about IPSec labeled networking (as well as using >> > SECMARK which provides firewall-level networking controls), as opposed to >> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9 >> > and everything was there, so I'd imagine it's still there in F10. Just make >> > sure you install ipsec-tools. >> > >> > Chad Sellers >> > >> > >> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote: >> > >> >> I am interested in experimenting with the labeled networking that SE >> >> Linux offers. I am reading through Josh Brindle's blog >> >> >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ >> >> >> >> My question is, how do I know if my kernel is capable of supporting >> >> this? I am currently running Fedora 10 with all the latest updates >> >> but not sure how to check. >> >> >> >> Also if I compile a kernel from source, is there anything that needs >> >> to be done in the configuring of the kernel build to enable the >> >> labeled networking? >> >> >> >> Thanks, >> >> Mark >> >> >> >> -- >> >> This message was distributed to subscribers of the selinux mailing list. >> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >> >> the words "unsubscribe selinux" without quotes as the message. >> > >> > >> >> >> -- >> This message was distributed to subscribers of the selinux mailing list. >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >> the words "unsubscribe selinux" without quotes as the message. > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-30 3:05 ` Mark Webb @ 2009-04-30 3:45 ` Justin P. Mattock 2009-04-30 11:16 ` Mark Webb 2009-04-30 12:01 ` Stephen Smalley 1 sibling, 1 reply; 16+ messages in thread From: Justin P. Mattock @ 2009-04-30 3:45 UTC (permalink / raw) To: Mark Webb; +Cc: selinux On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: > I am working to get the labelled IPSec working, following Josh > Brindle's blog post > (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). > I just want to get the client and server running on loopback, using a > fully patched Fedora 10 machine. > > I have the following keyfile that I pass into setkey: > ---------- > spdflush; > > flush; > > spdadd 127.0.0.1 127.0.0.1 any > -ctx 1 1 "system_u:object_r:default_t:s0" > -P in ipsec esp/transport//require; > > spdadd 127.0.0.1 127.0.0.1 any > -ctx 1 1 "system_u:object_r:default_t:s0" > -P out ipsec esp/transport//require; > ---------- > > I enter the following commands: > > --- Terminal 1 --- > setenforce 0 > setkey -f <keyfile> > ./server > > --- Terminal 2 --- > # ./client 127.0.0.1 > getpeercon: Protocol not available > Received: Hello, (null) from (null) > > --- Terminal 1 --- > getsockopt: Protocol not available > server: got connection from 127.0.0.1, (null) > > Not sure what I am missing. I have installed ipsec-tools and started > /etc/init.d/racoon. > > Any help would be appreciated. > > --Mark > > > On Fri, Apr 24, 2009 at 5:44 PM, Joy Latten <latten@austin.ibm.com> wrote: > > Hi Mark, > > > > If interested, there are ietf drafts for labeled ipsec, > > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt > > and > > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt. > > > > Also, I'd be happy to help by answering any questions. > > > > regards, > > Joy Latten > > > > On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote: > >> I am looking at the IPSec-based labeled networking. > >> > >> BTW. I will be at the Tresys Advanced Policy course next week. Is > >> any of this covered there? > >> > >> Thanks, > >> > >> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote: > >> > Josh's article talks about IPSec labeled networking (as well as using > >> > SECMARK which provides firewall-level networking controls), as opposed to > >> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9 > >> > and everything was there, so I'd imagine it's still there in F10. Just make > >> > sure you install ipsec-tools. > >> > > >> > Chad Sellers > >> > > >> > > >> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote: > >> > > >> >> I am interested in experimenting with the labeled networking that SE > >> >> Linux offers. I am reading through Josh Brindle's blog > >> >> > >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ > >> >> > >> >> My question is, how do I know if my kernel is capable of supporting > >> >> this? I am currently running Fedora 10 with all the latest updates > >> >> but not sure how to check. > >> >> > >> >> Also if I compile a kernel from source, is there anything that needs > >> >> to be done in the configuring of the kernel build to enable the > >> >> labeled networking? > >> >> > >> >> Thanks, > >> >> Mark > >> >> > >> >> -- > >> >> This message was distributed to subscribers of the selinux mailing list. > >> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > >> >> the words "unsubscribe selinux" without quotes as the message. > >> > > >> > > >> > >> > >> -- > >> This message was distributed to subscribers of the selinux mailing list. > >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > >> the words "unsubscribe selinux" without quotes as the message. > > > > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. ipsec is tricky(especially with the keys in ipsec.conf) For me I usually would create(as a test) a machine as the server running a shoutcast stream then the client connecting, using etherape as the eyes to see whats happening. In you're case I'm not sure about using one machine as a loop(better than trying to run AH through NAT) Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-30 3:45 ` Justin P. Mattock @ 2009-04-30 11:16 ` Mark Webb 0 siblings, 0 replies; 16+ messages in thread From: Mark Webb @ 2009-04-30 11:16 UTC (permalink / raw) To: Justin P. Mattock; +Cc: selinux That was my guess. I am using ipsec-tools (racoon) with a completely stock configuration. I do not have alot of experience with ipsec-tools, so I wonder if I am missing something in the configuration. Based on responses to this thread, the kernel that I am running with a fully patched Fedora 10 should be OK. Thanks again.. On Wed, Apr 29, 2009 at 11:45 PM, Justin P. Mattock <justinmattock@gmail.com> wrote: > On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: >> I am working to get the labelled IPSec working, following Josh >> Brindle's blog post >> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). >> I just want to get the client and server running on loopback, using a >> fully patched Fedora 10 machine. >> >> I have the following keyfile that I pass into setkey: >> ---------- >> spdflush; >> >> flush; >> >> spdadd 127.0.0.1 127.0.0.1 any >> -ctx 1 1 "system_u:object_r:default_t:s0" >> -P in ipsec esp/transport//require; >> >> spdadd 127.0.0.1 127.0.0.1 any >> -ctx 1 1 "system_u:object_r:default_t:s0" >> -P out ipsec esp/transport//require; >> ---------- >> >> I enter the following commands: >> >> --- Terminal 1 --- >> setenforce 0 >> setkey -f <keyfile> >> ./server >> >> --- Terminal 2 --- >> # ./client 127.0.0.1 >> getpeercon: Protocol not available >> Received: Hello, (null) from (null) >> >> --- Terminal 1 --- >> getsockopt: Protocol not available >> server: got connection from 127.0.0.1, (null) >> >> Not sure what I am missing. I have installed ipsec-tools and started >> /etc/init.d/racoon. >> >> Any help would be appreciated. >> >> --Mark >> >> >> On Fri, Apr 24, 2009 at 5:44 PM, Joy Latten <latten@austin.ibm.com> wrote: >> > Hi Mark, >> > >> > If interested, there are ietf drafts for labeled ipsec, >> > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev1-security-context-00.txt >> > and >> > http://www.ietf.org/internet-drafts/draft-jml-ipsec-ikev2-security-context-00.txt. >> > >> > Also, I'd be happy to help by answering any questions. >> > >> > regards, >> > Joy Latten >> > >> > On Wed, 2009-04-22 at 23:01 -0400, Mark Webb wrote: >> >> I am looking at the IPSec-based labeled networking. >> >> >> >> BTW. I will be at the Tresys Advanced Policy course next week. Is >> >> any of this covered there? >> >> >> >> Thanks, >> >> >> >> On Wed, Apr 22, 2009 at 6:21 PM, Chad Sellers <csellers@tresys.com> wrote: >> >> > Josh's article talks about IPSec labeled networking (as well as using >> >> > SECMARK which provides firewall-level networking controls), as opposed to >> >> > Netlabel labeled networking. I played with the IPSec-based stuff in Fedora 9 >> >> > and everything was there, so I'd imagine it's still there in F10. Just make >> >> > sure you install ipsec-tools. >> >> > >> >> > Chad Sellers >> >> > >> >> > >> >> > On 4/22/09 7:26 AM, "Mark Webb" <elihusmails@gmail.com> wrote: >> >> > >> >> >> I am interested in experimenting with the labeled networking that SE >> >> >> Linux offers. I am reading through Josh Brindle's blog >> >> >> >> >> >> http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ >> >> >> >> >> >> My question is, how do I know if my kernel is capable of supporting >> >> >> this? I am currently running Fedora 10 with all the latest updates >> >> >> but not sure how to check. >> >> >> >> >> >> Also if I compile a kernel from source, is there anything that needs >> >> >> to be done in the configuring of the kernel build to enable the >> >> >> labeled networking? >> >> >> >> >> >> Thanks, >> >> >> Mark >> >> >> >> >> >> -- >> >> >> This message was distributed to subscribers of the selinux mailing list. >> >> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >> >> >> the words "unsubscribe selinux" without quotes as the message. >> >> > >> >> > >> >> >> >> >> >> -- >> >> This message was distributed to subscribers of the selinux mailing list. >> >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >> >> the words "unsubscribe selinux" without quotes as the message. >> > >> > >> >> >> -- >> This message was distributed to subscribers of the selinux mailing list. >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >> the words "unsubscribe selinux" without quotes as the message. > > > ipsec is tricky(especially with the keys in > ipsec.conf) > For me I usually > would create(as a test) a machine > as the server running a shoutcast stream > then the client connecting, using etherape > as the eyes to see whats happening. > In you're case I'm not sure about using > one machine as a loop(better than trying to > run AH through NAT) > > Justin P. Mattock > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-30 3:05 ` Mark Webb 2009-04-30 3:45 ` Justin P. Mattock @ 2009-04-30 12:01 ` Stephen Smalley 2009-04-30 17:42 ` Justin Mattock 2009-05-01 4:06 ` Mark Webb 1 sibling, 2 replies; 16+ messages in thread From: Stephen Smalley @ 2009-04-30 12:01 UTC (permalink / raw) To: Mark Webb; +Cc: selinux On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: > I am working to get the labelled IPSec working, following Josh > Brindle's blog post > (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). > I just want to get the client and server running on loopback, using a > fully patched Fedora 10 machine. > > I have the following keyfile that I pass into setkey: > ---------- > spdflush; > > flush; > > spdadd 127.0.0.1 127.0.0.1 any > -ctx 1 1 "system_u:object_r:default_t:s0" > -P in ipsec esp/transport//require; > > spdadd 127.0.0.1 127.0.0.1 any > -ctx 1 1 "system_u:object_r:default_t:s0" > -P out ipsec esp/transport//require; > ---------- > > I enter the following commands: > > --- Terminal 1 --- > setenforce 0 > setkey -f <keyfile> > ./server > > --- Terminal 2 --- > # ./client 127.0.0.1 > getpeercon: Protocol not available > Received: Hello, (null) from (null) > > --- Terminal 1 --- > getsockopt: Protocol not available > server: got connection from 127.0.0.1, (null) > > Not sure what I am missing. I have installed ipsec-tools and started > /etc/init.d/racoon. > > Any help would be appreciated. IPSEC and loopback don't generally get along very well. Try: echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm Might want to also read through an old bug report on this issue, https://bugzilla.redhat.com/show_bug.cgi?id=218386 -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-30 12:01 ` Stephen Smalley @ 2009-04-30 17:42 ` Justin Mattock 2009-05-01 3:39 ` Mark Webb 2009-05-01 4:06 ` Mark Webb 1 sibling, 1 reply; 16+ messages in thread From: Justin Mattock @ 2009-04-30 17:42 UTC (permalink / raw) To: Stephen Smalley; +Cc: Mark Webb, selinux On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: >> I am working to get the labelled IPSec working, following Josh >> Brindle's blog post >> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). >> I just want to get the client and server running on loopback, using a >> fully patched Fedora 10 machine. >> >> I have the following keyfile that I pass into setkey: >> ---------- >> spdflush; >> >> flush; >> >> spdadd 127.0.0.1 127.0.0.1 any >> -ctx 1 1 "system_u:object_r:default_t:s0" >> -P in ipsec esp/transport//require; >> >> spdadd 127.0.0.1 127.0.0.1 any >> -ctx 1 1 "system_u:object_r:default_t:s0" >> -P out ipsec esp/transport//require; >> ---------- >> >> I enter the following commands: >> >> --- Terminal 1 --- >> setenforce 0 >> setkey -f <keyfile> >> ./server >> >> --- Terminal 2 --- >> # ./client 127.0.0.1 >> getpeercon: Protocol not available >> Received: Hello, (null) from (null) >> >> --- Terminal 1 --- >> getsockopt: Protocol not available >> server: got connection from 127.0.0.1, (null) >> >> Not sure what I am missing. I have installed ipsec-tools and started >> /etc/init.d/racoon. >> >> Any help would be appreciated. > > IPSEC and loopback don't generally get along very well. Try: > echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy > echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm > > Might want to also read through an old bug report on this issue, > https://bugzilla.redhat.com/show_bug.cgi?id=218386 > > -- > Stephen Smalley > National Security Agency > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > >From what I remember, I just used(ipsec-tools) /etc/ipsec.conf to deal with the key exchange, and handling of AH and ESP encapsulation(racoon is another approach) main area is setting up the keys so the two machines can exchange. google around to find an already configured ipsec.conf(saves you the energy of going crazy with a long line of numbers) this way you just need to set the ip's. At the moment I've been trying to get ekiga to work with ipsec(if I can get the dang thing to compiled right). -- Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-30 17:42 ` Justin Mattock @ 2009-05-01 3:39 ` Mark Webb 2009-05-01 4:23 ` Justin Mattock 0 siblings, 1 reply; 16+ messages in thread From: Mark Webb @ 2009-05-01 3:39 UTC (permalink / raw) To: Justin Mattock; +Cc: Stephen Smalley, selinux racoon comes with ipsec-tools, and there is not much documentation to go on. Still working through it though.. On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock <justinmattock@gmail.com> wrote: > On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: >> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: >>> I am working to get the labelled IPSec working, following Josh >>> Brindle's blog post >>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). >>> I just want to get the client and server running on loopback, using a >>> fully patched Fedora 10 machine. >>> >>> I have the following keyfile that I pass into setkey: >>> ---------- >>> spdflush; >>> >>> flush; >>> >>> spdadd 127.0.0.1 127.0.0.1 any >>> -ctx 1 1 "system_u:object_r:default_t:s0" >>> -P in ipsec esp/transport//require; >>> >>> spdadd 127.0.0.1 127.0.0.1 any >>> -ctx 1 1 "system_u:object_r:default_t:s0" >>> -P out ipsec esp/transport//require; >>> ---------- >>> >>> I enter the following commands: >>> >>> --- Terminal 1 --- >>> setenforce 0 >>> setkey -f <keyfile> >>> ./server >>> >>> --- Terminal 2 --- >>> # ./client 127.0.0.1 >>> getpeercon: Protocol not available >>> Received: Hello, (null) from (null) >>> >>> --- Terminal 1 --- >>> getsockopt: Protocol not available >>> server: got connection from 127.0.0.1, (null) >>> >>> Not sure what I am missing. I have installed ipsec-tools and started >>> /etc/init.d/racoon. >>> >>> Any help would be appreciated. >> >> IPSEC and loopback don't generally get along very well. Try: >> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy >> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm >> >> Might want to also read through an old bug report on this issue, >> https://bugzilla.redhat.com/show_bug.cgi?id=218386 >> >> -- >> Stephen Smalley >> National Security Agency >> >> >> -- >> This message was distributed to subscribers of the selinux mailing list. >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >> the words "unsubscribe selinux" without quotes as the message. >> > > From what I remember, I just used(ipsec-tools) > /etc/ipsec.conf to deal with the > key exchange, and handling of > AH and ESP encapsulation(racoon is another approach) > > main area is setting up the keys so the two > machines can exchange. > google around to find an already configured > ipsec.conf(saves you the energy of going crazy with > a long line of numbers) this way you just need to set > the ip's. > > At the moment I've been trying to get ekiga to > work with ipsec(if I can get the dang thing to compiled > right). > > > -- > Justin P. Mattock > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-05-01 3:39 ` Mark Webb @ 2009-05-01 4:23 ` Justin Mattock 0 siblings, 0 replies; 16+ messages in thread From: Justin Mattock @ 2009-05-01 4:23 UTC (permalink / raw) To: Mark Webb; +Cc: Stephen Smalley, selinux On Thu, Apr 30, 2009 at 8:39 PM, Mark Webb <elihusmails@gmail.com> wrote: > racoon comes with ipsec-tools, and there is not much documentation to > go on. Still working through it though.. > > > On Thu, Apr 30, 2009 at 1:42 PM, Justin Mattock <justinmattock@gmail.com> wrote: >> On Thu, Apr 30, 2009 at 5:01 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: >>> On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: >>>> I am working to get the labelled IPSec working, following Josh >>>> Brindle's blog post >>>> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). >>>> I just want to get the client and server running on loopback, using a >>>> fully patched Fedora 10 machine. >>>> >>>> I have the following keyfile that I pass into setkey: >>>> ---------- >>>> spdflush; >>>> >>>> flush; >>>> >>>> spdadd 127.0.0.1 127.0.0.1 any >>>> -ctx 1 1 "system_u:object_r:default_t:s0" >>>> -P in ipsec esp/transport//require; >>>> >>>> spdadd 127.0.0.1 127.0.0.1 any >>>> -ctx 1 1 "system_u:object_r:default_t:s0" >>>> -P out ipsec esp/transport//require; >>>> ---------- >>>> >>>> I enter the following commands: >>>> >>>> --- Terminal 1 --- >>>> setenforce 0 >>>> setkey -f <keyfile> >>>> ./server >>>> >>>> --- Terminal 2 --- >>>> # ./client 127.0.0.1 >>>> getpeercon: Protocol not available >>>> Received: Hello, (null) from (null) >>>> >>>> --- Terminal 1 --- >>>> getsockopt: Protocol not available >>>> server: got connection from 127.0.0.1, (null) >>>> >>>> Not sure what I am missing. I have installed ipsec-tools and started >>>> /etc/init.d/racoon. >>>> >>>> Any help would be appreciated. >>> >>> IPSEC and loopback don't generally get along very well. Try: >>> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy >>> echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm >>> >>> Might want to also read through an old bug report on this issue, >>> https://bugzilla.redhat.com/show_bug.cgi?id=218386 >>> >>> -- >>> Stephen Smalley >>> National Security Agency >>> >>> >>> -- >>> This message was distributed to subscribers of the selinux mailing list. >>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >>> the words "unsubscribe selinux" without quotes as the message. >>> >> >> From what I remember, I just used(ipsec-tools) >> /etc/ipsec.conf to deal with the >> key exchange, and handling of >> AH and ESP encapsulation(racoon is another approach) >> >> main area is setting up the keys so the two >> machines can exchange. >> google around to find an already configured >> ipsec.conf(saves you the energy of going crazy with >> a long line of numbers) this way you just need to set >> the ip's. >> >> At the moment I've been trying to get ekiga to >> work with ipsec(if I can get the dang thing to compiled >> right). >> >> >> -- >> Justin P. Mattock >> > yep, but I think it provides other ways for key exchanges, here is what I am using: http://www.linuxfromscratch.org/hints/downloads/files/ipsec.txt I used this configuration about a year ago, worked like a charm!! -- Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: labeled network aware kernel 2009-04-30 12:01 ` Stephen Smalley 2009-04-30 17:42 ` Justin Mattock @ 2009-05-01 4:06 ` Mark Webb 1 sibling, 0 replies; 16+ messages in thread From: Mark Webb @ 2009-05-01 4:06 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux Thanks for the help. I am going to get another machine set up so that I am not using loopback any more. After tinkering with things a bit, I found that running the command: echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm gets things working. The other command seemed to disable loopback communication. On Thu, Apr 30, 2009 at 8:01 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2009-04-29 at 23:05 -0400, Mark Webb wrote: >> I am working to get the labelled IPSec working, following Josh >> Brindle's blog post >> (http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux). >> I just want to get the client and server running on loopback, using a >> fully patched Fedora 10 machine. >> >> I have the following keyfile that I pass into setkey: >> ---------- >> spdflush; >> >> flush; >> >> spdadd 127.0.0.1 127.0.0.1 any >> -ctx 1 1 "system_u:object_r:default_t:s0" >> -P in ipsec esp/transport//require; >> >> spdadd 127.0.0.1 127.0.0.1 any >> -ctx 1 1 "system_u:object_r:default_t:s0" >> -P out ipsec esp/transport//require; >> ---------- >> >> I enter the following commands: >> >> --- Terminal 1 --- >> setenforce 0 >> setkey -f <keyfile> >> ./server >> >> --- Terminal 2 --- >> # ./client 127.0.0.1 >> getpeercon: Protocol not available >> Received: Hello, (null) from (null) >> >> --- Terminal 1 --- >> getsockopt: Protocol not available >> server: got connection from 127.0.0.1, (null) >> >> Not sure what I am missing. I have installed ipsec-tools and started >> /etc/init.d/racoon. >> >> Any help would be appreciated. > > IPSEC and loopback don't generally get along very well. Try: > echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy > echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm > > Might want to also read through an old bug report on this issue, > https://bugzilla.redhat.com/show_bug.cgi?id=218386 > > -- > Stephen Smalley > National Security Agency > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2009-05-01 4:23 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2009-04-22 11:26 labeled network aware kernel Mark Webb 2009-04-22 15:41 ` Xavier Toth 2009-04-22 22:16 ` Paul Moore 2009-04-23 3:05 ` Mark Webb 2009-04-23 16:33 ` Paul Moore 2009-04-22 22:21 ` Chad Sellers 2009-04-23 3:01 ` Mark Webb 2009-04-24 21:44 ` Joy Latten 2009-04-30 3:05 ` Mark Webb 2009-04-30 3:45 ` Justin P. Mattock 2009-04-30 11:16 ` Mark Webb 2009-04-30 12:01 ` Stephen Smalley 2009-04-30 17:42 ` Justin Mattock 2009-05-01 3:39 ` Mark Webb 2009-05-01 4:23 ` Justin Mattock 2009-05-01 4:06 ` Mark Webb
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.