selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH v2] Improve network_support.md
Date: Tue, 28 Jul 2020 18:00:50 -0400	[thread overview]
Message-ID: <CAHC9VhSmF9oUoR2LT=T8Gs5Wz8m7DRWD=_h7fubBa2W19xJS5A@mail.gmail.com> (raw)
In-Reply-To: <62d3c8f0-38a4-a71b-5f09-36e5287d3d08@gmail.com>

On Tue, Jul 28, 2020 at 6:30 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> On 28.7.2020 5.44, Paul Moore wrote:
> > On Mon, Jul 27, 2020 at 9:04 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> >>
> >> List all access control methods available for networking and provide
> >> examples for each.
> >>
> >> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> >>
> >> ---
> >> v2: address comments from Richard Haines
> >> ---
> >>   src/network_statements.md |   2 +-
> >>   src/network_support.md    | 170 +++++++++++++++++++++++++++++++++-----
> >>   2 files changed, 150 insertions(+), 22 deletions(-)
> >>
> >> diff --git a/src/network_statements.md b/src/network_statements.md
> >> index ef1c873..357c3b1 100644
> >> --- a/src/network_statements.md
> >> +++ b/src/network_statements.md
> >> @@ -102,7 +102,7 @@ the interface to a security context.
> >>   <tr>
> >>   <td><code>packet_context</code></td>
> >>   <td><p>The security context allocated packets. Note that these are defined but unused.</p>
> >> -<p>The iptables(8)/nftables(8) <a href="network_support.md#secmark">SECMARK services</a> should be used to label packets.</p></td>
> >> +<p>The iptables(8)/nftables(8) <a href="network_support.md#internal-labeling-secmark">SECMARK services</a> should be used to label packets.</p></td>
> >>   </tr>
> >>   </tbody>
> >>   </table>
> >> diff --git a/src/network_support.md b/src/network_support.md
> >> index 309e863..6f9896b 100644
> >> --- a/src/network_support.md
> >> +++ b/src/network_support.md
> >> @@ -1,20 +1,17 @@
> >>   # SELinux Networking Support
> >>
> >> -SELinux supports the following types of network labeling:
> >> +SELinux supports several methods for access control of networks. These are
> >>
> >> -**Internal labeling** - This is where network objects are labeled and
> >> -managed internally within a single machine (i.e. their labels are not
> >> -transmitted as part of the session with remote systems). There are two
> >> -types supported: SECMARK and NetLabel. There was a service known as
> >> -'compat_net' controls, however that was removed in kernel 2.6.30.
> >> +* Packet labeling: class `packet`
> >> +* Peer labeling: class `peer`
> >> +* Interface control: class `netif`
> >> +* Network node control: class `node`
> >> +* TCP/UDP/SCTP/DCCP ports: class `port`
> >
> > For whatever it is worth, I've always thought of the SELinux network
> > access controls as being composed of two parts: socket layer controls
> > and packet layer controls (or per-packet controls).  The packet layer
> > controls are further divided into the "peer" and "secmark" controls.
>
> This could be a more easily understandable way to describe the access
> controls, at least `port` would fall to socket layer controls nicely.

Yes, I personally think it is better way to explain the network access controls.

> Would this division work with netifs and nodes?

I'm not entirely clear on the question, but both the netif/node
ingress and egress controls fall into the packet layer.


> >> -To support peer labeling, CIPSO and CALIPSO the NetLabel tools need to
> >> -be installed:
> >> +SELinux supports the following types of network labeling:
> >> +
> >> +**Internal labeling** - This is where network objects are labeled and
> >> +managed internally within a single machine (i.e. their labels are not
> >> +transmitted as part of the session with remote systems). There are two
> >> +types supported: SECMARK and NetLabel. There was a service known as
> >> +'compat_net' controls, however that was removed in kernel 2.6.30.
> >
> > Using your terminology, NetLabel is external or "labeled networking".
>
> It's not my terminology, the text is just moved down.

My apologies, using the *existing* terminology ...

> I think
> fallback/static labeling part of NetLabel is not external, the labeling
> happens internally and the labels are not transmitted.

I guess this is another problem with the "internal" vs "external"
approach to the current text.  I prefer to think in terms of how the
access controls are structured, and as far as SELinux is concerned it
only has to worry about calling the general NetLabel APIs; it doesn't
matter if CIPSO, CALIPSO, or the static/fallback labeling is
concerned, it's all the same.

Things get more complicated if you start digging into individual
protocols.  Look at the different CIPSO tag types, vs the tagless
approach taken in CALIPSO.  Not to mention the way labeled IPsec
works; people get enamored by the encryption/authentication aspects,
but it's really a very poor fit for SELinux.  There are a number of
problems caused by the fact that labeled IPsec is an implicit labeling
mechanism that labels SAs and not packets, there are issues around
ensuring all of the labels have the same (or close enough) meaning on
both systems, and it is likely only to ever work between the SELinux
systems.

-- 
paul moore
www.paul-moore.com

      reply	other threads:[~2020-07-28 22:01 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-27 13:04 [PATCH v2] Improve network_support.md Topi Miettinen
2020-07-27 13:57 ` Dominick Grift
2020-07-27 15:21   ` Topi Miettinen
2020-07-27 15:39     ` Dominick Grift
2020-07-27 20:20       ` Topi Miettinen
2020-07-27 20:36         ` Dominick Grift
2020-07-27 21:44           ` Topi Miettinen
2020-07-28  3:12             ` Paul Moore
2020-07-28  3:08           ` Paul Moore
2020-07-28  2:57       ` Paul Moore
2020-07-28  2:49   ` Paul Moore
2020-07-28  2:44 ` Paul Moore
2020-07-28 10:30   ` Topi Miettinen
2020-07-28 22:00     ` Paul Moore [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHC9VhSmF9oUoR2LT=T8Gs5Wz8m7DRWD=_h7fubBa2W19xJS5A@mail.gmail.com' \
    --to=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    --cc=toiwoton@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).