NetLabel Address Selectors Explained

Feb 13, 2009 16:38

One of the biggest differences between NetLabel and the labeled networking mechanisms of existing Trusted OSs is how outbound traffic is selected for labeling. Ever since NetLabel was first introduced in kernel 2.6.19 the on-the-wire outbound labeling protocol was determined by the label of the sending application's socket. Despite the departure ( Read more... )

netlabel, documentation, kernel

Comments 6

anonymous June 8 2009, 19:30:08 UTC
So as I understand, NetLabel is a way to mark a packet not only locally (like -j MARK) but inter-router too, so complex decisions can be made on remote routers about how to deal with traffic.

paulmoore June 8 2009, 21:42:23 UTC
The short answer to your question is yes. The long answer is that NetLabel is a labeled networking framework which handles network peer labels for SELinux and Smack using both on-the-wire packet labeling protocols and fallback/static labels. Network labeling protocols, such as CIPSO, allow intermediate nodes, such as routers, to apply security policy to individual packets flowing through the node. The fallback/static labeling provided by NetLabel allows the local system to assign a "fallback" network peer label to networks or systems that do not support labeling protocols.

zkzk July 13 2013, 07:25:07 UTC
Hi, paul.moore ( ... )

paulmoore August 21 2013, 21:18:42 UTC
Hello,

Some answers that should help:

1. The LSM "domain" is a term that has a different meaning depending on the LSM; for SELinux the "domain" would be the SELinux type or domain, e.g. unconfined_t.

2. I think the answer in #1 above should help answer this question.

3. Smack does things a bit differently than SELinux when it comes to NetLabel. When using Smack you should refrain from using the netlabelctl tool as the Smack kernel will handle all of the NetLabel configuration for you.

Good luck!

anonymous August 20 2013, 22:14:04 UTC
Hi Paul, I am trying to set up a rhel6 mls system to communicate with a non-rhel6 cipso system. The rhel6 system has s0 to s15 levels and c0 to c1023 categories. Because the cipso system's numerical level values go up to 255, I am playing with netlabel "trans" rules to map levels. I was wondering if you could confirm/comment on my following observations, especially if there is an easier way to do what I am trying to do with this (without recompiling the rhel6 mls policy to have 255 sensitivity levels ( ... )

paulmoore August 21 2013, 21:14:48 UTC
Hi Janak,

Here are the answers to your questions:

1. Yes, translation mode is only supported with tag type #1. It could be expanded to the other tag types, but it doesn't make as much sense for tag types #2 and #5; the translation mode was created as a workaround for the limited IPv4 header space.

2. No, wildcards are not presently supported.

3. It is entirely possible there is a limit or a bug in the NetLabel netlink code; we had a similar issue when dumping large numbers of static label configurations that was fixed recently. This is something we can look at, but I think it is best to first ask what you are trying to do; oftentimes there may be another, easier solution ...

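The exchange above turns on the fact that CIPSO tag type #1 only carries an 8-bit level and a category bitmap of at most 30 octets, which is why translation ("trans") mappings exist. The following is an added example written for this page, not code from the post, from NetLabel or from netlabelctl; the field sizes come from the CIPSO specification (FIPS 188), while the DOI value and the level/category mapping tables are constructed for illustration.

```python
import struct

# Field sizes from the CIPSO specification (FIPS 188) for tag type #1,
# the "restrictive bitmap" tag that netlabelctl's translation mode targets.
CIPSO_OPT_TYPE = 134                 # IPv4 option number assigned to CIPSO
CIPSO_TAG_RBM = 1                    # tag type #1 (restrictive bitmap)
IPV4_MAX_OPTIONS_LEN = 40            # 60-byte max IPv4 header minus 20 fixed bytes
CIPSO_HDR_LEN = 6                    # option type, option length, 4-byte DOI
TAG1_HDR_LEN = 4                     # tag type, tag length, alignment octet, level
TAG1_MAX_BITMAP_LEN = IPV4_MAX_OPTIONS_LEN - CIPSO_HDR_LEN - TAG1_HDR_LEN  # 30 octets
TAG1_MAX_CATEGORY = TAG1_MAX_BITMAP_LEN * 8 - 1                            # 239


def encode_tag1(doi, level, categories):
    """Build one CIPSO IPv4 option carrying a single tag type #1 tag.

    Raises ValueError when the label does not fit the wire format; that gap
    (8-bit level, 240 categories) is what a 'trans' mapping has to bridge."""
    if not 0 <= level <= 255:
        raise ValueError("level %d does not fit the 8-bit sensitivity field" % level)
    if any(c < 0 or c > TAG1_MAX_CATEGORY for c in categories):
        raise ValueError("category beyond %d cannot be carried" % TAG1_MAX_CATEGORY)
    nbytes = (max(categories) // 8 + 1) if categories else 0
    bitmap = bytearray(nbytes)
    for c in categories:
        bitmap[c // 8] |= 0x80 >> (c % 8)   # category 0 is the MSB of octet 0
    tag = bytes([CIPSO_TAG_RBM, TAG1_HDR_LEN + nbytes, 0, level]) + bytes(bitmap)
    return bytes([CIPSO_OPT_TYPE, CIPSO_HDR_LEN + len(tag)]) + struct.pack("!I", doi) + tag


def decode_tag1(option):
    """Parse the option back into (doi, level, sorted category list)."""
    if option[0] != CIPSO_OPT_TYPE or option[1] != len(option):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", option[2:6])[0]
    tag_type, tag_len, _align, level = option[6:10]
    if tag_type != CIPSO_TAG_RBM:
        raise ValueError("only tag type #1 is handled here")
    bitmap = option[10:6 + tag_len]
    cats = [8 * i + b for i, octet in enumerate(bitmap) for b in range(8) if octet & (0x80 >> b)]
    return doi, level, cats


def translate(level, categories, level_map, cat_map):
    """Apply a local->remote mapping of the kind a netlabelctl 'trans' rule
    expresses; the maps are supplied by the caller (constructed, hypothetical values)."""
    return level_map[level], sorted(cat_map[c] for c in categories)
```

A label whose categories reach c1023 on the local side cannot be encoded at all (the bitmap tops out at category 239), so the local-to-remote map has to be applied before encoding, not after.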