2008-02-07 20:11:44

by Andrew Morton

Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

On Thu, 7 Feb 2008 14:50:41 -0500
Paul Moore <[email protected]> wrote:

> On Thursday 07 February 2008 2:02:06 pm [email protected] wrote:
> > The patch titled
> > Smack: unlabeled outgoing ambient packets
> > has been added to the -mm tree. Its filename is
> > smack-unlabeled-outgoing-ambient-packets.patch
> >
> > Before you just go and hit "reply", please:
> > a) Consider who else should be cc'ed
> > b) Prefer to cc a suitable mailing list as well
> > c) Ideally: find the original patch on the mailing list and do a
> > reply-to-all to that, adding suitable additional cc's
>
> I didn't see this patch hit any of the relevant mailing lists (am I missing
> one somewhere?) so I'm just CC'ing everyone on the To/CC line, minus
> mm-commits.

It was on linux-kernel and netdev. I've restored those cc's.

> > ------------------------------------------------------
> > Subject: Smack: unlabeled outgoing ambient packets
> > From: Casey Schaufler <[email protected]>
> >
> > Smack uses CIPSO labeling, but allows for unlabeled packets by specifying
> > an "ambient" label that is applied to incoming unlabeled packets. Because
> > the other end of the connection may dislike IP options, and ssh is one known
> > application that behaves thus, it is prudent to respond in kind. This
> > patch changes the network labeling behavior such that an outgoing packet
> > that would be given a CIPSO label that matches the ambient label is left
> > unlabeled.
>
> I suppose you are entitled to use NetLabel however you want, so long as it
> works and doesn't cause problems for other users, but I think you are
> starting down a rather ugly road with this patch. In my mind a cleaner
> solution would be to make use of the built-in NetLabel/LSM domain mapping
> functionality to accomplish the same thing. In other words, there is already
> a mechanism to do what you want, it's probably a good idea to make use of it
> instead of recreating it.
>
> I would suggest that when you set the NetLabel security attributes for a
> socket you set the domain field to the smack label (see the SELinux code for
> an example, if you are unsure see selinux_netlbl_sock_setsid() and
> security_netlbl_sid_to_secattr()). Once you do that you should continue to
> set the default NetLabel domain mapping to send CIPSO tagged packets but also
> create a new NetLabel domain mapping so that the ambient smack label causes
> packets to be sent "unlabeled". The only other change you would have to make
> is to ensure that the NetLabel domain mappings are kept in sync with any
> ambient label changes (should be easy enough and a rather infrequent
> operation in practice).
>
> This also should have the advantage of making your life easier if/when more
> advanced labeled network controls are added to Smack (see the SELinux changes
> made in 2.6.25 and our previous discussions).
>


2008-02-07 20:15:15

by Paul Moore

Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

On Thursday 07 February 2008 3:04:59 pm Andrew Morton wrote:
> On Thu, 7 Feb 2008 14:50:41 -0500
>
> Paul Moore <[email protected]> wrote:
> > On Thursday 07 February 2008 2:02:06 pm [email protected] wrote:
> > > The patch titled
> > > Smack: unlabeled outgoing ambient packets
> > > has been added to the -mm tree. Its filename is
> > > smack-unlabeled-outgoing-ambient-packets.patch
> > >
> > > Before you just go and hit "reply", please:
> > > a) Consider who else should be cc'ed
> > > b) Prefer to cc a suitable mailing list as well
> > > c) Ideally: find the original patch on the mailing list and do a
> > > reply-to-all to that, adding suitable additional cc's
> >
> > I didn't see this patch hit any of the relevant mailing lists (am I
> > missing one somewhere?) so I'm just CC'ing everyone on the To/CC line,
> > minus mm-commits.
>
> It was on linux-kernel and netdev. I've restored those cc's.

My apologies, those mailing list postings there haven't hit my inbox yet.

--
paul moore
linux security @ hp

2008-02-08 01:32:43

by David Miller

Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

From: Andrew Morton <[email protected]>
Date: Thu, 7 Feb 2008 12:04:59 -0800

> It was on linux-kernel and netdev. I've restored those cc's.

Perhaps Paul missed it because his email address was bouncing with
"user unknown" errors a few days ago so he got removed from all the
mailing lists @ vger :-)

2008-02-08 01:33:48

by David Miller

Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

From: Paul Moore <[email protected]>
Date: Thu, 7 Feb 2008 15:14:34 -0500

> My apologies, those mailing list postings there haven't hit my inbox yet.

I had to remove you a few days ago, see my other reply to
Andrew.

You are back on the lists now, so I hope that bounce problem
has been solved.

2008-02-08 01:55:29

by Paul Moore

Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

On Thursday 07 February 2008 8:34:02 pm David Miller wrote:
> From: Paul Moore <[email protected]>
> Date: Thu, 7 Feb 2008 15:14:34 -0500
>
> > My apologies, those mailing list postings there haven't hit my inbox yet.
>
> I had to remove you a few days ago, see my other reply to
> Andrew.
>
> You are back on the lists now, so I hope that bounce problem
> has been solved.

Yeah, that discussion with Andrew made me look a bit deeper at my mail folders
and I realized the last message I received from any of the vger.kernel.org
mailing lists was late Tuesday night ... I thought Wednesday was awfully
quiet :/

I have no idea what was causing the mail problem, probably somebody in our IT
department playing around with some new knobs, oh well. I resubscribed this
afternoon with both fingers crossed.

--
paul moore
linux security @ hp

2008-02-08 02:15:03

by David Miller

Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

From: Paul Moore <[email protected]>
Date: Thu, 7 Feb 2008 20:54:56 -0500

> I have no idea what was causing the mail problem, probably somebody
> in our IT department playing around with some new knobs, oh well. I
> resubscribed this afternoon with both fingers crossed.

In the future please contact [email protected] when you
notice you have been unsubscribed so we can work on fixing the
issue.

Blind resubscriptions are severely frowned upon, we remove you for
good reason and if the problem isn't solved you'll just soil up my
inbox further with bounces....

2008-02-08 02:21:27

by Paul Moore

Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

On Thursday 07 February 2008 9:15:19 pm David Miller wrote:
> From: Paul Moore <[email protected]>
> Date: Thu, 7 Feb 2008 20:54:56 -0500
>
> > I have no idea what was causing the mail problem, probably somebody
> > in our IT department playing around with some new knobs, oh well. I
> > resubscribed this afternoon with both fingers crossed.
>
> In the future please contact [email protected] when you
> notice you have been unsubscribed so we can work on fixing the
> issue.
>
> Blind resubscriptions are severely frowned upon, we remove you for
> good reason and if the problem isn't solved you'll just soil up my
> inbox further with bounces....

Both points noted for future reference. While the end result is the same, I
can promise you my actions are not maliciously stupid, just ignorantly
stupid ;)

--
paul moore
linux security @ hp

2008-02-08 17:44:17

by Paul Moore

Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree

> > > ------------------------------------------------------
> > > Subject: Smack: unlabeled outgoing ambient packets
> > > From: Casey Schaufler <[email protected]>
> > >
> > > Smack uses CIPSO labeling, but allows for unlabeled packets by
> > > specifying an "ambient" label that is applied to incoming
> > > unlabeled packets. Because the other end of the connection may
> > > dislike IP options, and ssh is one known application that behaves
> > > thus ...

I forgot to mention this earlier, but RHEL/Fedora/Rawhide has a patched
version of SSH (see RH bugzilla #202856 for the discussion/patch) that
fixes the problem of IPv4 options causing SSH to reject the connection.
It turns out that SSH is being a bit overzealous (rejecting all IPv4
options) in trying to reject source-routed packets.

--
paul moore
linux security @ hp
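The SSH behaviour Paul describes, as an added example that is neither the OpenSSH code nor the Red Hat patch: a walker over a received IPv4 options block of the kind getsockopt(IP_OPTIONS) returns, contrasting the "any option means reject" check with one that rejects only loose and strict source routing and so lets a CIPSO option through. The option buffers are constructed for the example, and reject_any_options and reject_source_route are names chosen here.

```c
/*
 * Added example, not the OpenSSH code or the Red Hat patch: compare an
 * "any IPv4 option is fatal" check with one that rejects only source
 * routing. Option buffers below are constructed for the example.
 */
#include <stddef.h>
#include <stdio.h>

#define IPOPT_EOL   0
#define IPOPT_NOP   1
#define IPOPT_LSRR  131   /* loose source and record route */
#define IPOPT_CIPSO 134   /* Commercial IP Security Option */
#define IPOPT_SSRR  137   /* strict source and record route */

/* Overzealous policy: the presence of any option rejects the connection. */
static int reject_any_options(const unsigned char *opts, size_t len)
{
    return len > 0;
}

/*
 * Narrow policy: walk the option list (type, length, data; EOL and NOP
 * are single bytes) and reject only LSRR/SSRR. Returns 1 to reject,
 * 0 to accept and -1 for a malformed list, which a server should also
 * treat as a reject rather than guess at.
 */
static int reject_source_route(const unsigned char *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char type = opts[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len)
            return -1;                 /* type byte without a length byte */
        unsigned char olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return -1;                 /* length runs past the buffer */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR)
            return 1;
        i += olen;                     /* CIPSO and anything else: skip */
    }
    return 0;
}

/* Constructed option blocks. */
static const unsigned char opt_cipso[] = {
    IPOPT_CIPSO, 10, 0, 0, 0, 3,       /* CIPSO, length 10, DOI 3 */
    1, 4, 0, 0,                        /* tag type 1, length 4, level 0 */
    IPOPT_NOP, IPOPT_EOL
};
static const unsigned char opt_lsrr[] = {
    IPOPT_LSRR, 7, 4, 10, 0, 0, 1,     /* LSRR via 10.0.0.1 */
    IPOPT_EOL
};
static const unsigned char opt_bad[] = { IPOPT_CIPSO, 32 };   /* claims 32 bytes */

int main(void)
{
    struct { const char *name; const unsigned char *o; size_t n; } cases[] = {
        { "cipso", opt_cipso, sizeof opt_cipso },
        { "lsrr",  opt_lsrr,  sizeof opt_lsrr },
        { "bad",   opt_bad,   sizeof opt_bad },
        { "none",  opt_cipso, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-6s any-option=%d source-route=%d\n", cases[i].name,
               reject_any_options(cases[i].o, cases[i].n),
               reject_source_route(cases[i].o, cases[i].n));
    return 0;
}
```

The point of the narrow check is that a labeled CIPSO packet carries an IP option but no routing information, so a server that only wants to refuse source-routed connections has no reason to drop it; the malformed case is kept separate so that a truncated option list is still refused rather than silently accepted.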