Re: SMACK netfilter smacklabel socket match

From: Tilman Baumann
Date: Wed Oct 01 2008 - 12:56:10 EST

Next message: Fenghua Yu: "[PATCH 0/2]Add Variable Page Size and IA64 Support in Intel IOMMU"
Previous message: Alan Cox: "[PATCH] Rationalise email addresses"
In reply to: Casey Schaufler: "Re: SMACK netfilter smacklabel socket match"
Next in thread: Casey Schaufler: "Re: SMACK netfilter smacklabel socket match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Casey Schaufler wrote:

Tilman Baumann wrote:
Casey Schaufler wrote:
Smack will eventually bite you if you're not careful, but users of
MAC systems wouldn't be surprised by that.

Speaking of the devil...
This is exactly what happened to me right now. I have problems with _some_ https connects. The problem lies somewhere in openssl.
I did not yet find any clue with strace.
Is there some straight forward way to audit/debug LSM interventions?

strace is probably your best bet, as it will tell you what syscalls
fail. Your current situation is most likely a case where your program
running with a label "Foo" is trying to communicate with a service on
a machine that doesn't talk CIPSO and hence Smack is treating all
packets to and from that host with the ambient (%cat /smack/ambient)
label, which is "_" unless you've changed it.

Yea, I just found that out.
I did not expect smack to add netlabels by default. I thought I would need to configure something before it will start adding netlabels 'on the wire'.
In my case 'security' is something that should only concern the local machine.
Unfortunately I never bothered to test this before. :-/

If I set /smack/nltype to 'unlabeled' I have effectively shut off the network.
I guess I'm missing some essential point here.
Sorry to bother you with such trivialities.

btw. I find it very hard to find informations on the various files in /smack/ and it's respective intention and formating rules. security/smack/smackfs.c helps a bit.

This is my current setup:
/smack/ambient (default)
/smack/load = _ foo rwx
Unlabeled process work fine.
Labeled processes produce CIPSO labeled packets (which never get any answer anywhere from the internet)

If i set /smack/nltype to 'unlabled' i don't even get SYN packets out. (operation not permitted)

--
Tilman Baumann
Software Developer
Collax GmbH . Boetzinger Strasse 60 . 79111 Freiburg . Germany

p: +49 (0) 89-990157-0
f: +49 (0) 89-990157-11

Geschaeftsfuehrer: William K. Hite / Boris Nalbach
AG Muenchen HRB 158898, Ust.-IdNr: DE 814464942
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Fenghua Yu: "[PATCH 0/2]Add Variable Page Size and IA64 Support in Intel IOMMU"
Previous message: Alan Cox: "[PATCH] Rationalise email addresses"
In reply to: Casey Schaufler: "Re: SMACK netfilter smacklabel socket match"
Next in thread: Casey Schaufler: "Re: SMACK netfilter smacklabel socket match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]