Re: netlabel: UNLABELED ath9k not denying unlabeled traffic

From: Justin P. Mattock
Date: Wed Jan 14 2009 - 11:16:13 EST


Paul Moore wrote:
> On Wednesday 14 January 2009 12:18:18 am Justin P. Mattock wrote:
>> When using netlabelctl on a dell laptop
>> I'm able to define the addresses that I want:
>>
>> netlabelctl unlbl add interface:wlan0 address:<radiostation> label:system_u:object_r:netlabel_peer_t:s0
>> netlabelctl unlbl add interface:wlan0 address:<myaddress> label:system_u:object_r:netlabel_peer_t:s0
>> netlabelctl -p unlbl accept off
>>
>> {the above was from http://paulmoore.livejournal.com/1758.html };
>
> Hey, somebody actually reads that stuff! I guess I'll need to be careful what I write from now on :)
>
> Hi Justin, on a more serious note, if you are having problems with labeled networking it's probably a good idea to CC the SELinux, LSM and/or netdev lists depending on the issue as I often miss mail if it is only posted to LKML. When in doubt you can just CC me personally (paul.moore@xxxxxx) and I'll add whatever list seems appropriate.
>
>> (I'm able to listen to the radio station allowed, then if I choose
>> another station; if I haven't defined an address like the above,
>> mplayer just sits there, denying the unlabeled packet. That is until I
>> allow the address);
>
> Good, that is how it should work given the configuration shown above.
>
>> The problem I have is when I do the same on my macbook pro ati
>> chipset. With the ath9k module, I'm able to listen to any station,
>> search the web etc..
>> It seems netlabelctl -p unlbl accept off makes no difference if it's
>> on or off.
>>
>> Is this built into ath9k yet, or is there something I'm missing?
>
> That is just plain odd, there isn't really anything that is driver specific. Can you share any more details like kernel version, netlabel_tools version, distro, etc? I don't have any ath9k hardware lying around to test so I would appreciate whatever additional information you can provide.

Hey alright. (I finally got around to trying netlabelctl out!)

The two systems I have for this are: Dell Latitude X200
running Ubuntu Jaunty, kernel is 2.6.29-rc1,
with netlabel_tools_0.18 which was an rpm package
that I converted to .deb (can't remember the repository where I grabbed it from);
The wireless card for the dell is a Dell 1350
using bcmxx (b43-phy0); works great.

The results when using netlabelctl with the dell are nice, i.e. like I said
as soon as I issue netlabelctl unlbl accept off, those addresses not defined
are simply not allowed. (The problem with the dell is I'm not seeing
any allow rules being generated, i.e.:

allow netlabel_peer_t netif_t:netif ingress;
allow netlabel_peer_t node_t:node recvfrom;
allow unlabeled_t netif_t:netif ingress;
allow unlabeled_t node_t:node recvfrom;

The next is a macbookpro ati chipset; the kernel is 2.6.29-rc1,
the O.S. is Ubuntu Jaunty, the netlabel_tools is the same as above.
The only results I see out of this are the AVCs it's generating
(the allow rules above are from the macbook);
for some reason the dell doesn't generate any AVCs,
which makes me wonder whether this is a module issue.

Also I've gone through thinking, well maybe this is AVC driven,
i.e. each address once added by netlabelctl receives a certain allow rule
(like the allow rules above);
if not, either no allow rule is given to it, resulting in a denial you can't see in dmesg,
or a denial that just won't be allowed by checkpolicy.
So after seeing if this was the case I was left with an address defined by
netlabel (allowed) and defined the allow rules that it had created.
Unfortunately after all of that I still was able to turn on another radio
station that had no address in netlabelctl's unlbl database (and no allow rule
with SELinux),
leading me to believe that the netlabel area or driver isn't working
properly, or is just told to not enforce the netlabel accept off option.

As for the list, I have linux-wireless in my address book (not sure which is right);

regards;

Justin P. Mattock
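The netlabelctl sequence discussed in this thread (admit specific unlabeled peers on one interface, then stop accepting unlabeled traffic from everyone else), written up as an added example; it is not code from the thread, from Paul Moore's post, or from netlabel_tools. It assumes the netlabelctl command syntax shown above (`unlbl add interface:IFACE address:ADDR[/MASK] label:CTX`, `unlbl accept off`, `unlbl list`); the interface name, the two peer addresses and the default peer context are constructed sample values. Ordering is the point: allow rules are emitted before the default is flipped to deny, and the script only applies anything when run as root with `apply`, otherwise it prints the plan.

```shell
#!/bin/sh
# Added example (not from the thread or netlabel_tools): build a NetLabel
# unlabeled-traffic allow list with netlabelctl, then deny the rest.
# Assumed CLI syntax (as quoted in the thread):
#   netlabelctl unlbl add interface:IFACE address:ADDR[/MASK] label:CTX
#   netlabelctl -p unlbl accept off
# IFACE, ALLOWED_PEERS and PEER_LABEL below are constructed sample values.

IFACE="${IFACE:-wlan0}"
PEER_LABEL="system_u:object_r:netlabel_peer_t:s0"
# Constructed allow list: one host plus one /24 (netlabelctl takes ADDR[/MASK]).
ALLOWED_PEERS="192.0.2.10 198.51.100.0/24"

# Print the command that admits unlabeled packets from $2 arriving on $1,
# labelling them with the peer context $3.
nl_allow_cmd() {
    printf 'netlabelctl unlbl add interface:%s address:%s label:%s\n' "$1" "$2" "$3"
}

# Print the command that stops accepting unlabeled packets from any peer
# that has no matching unlbl entry.
nl_deny_default_cmd() {
    printf 'netlabelctl -p unlbl accept off\n'
}

# Emit the full plan: every allow rule first, the default deny last, so the
# allowed peers are already in place when the default flips to deny.
nl_plan() {
    for peer in $ALLOWED_PEERS; do
        nl_allow_cmd "$IFACE" "$peer" "$PEER_LABEL"
    done
    nl_deny_default_cmd
}

# Apply the plan (root + netlabelctl present), then list the resulting
# unlabeled-traffic configuration so the change can be verified.
nl_apply() {
    if command -v netlabelctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nl_plan | sh -e
        netlabelctl -p unlbl list
    else
        echo "# not root or netlabelctl missing; would run:"
        nl_plan
    fi
}

# Default invocation is a dry run; pass "apply" to make the change.
if [ "${1:-}" = "apply" ]; then
    nl_apply
else
    nl_plan
fi
```

Run it as `sh netlabel_allowlist.sh` to see the commands, and `sh netlabel_allowlist.sh apply` as root to execute them; the trailing `netlabelctl -p unlbl list` is the check that the accept flag really reads off and the expected selectors are present, which is the first thing to compare between two machines that behave differently, as the Dell and the MacBook do here.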



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/