LKML Archive on lore.kernel.org
* Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree
       [not found] ` <200802071450.41529.paul.moore@hp.com>
@ 2008-02-07 20:04   ` Andrew Morton
  2008-02-07 20:14     ` Paul Moore
                       ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Andrew Morton @ 2008-02-07 20:04 UTC (permalink / raw)
  To: Paul Moore; +Cc: casey, davem, jmorris, mingo, sds, linux-kernel, netdev

On Thu, 7 Feb 2008 14:50:41 -0500
Paul Moore <paul.moore@hp.com> wrote:

> On Thursday 07 February 2008 2:02:06 pm akpm@linux-foundation.org wrote:
> > The patch titled
> >      Smack: unlabeled outgoing ambient packets
> > has been added to the -mm tree.  Its filename is
> >      smack-unlabeled-outgoing-ambient-packets.patch
> >
> > Before you just go and hit "reply", please:
> >    a) Consider who else should be cc'ed
> >    b) Prefer to cc a suitable mailing list as well
> >    c) Ideally: find the original patch on the mailing list and do a
> >       reply-to-all to that, adding suitable additional cc's
> 
> I didn't see this patch hit any of the relevant mailing lists (am I missing 
> one somewhere?) so I'm just CC'ing everyone on the To/CC line, minus 
> mm-commits.

It was on linux-kernel and netdev.  I've restored those cc's.

> > ------------------------------------------------------
> > Subject: Smack: unlabeled outgoing ambient packets
> > From: Casey Schaufler <casey@schaufler-ca.com>
> >
> > Smack uses CIPSO labeling, but allows for unlabeled packets by specifying
> > an "ambient" label that is applied to incoming unlabeled packets.  Because
> > the other end of the connection may dislike IP options, and ssh is one known
> > application that behaves thus, it is prudent to respond in kind.  This
> > patch changes the network labeling behavior such that an outgoing packet
> > that would be given a CIPSO label that matches the ambient label is left
> > unlabeled.
> 
> I suppose you are entitled to use NetLabel however you want, so long as it 
> works and doesn't cause problems for other users, but I think you are 
> starting down a rather ugly road with this patch.  In my mind a cleaner 
> solution would be to make of use of the built-in NetLabel/LSM domain mapping 
> functionality to accomplish the same thing.  In other words, there is already 
> a mechanism to do what you want, it's probably a good idea to make use of it 
> instead of recreating it.
> 
> I would suggest that when you set the NetLabel security attributes for a 
> socket you set the domain field to the smack label (see the SELinux code for 
> an example, if you are unsure see selinux_netlbl_sock_setsid() and 
> security_netlbl_sid_to_secattr()).  Once you do that you should continue to 
> set the default NetLabel domain mapping to send CIPSO tagged packets but also 
> create a new NetLabel domain mapping so that the ambient smack label causes 
> packets to be sent "unlabeled".  The only other change you would have to make 
> is to ensure that the NetLabel domain mappings are kept in sync with any 
> ambient label changes (should be easy enough and a rather infrequent 
> operation in practice).
> 
> This also should have the advantage of making your life easier if/when more 
> advanced labeled network controls are added to Smack (see the SELinux changes 
> made in 2.6.25 and our previous discussions).
> 


^ permalink raw reply	[flat|nested] 8+ messages in thread
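The domain-mapping approach Paul outlines above, as an added user-space model that is not code from the thread, from Smack, or from the kernel's NetLabel API: a default mapping sends CIPSO, a second mapping sends the ambient label unlabeled, and that second mapping is re-synced whenever the ambient label changes. The class and method names, the DOI value and the labels are assumptions of the model.

```python
# Model of NetLabel-style domain mapping for Smack (assumed names, not kernel code).
# The socket's secattr "domain" is its Smack label; NetLabel picks the protocol
# by looking the domain up in a mapping table with a default entry.

CIPSO_DOI = 3  # constructed DOI value for the model


class SmackNetlabelModel:
    def __init__(self, ambient):
        self.ambient = ambient
        # domain -> (protocol, doi); key None is the default mapping (CIPSO).
        self.domain_map = {None: ("cipso", CIPSO_DOI)}
        self._sync_ambient_mapping(None, ambient)

    def _sync_ambient_mapping(self, old, new):
        """Keep the 'send unlabeled' mapping in step with the ambient label."""
        if old is not None:
            self.domain_map.pop(old, None)   # drop the stale ambient entry
        self.domain_map[new] = ("unlabeled", None)

    def set_ambient(self, new):
        """Ambient label change: infrequent, but the mapping must follow it."""
        old, self.ambient = self.ambient, new
        self._sync_ambient_mapping(old, new)

    def outgoing(self, sock_label):
        """How a packet from a socket with this Smack label leaves the host."""
        proto, doi = self.domain_map.get(sock_label, self.domain_map[None])
        if proto == "cipso":
            return {"proto": "cipso", "doi": doi, "label": sock_label}
        return {"proto": "unlabeled"}   # no IP option on the wire

    def incoming(self, pkt):
        """CIPSO packets carry their label; unlabeled traffic gets ambient."""
        if pkt.get("proto") == "cipso":
            return pkt["label"]
        return self.ambient

    def round_trip_ok(self, sock_label):
        """A label survives host -> wire -> host only if mapping and ambient agree."""
        return self.incoming(self.outgoing(sock_label)) == sock_label


if __name__ == "__main__":
    m = SmackNetlabelModel("_")
    print(m.outgoing("_"), m.outgoing("Foo"))
    m.set_ambient("Foo")
    print(m.outgoing("_"), m.outgoing("Foo"), m.round_trip_ok("Foo"))
```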

* Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree
  2008-02-07 20:04   ` + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree Andrew Morton
@ 2008-02-07 20:14     ` Paul Moore
  2008-02-08  1:34       ` David Miller
  2008-02-08  1:33     ` David Miller
  2008-02-08 17:43     ` Paul Moore
  2 siblings, 1 reply; 8+ messages in thread
From: Paul Moore @ 2008-02-07 20:14 UTC (permalink / raw)
  To: Andrew Morton; +Cc: casey, davem, jmorris, mingo, sds, linux-kernel, netdev

On Thursday 07 February 2008 3:04:59 pm Andrew Morton wrote:
> On Thu, 7 Feb 2008 14:50:41 -0500
>
> Paul Moore <paul.moore@hp.com> wrote:
> > On Thursday 07 February 2008 2:02:06 pm akpm@linux-foundation.org wrote:
> > > The patch titled
> > >      Smack: unlabeled outgoing ambient packets
> > > has been added to the -mm tree.  Its filename is
> > >      smack-unlabeled-outgoing-ambient-packets.patch
> > >
> > > Before you just go and hit "reply", please:
> > >    a) Consider who else should be cc'ed
> > >    b) Prefer to cc a suitable mailing list as well
> > >    c) Ideally: find the original patch on the mailing list and do a
> > >       reply-to-all to that, adding suitable additional cc's
> >
> > I didn't see this patch hit any of the relevant mailing lists (am I
> > missing one somewhere?) so I'm just CC'ing everyone on the To/CC line,
> > minus mm-commits.
>
> It was on linux-kernel and netdev.  I've restored those cc's.

My apologies, those mailing list postings there haven't hit my inbox yet.

-- 
paul moore
linux security @ hp


* Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree
  2008-02-07 20:04   ` + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree Andrew Morton
  2008-02-07 20:14     ` Paul Moore
@ 2008-02-08  1:33     ` David Miller
  2008-02-08 17:43     ` Paul Moore
  2 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2008-02-08  1:33 UTC (permalink / raw)
  To: akpm; +Cc: paul.moore, casey, jmorris, mingo, sds, linux-kernel, netdev

From: Andrew Morton <akpm@linux-foundation.org>
Date: Thu, 7 Feb 2008 12:04:59 -0800

> It was on linux-kernel and netdev.  I've restored those cc's.

Perhaps Paul missed it because his email address was bouncing with
"user unknown" errors a few days ago so he got removed from all the
mailing lists @ vger :-)


* Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree
  2008-02-07 20:14     ` Paul Moore
@ 2008-02-08  1:34       ` David Miller
  2008-02-08  1:54         ` Paul Moore
  0 siblings, 1 reply; 8+ messages in thread
From: David Miller @ 2008-02-08  1:34 UTC (permalink / raw)
  To: paul.moore; +Cc: akpm, casey, jmorris, mingo, sds, linux-kernel, netdev

From: Paul Moore <paul.moore@hp.com>
Date: Thu, 7 Feb 2008 15:14:34 -0500

> My apologies, those mailing list postings there haven't hit my inbox yet.

I had to remove you a few days ago, see my other reply to
Andrew.

You are back on the lists now, so I hope that bounce problem
has been solved.


* Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree
  2008-02-08  1:34       ` David Miller
@ 2008-02-08  1:54         ` Paul Moore
  2008-02-08  2:15           ` David Miller
  0 siblings, 1 reply; 8+ messages in thread
From: Paul Moore @ 2008-02-08  1:54 UTC (permalink / raw)
  To: David Miller; +Cc: akpm, casey, jmorris, mingo, sds, linux-kernel, netdev

On Thursday 07 February 2008 8:34:02 pm David Miller wrote:
> From: Paul Moore <paul.moore@hp.com>
> Date: Thu, 7 Feb 2008 15:14:34 -0500
>
> > My apologies, those mailing list postings there haven't hit my inbox yet.
>
> I had to remove you a few days ago, see my other reply to
> Andrew.
>
> You are back on the lists now, so I hope that bounce problem
> has been solved.

Yeah, that discussion with Andrew made me look a bit deeper at my mail folders 
and I realized the last message I received from any of the vger.kernel.org 
mailing lists was late Tuesday night ... I thought Wednesday was awfully 
quiet :/

I have no idea what was causing the mail problem, probably somebody in our IT 
department playing around with some new knobs, oh well.  I resubscribed this 
afternoon with both fingers crossed.

-- 
paul moore
linux security @ hp


* Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree
  2008-02-08  1:54         ` Paul Moore
@ 2008-02-08  2:15           ` David Miller
  2008-02-08  2:21             ` Paul Moore
  0 siblings, 1 reply; 8+ messages in thread
From: David Miller @ 2008-02-08  2:15 UTC (permalink / raw)
  To: paul.moore; +Cc: akpm, casey, jmorris, mingo, sds, linux-kernel, netdev

From: Paul Moore <paul.moore@hp.com>
Date: Thu, 7 Feb 2008 20:54:56 -0500

> I have no idea what was causing the mail problem, probably somebody
> in our IT department playing around with some new knobs, oh well.  I
> resubscribed this afternoon with both fingers crossed.

In the future please contact postmaster@vger.kernel.org when you
notice you have been unsubscribed so we can work on fixing the
issue.

Blind resubscriptions are severely frowned upon, we remove you for
good reason and if the problem isn't solved you'll just soil up my
inbox further with bounces....


* Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree
  2008-02-08  2:15           ` David Miller
@ 2008-02-08  2:21             ` Paul Moore
  0 siblings, 0 replies; 8+ messages in thread
From: Paul Moore @ 2008-02-08  2:21 UTC (permalink / raw)
  To: David Miller; +Cc: akpm, casey, jmorris, mingo, sds, linux-kernel, netdev

On Thursday 07 February 2008 9:15:19 pm David Miller wrote:
> From: Paul Moore <paul.moore@hp.com>
> Date: Thu, 7 Feb 2008 20:54:56 -0500
>
> > I have no idea what was causing the mail problem, probably somebody
> > in our IT department playing around with some new knobs, oh well.  I
> > resubscribed this afternoon with both fingers crossed.
>
> In the future please contact postmaster@vger.kernel.org when you
> notice you have been unsubscribed so we can work on fixing the
> issue.
>
> Blind resubscriptions are severely frowned upon, we remove you for
> good reason and if the problem isn't solved you'll just soil up my
> inbox further with bounces....

Both points noted for future reference.  While the end result is the same, I 
can promise you my actions are not maliciously stupid, just ignorantly 
stupid ;)

-- 
paul moore
linux security @ hp


* Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree
  2008-02-07 20:04   ` + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree Andrew Morton
  2008-02-07 20:14     ` Paul Moore
  2008-02-08  1:33     ` David Miller
@ 2008-02-08 17:43     ` Paul Moore
  2 siblings, 0 replies; 8+ messages in thread
From: Paul Moore @ 2008-02-08 17:43 UTC (permalink / raw)
  To: casey; +Cc: Andrew Morton, davem, jmorris, mingo, sds, linux-kernel, netdev

> > > ------------------------------------------------------
> > > Subject: Smack: unlabeled outgoing ambient packets
> > > From: Casey Schaufler <casey@schaufler-ca.com>
> > >
> > > Smack uses CIPSO labeling, but allows for unlabeled packets by
> > > specifying an "ambient" label that is applied to incoming
> > > unlabeled packets.  Because the other end of the connection may
> > > dislike IP options, and ssh is one known application that behaves
> > > thus ...

I forgot to mention this earlier, but RHEL/Fedora/Rawhide has a patched 
version of SSH (see RH bugzilla #202856 for the discussion/patch) that 
fixes the problem of IPv4 options causing SSH to reject the connection.  
It turns out that SSH is being a bit overzealous (rejecting all IPv4 
options) in trying to reject source-routed packets.

-- 
paul moore
linux security @ hp

