I'm interested in how SELinux affects the processing of packets through the networking stack. I've found the following questions and answers:

Network policies under AppArmor/SELinux
Filtering network access on a user/group/process basis

The first seems to imply that SELinux can tag packets (kind of like tagging VLANs), and processing can differ depending on the tags associated with the packets. This makes sense to me. However, the second question is asking about network access via user groups and access controls. It's unclear based on the answer and comments if this is true, or how it's possible.

When reading through the Linux kernel source code (2.6.16, I know it's old but a lot of embedded devices still use 2.6), you come across the file security/selinux/hooks.c. This has functions like selinux_parse_skb_ipv4, selinux_socket_create, selinux_socket_bind, etc.

My questions are:

  1. Can someone clear up the second question for me? Either by actually answering that question, or answering it here.
  2. Does SELinux affect the network stack in any other ways?
  3. With functions like the ones listed above, is SELinux used to create the abstract concept of a "secure socket"? Much like the Windows API provides function calls to create "secure sockets".
RoraΖ
  • It appears there are a couple of methods of enabling SELinux packet labeling. This should help you understand that choice... http://selinuxproject.org/page/NB_Networking Please understand that CIPSO label is an option for adding information to packets but not in itself protection from outside observers. – zedman9991 Mar 17 '15 at 16:00

1 Answer

Access can be controlled for local processes accessing local network assets, for example network ports. By associating labels with port objects and with the user IDs and group IDs associated with processes (or even with individual processes), it allows you to specify whether and how entities associated with particular labels can operate on or interact with entities associated with particular labels. This is generally pretty solid, with the exception that no access control is enforced for binding sockets to ephemeral ports.

Alternatively, SECMARK allows one to associate labels with non-local assets as they come in or go out, using the netfilter security table. So the labels only apply inside the system (for example, a packet comes in unlabeled, gets associated with a label using netfilter, and then you can specify rules for how other local entities associated with particular labels can operate on the labeled packets). This is a local solution using netfilter.

Really associating labels with packets as they traverse the network can be done with NetLabel or IPsec. This is used to enforce confidentiality on "trusted" networks. IPsec is preferred for this, I believe, rather than NetLabel (multi-level security).

SELinux is generally not the optimal tool to enforce controls on the network. Other technologies are generally a better solution. Except if you want to enforce confidentiality on trusted networks.

Generally the idea is that SELinux allows you to associate security labels with many entities, ranging from individual users, groups of users, or even individual processes, to local and non-local assets such as, for example, files and network nodes.

I am aware that this does not answer the question and that my information is not fully accurate, and is certainly not comprehensive, but it is something.

joe
  • You're the only one who tried. Thanks for your effort -- this is a starting point for research. – Ohnana Mar 23 '15 at 12:14
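The three layers the answer above describes (port labels for local name_bind checks, SECMARK labels applied in the netfilter "security" table, and the allow rule that lets a domain handle the labeled packets), written out as the commands an administrator would type, plus the ephemeral-port caveat from the first paragraph. This is an added example, not code from the question or the answer. The type names ssh_port_t, ssh_server_packet_t and sshd_t follow the reference policy as shipped by Fedora/RHEL; the alternate port 2222 and the ip_local_port_range value are constructed sample values, and each function only prints the commands or policy so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the original post). Nothing here touches the
# kernel: every function prints what would be applied, so the output can be
# inspected first, then piped to sh or saved as a .te file.

SSH_ALT_PORT=2222                                      # constructed sample value
SSH_PKT_CTX='system_u:object_r:ssh_server_packet_t:s0' # refpolicy packet type

# Layer 1: local port objects. sshd_t may only name_bind ports labeled
# ssh_port_t, so a non-default port has to be labeled before sshd can use it.
port_label_cmds() {
  cat <<EOF
semanage port -a -t ssh_port_t -p tcp $SSH_ALT_PORT
semanage port -l | grep ssh_port_t
EOF
}

# Layer 2: SECMARK. Packets are unlabeled on the wire; the security table
# attaches a context on INPUT, CONNSECMARK --save copies it onto the
# conntrack entry, and --restore puts it on the reply packets on OUTPUT.
secmark_cmds() {
  cat <<EOF
iptables -t security -A INPUT  -p tcp --dport $SSH_ALT_PORT -j SECMARK --selctx $SSH_PKT_CTX
iptables -t security -A INPUT  -p tcp --dport $SSH_ALT_PORT -j CONNSECMARK --save
iptables -t security -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
EOF
}

# Layer 3: the policy rule that lets the sshd domain send/receive packets
# carrying that label. The reference policy already grants this through
# corenet_sendrecv_ssh_server_packets(sshd_t); the raw rule is shown so the
# packet class and permissions are visible.
policy_rules() {
  cat <<'EOF'
policy_module(local_ssh_secmark, 1.0)
require {
    type sshd_t;
    type ssh_server_packet_t;
}
allow sshd_t ssh_server_packet_t:packet { send recv };
EOF
}

# The caveat: selinux_socket_bind() checks name_bind only when the requested
# port lies outside [max(1024, low), high] of ip_local_port_range. Binds
# inside that window are not mediated by port labels at all.
IP_LOCAL_PORT_RANGE='32768	60999'   # constructed sample of /proc/sys/net/ipv4/ip_local_port_range

# Returns 0 (true) when a bind to $1 would NOT get a name_bind check.
bind_unchecked() {
  port=$1
  set -- $IP_LOCAL_PORT_RANGE
  low=$1; high=$2
  [ "$low" -lt 1024 ] && low=1024
  [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]
}

# Usage: sh this_script.sh show
if [ "${1:-}" = "show" ]; then
  port_label_cmds
  secmark_cmds
  policy_rules
  for p in 22 $SSH_ALT_PORT 40000; do
    if bind_unchecked "$p"; then echo "port $p: bind not checked"; else echo "port $p: name_bind checked"; fi
  done
fi
```

Note that SECMARK is applied by the netfilter security table, not parsed from the packet, so as the comment on the question says it gives no protection against observers on the wire; that is what NetLabel (CIPSO) or labeled IPsec are for.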