Re: kernel_t and rawip

Ken <mantaray_1@xxxxxxx> · Fri, 25 May 2007 11:53:56 -0700

I inadvertently sent this to cpebenito@xxxxxxxxxx rather than to the 
list.  Here it is for the list:

Christopher J. PeBenito wrote:
> On Wed, 2007-05-23 at 15:11 -0700, Ken wrote:
>> I became interested in SELinux primarily to increase the level of 
security I have when I am connected to the Internet, and until recently 
I have not allowed kernel_t to send or receive rawip over the Internet. 
  I have recently allowed this because I was having difficulty making 
an online payment without this enabled.  Since enabling this, I have 
wondered what the security implications of allowing kernel_t to send and 
receive rawip on the Internet are;
>
> Its normal behavior, the kernel needs the permission so can handle ICMP
> traffic, e.g. ping replies, destination unreachable, etc.
>
    I am aware of ICMP traffic, but even the best programs and 
protocols can be unexpectedly vulnerable to exploitation; and from a 
logical perspective, I have (completely and unconditionally) opened my 
system to allow a particular type of communication with outside 
connections -- at least with respect to SELinux.  My interest is in 
learning what the logical limits are with respect to what can be sent 
and received as rawip to and from kernel_t; and what the limitations of 
what can be done with the data are.  I was hoping there is a document 
compiled somewhere that provides this (and similar) information.

- Ken -

--- Begin Message ---

To: "Christopher J. PeBenito" <cpebenito@xxxxxxxxxx>
Subject: Re: kernel_t and rawip
From: Ken <mantaray_1@xxxxxxx>
Date: Fri, 25 May 2007 11:47:09 -0700
In-reply-to: <1180018489.10995.70.camel@xxxxxxxxxxxxxxxxxxxxxxx>
References: <4654BC1D.9010104@xxxxxxx>	<1180018489.10995.70.camel@xxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;	rv:1.8.1.2) Gecko/20070501 SeaMonkey/1.1.1

Christopher J. PeBenito wrote:
On Wed, 2007-05-23 at 15:11 -0700, Ken wrote:
I became interested in SELinux primarily to increase the level of 
security I have when I am connected to the Internet, and until recently 
I have not allowed kernel_t to send or receive rawip over the Internet. 
  I have recently allowed this because I was having difficulty making an 
online payment without this enabled.  Since enabling this, I have 
wondered what the security implications of allowing kernel_t to send and 
receive rawip on the Internet are;

Its normal behavior, the kernel needs the permission so can handle ICMP
traffic, e.g. ping replies, destination unreachable, etc.

	I am aware of ICMP traffic, but even the best programs and protocols 
can be unexpectedly vulnerable to exploitation; and from a logical 
perspective, I have (completely and unconditionally) opened my system to 
allow a particular type of communication with outside connections -- at 
least with respect to SELinux.  My interest is in learning what the 
logical limits are with respect to what can be sent and received as 
rawip to and from kernel_t; and what the limitations of what can be done 
with the data are.  I was hoping there is a document compiled somewhere 
that provides this (and similar) information.

- Ken -

--- End Message ---
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list