On Thu, May 4, 2023 at 9:00 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> On 5/4/2023 9:11 AM, Roberto Sassu wrote:
> > Hi Casey
> >
> > while developing the fix for overlayfs, I tried first to address the
> > issue of an NFS filesystem failing to mount.
> >
> > The NFS server does not like the packets sent by the client:
> >
> > 14:52:20.827208 IP (tos 0x0, ttl 64, id 60628, offset 0, flags [DF], proto TCP (6), length 72, options (unknown 134,EOL))
> >     localhost.localdomain.omginitialrefs > _gateway.nfs: Flags [S], cksum 0x7618 (incorrect -> 0xa18c), seq 455337903, win 64240, options [mss 1460,sackOK,TS val 2178524519 ecr 0,nop,wscale 7], length 0
> > 14:52:20.827376 IP (tos 0xc0, ttl 64, id 5906, offset 0, flags [none], proto ICMP (1), length 112, options (unknown 134,EOL))
> >     _gateway > localhost.localdomain: ICMP parameter problem - octet 22, length 80
> >
> > I looked at the possible causes. SELinux works properly.
>
> SELinux was the reference LSM implementation for labeled networking.
>
> > What seems to happen is that there is a default netlabel mapping,
> > that is used to send the packets out.
>
> Correct. SELinux only uses CIPSO options for MLS.

SELinux can use the NetLabel/CIPSO "local" configuration to send full
SELinux labels over a loopback connection.

* https://www.paul-moore.com/blog/d/2012/06/cipso_loopback_full_labels.html

There are several differences between how SELinux and Smack implement
labeled networking, one of the larger differences is that SELinux leaves
the labeling configuration, e.g. which networks/interfaces are labeled
and how, as a separate exercise for the admin whereas the labeling
configuration is much more integrated with Smack. I wouldn't say one
approach is better than the other, they are simply different. The
SELinux approach provides for the greatest amount of flexibility with
the understanding that more work needs to be done by the admin. The
Smack approach provides a quicker path to getting a system up and
running, but it is less flexible for challenging/mixed network
environments.

There are other issues around handling IPv6, the sockets-as-objects
debate, etc. but those shouldn't be relevant to this discussion.

-- 
paul-moore.com
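The tcpdump excerpt quoted above reports an IPv4 option of type 134 (CIPSO, which tcpdump prints as "unknown 134") on the client's SYN, and the server answers with "ICMP parameter problem - octet 22". The following is an added example, not code from this thread, from NetLabel or from the kernel: it parses the option list of an IPv4 header and maps a parameter-problem pointer back to the header field it points at. The header bytes are constructed to match the shape tcpdump reported (IHL of 32 bytes, total length 72, CIPSO option followed by EOL and padding); the DOI value 3, the single tag and the RFC 5737 test addresses are assumed, not taken from the original capture. Under the CIPSO layout (type, length, 32-bit DOI, then tags) a pointer of 22 lands on the first octet of the DOI, which is what a receiver reports when it does not know the DOI it was sent.

```python
"""Decode IPv4 options and explain an ICMP parameter-problem pointer.

Added example for the CIPSO/NetLabel discussion above; not the thread's
or the kernel's code.  The packet header is CONSTRUCTED: DOI 3, the tag
bytes and the addresses are assumptions, chosen only to match the shape
of the capture (32-byte IPv4 header, option type 134 followed by EOL).
"""
import struct

IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no-operation (single octet)
IPOPT_CIPSO = 134  # Commercial IP Security Option (FIPS 188)

# Constructed IPv4 header of a TCP SYN carrying a CIPSO option.
CONSTRUCTED_SYN_HEADER = bytes([
    0x48, 0x00, 0x00, 0x48,   # version 4, IHL 8 (32 bytes), TOS 0, total length 72
    0xEC, 0xD4, 0x40, 0x00,   # id 60628, flags DF, fragment offset 0
    0x40, 0x06, 0x00, 0x00,   # TTL 64, protocol TCP (6), checksum left zero (constructed)
    192, 0, 2, 1,             # source address (RFC 5737 test range, constructed)
    192, 0, 2, 2,             # destination address (constructed)
    0x86, 0x0A,               # option type 134 (CIPSO), option length 10
    0x00, 0x00, 0x00, 0x03,   # DOI = 3 (assumed value)
    0x01, 0x04, 0x00, 0x00,   # tag type 1 (bitmap), tag length 4, alignment, level 0
    0x00, 0x00,               # EOL, then one octet of padding to the 32-bit boundary
])


def parse_ipv4_options(pkt: bytes):
    """Return [(offset, type, raw_bytes), ...] for each option in the header.

    Walks from octet 20 to IHL*4, stopping at EOL.  Raises ValueError on
    options that run past the header, which is the kind of malformed
    input a receiver would also reject.
    """
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated IPv4 header")
    opts = []
    off = 20
    while off < ihl:
        opt_type = pkt[off]
        if opt_type == IPOPT_EOL:
            opts.append((off, opt_type, pkt[off:off + 1]))
            break
        if opt_type == IPOPT_NOP:
            opts.append((off, opt_type, pkt[off:off + 1]))
            off += 1
            continue
        if off + 1 >= ihl:
            raise ValueError("option at octet %d has no length octet" % off)
        opt_len = pkt[off + 1]
        if opt_len < 2 or off + opt_len > ihl:
            raise ValueError("bad option length %d at octet %d" % (opt_len, off))
        opts.append((off, opt_type, pkt[off:off + opt_len]))
        off += opt_len
    return opts


def decode_cipso(opt: bytes):
    """Split a CIPSO option into (doi, [(tag_type, tag_payload), ...])."""
    if len(opt) < 6 or opt[0] != IPOPT_CIPSO:
        raise ValueError("not a CIPSO option")
    doi = struct.unpack("!I", opt[2:6])[0]
    tags = []
    pos = 6
    while pos < len(opt):
        if pos + 1 >= len(opt):
            raise ValueError("CIPSO tag at octet %d has no length" % pos)
        tag_type, tag_len = opt[pos], opt[pos + 1]
        if tag_len < 2 or pos + tag_len > len(opt):
            raise ValueError("bad CIPSO tag length %d" % tag_len)
        tags.append((tag_type, opt[pos + 2:pos + tag_len]))
        pos += tag_len
    return doi, tags


def locate_pointer(pkt: bytes, pointer: int) -> str:
    """Name the header field an ICMP parameter-problem pointer refers to."""
    if pointer < 20:
        return "fixed IPv4 header, octet %d" % pointer
    for off, opt_type, raw in parse_ipv4_options(pkt):
        if off <= pointer < off + len(raw):
            if opt_type != IPOPT_CIPSO:
                return "option type %d at octet %d" % (opt_type, off)
            rel = pointer - off
            if rel == 0:
                field = "type"
            elif rel == 1:
                field = "length"
            elif rel < 6:
                field = "DOI"
            else:
                field = "tag data"
            return "CIPSO option at octet %d, %s field" % (off, field)
    return "outside the IPv4 header"


if __name__ == "__main__":
    for off, opt_type, raw in parse_ipv4_options(CONSTRUCTED_SYN_HEADER):
        print("octet %d: option %d, %d byte(s)" % (off, opt_type, len(raw)))
        if opt_type == IPOPT_CIPSO:
            print("  CIPSO DOI/tags:", decode_cipso(raw))
    print("pointer 22 ->", locate_pointer(CONSTRUCTED_SYN_HEADER, 22))
```

Running it against a real capture means feeding `locate_pointer` the first IHL*4 bytes of the offending IPv4 header together with the pointer from the ICMP message; an answer of "DOI field" is the hint that the two hosts disagree on the CIPSO domain of interpretation rather than on a tag or level.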