On 11/1/12 11:58 AM, "Paul Moore" <paul@xxxxxxxxxxxxxx> wrote: >On Wednesday, October 31, 2012 08:24:21 AM Moyer, Thomas - 0668 - MITLL >wrote: >> Yes. That is correct. What I am looking at though is a piece of hardware >> that does not use IP (or TCP and UDP for that matter). Instead, they >> implement their own protocol at the IP layer. So any traffic coming from >> the hardware (to the system that I am writing policy for) and any >>traffic >> being sent to that machine uses a raw socket to communicate (no IP at >> all). I briefly looked at ebtables, but it doesn't appear to have the >>same >> type of SECMARK support that I would use with iptables. > >I think I misunderstood your original question; I thought you were >interested >in labeling the ethernet frames on the wire while it sounds like you are >only >interested in assigning labels to the network traffic once it has been >received by the system - yes? Correct. > >> I think the best solution that I have come up with is to label the >>network >> interface used to communicate with the hardware, and then only allow the >> domain being confined to create sockets and bind to that interface. > >I assume you are talking about the ingress/egress controls? Also correct. > >If so, a word of caution, they *may* not catch non-IP traffic due to they >way >they are hooked into the network stack. I'd be interested in hearing >what >happens in your case. We are trying to ensure that only specific applications running on the system can communicate with the embedded hardware. One way to do this is to filter network traffic. At least the "easiest" that I could identify. > >> >On Friday, October 26, 2012 04:08:15 PM Moyer, Thomas - 0668 - MITLL >> > >> >wrote: >> >> I am working with a piece of embedded hardware that uses raw ethernet >> >> frames to communicate with another (standard PC). Is it possible to >>apply >> >> SELinux labels to those ethernet frames like you can with IP packets >> >> using iptables and SECMARK? >> > >> >The secmark/iptables labels never leave the local system, they are >> >maintained only within the kernel and do not travel out over the wire. >> If >> >you are interested in communicating security label over the network >>your >> >only options at present require an IP header at the very least. > >-- >paul moore >www.paul-moore.com > -- Thomas Moyer, Technical Staff voice: (781) 981-1374 Cyber Systems Technology Group mobile: (857) 268-0493 MIT Lincoln Laboratory email: thomas.moyer@xxxxxxxxxx 244 Wood Street Lexington, MA 02420
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
