On 11/1/12 1:03 PM, "Bryan Hinton" <bryan@xxxxxxxxxxxxxxx> wrote:

>Thomas,
>You had mentioned that you are working with a piece of embedded hardware
>that uses raw ethernet frames to communicate with another PC.
>I had a few questions to better understand the problem.
>Are you manually packing the MAC destination and MAC source address in
>the ethernet frame?

There is a library that is provided to us that handles the communication. I believe the library constructs the ethernet frame manually, including the MAC addresses.

>Are you restricted to a specific medium - i.e. ethernet cable?

Yes. The hardware dictates this. We do have the guarantee that the interface is a direct connection between the PC and the embedded hardware.

>Which embedded Linux distribution are you working with and which version
>of the Linux kernel are you working with?

The PC runs Red Hat Enterprise Linux 6. The OS on the other side is not known (to me). It is treated as a black box.

>Have you explored the MAC filtering capabilities in iptables?

I didn't think that iptables would actually be involved since the ethernet frames have no IP header in them.

>Am I correct in assuming that you are trying to dynamically filter MAC
>addresses?

Not sure what is meant by the above. The goal is to limit what applications running on the system can communicate with the embedded hardware connected to the system.

>If not, what parameters constitute a raw ethernet frame that should get
>labeled?

As above, I'm not sure I follow the question. I think the shortest answer I can provide is that this hardware has a protocol that is used in place of IP, and we need to do some filtering to enforce the security property outlined above (only application X can communicate with the hardware).

>
>Also, labeling the network interface per prior suggestions sounds like a
>good idea but was curious regarding the above questions.

I think that is the route we have decided on.

On the off chance that we test out the connection and iptables will actually identify the traffic, I might consider that, but given the other constraints (e.g. the connection is a dedicated connection between the system and the embedded device) I think the interface labeling will work fine.

>
>Bryan Hinton
>
>________________________________________
>From: owner-selinux@xxxxxxxxxxxxx [owner-selinux@xxxxxxxxxxxxx] on behalf
>of Paul Moore [paul@xxxxxxxxxxxxxx]
>Sent: Thursday, November 01, 2012 8:58 AM
>To: Moyer, Thomas - 0668 - MITLL
>Cc: selinux@xxxxxxxxxxxxx
>Subject: Re: Question about SELinux capability
>
>On Wednesday, October 31, 2012 08:24:21 AM Moyer, Thomas - 0668 - MITLL
>wrote:
>> Yes. That is correct. What I am looking at though is a piece of hardware
>> that does not use IP (or TCP and UDP for that matter). Instead, they
>> implement their own protocol at the IP layer. So any traffic coming from
>> the hardware (to the system that I am writing policy for) and any traffic
>> being sent to that machine uses a raw socket to communicate (no IP at
>> all). I briefly looked at ebtables, but it doesn't appear to have the same
>> type of SECMARK support that I would use with iptables.
>
>I think I misunderstood your original question; I thought you were interested
>in labeling the ethernet frames on the wire while it sounds like you are only
>interested in assigning labels to the network traffic once it has been
>received by the system - yes?
>
>> I think the best solution that I have come up with is to label the network
>> interface used to communicate with the hardware, and then only allow the
>> domain being confined to create sockets and bind to that interface.
>
>I assume you are talking about the ingress/egress controls?
>
>If so, a word of caution, they *may* not catch non-IP traffic due to the way
>they are hooked into the network stack. I'd be interested in hearing what
>happens in your case.
>
>> >On Friday, October 26, 2012 04:08:15 PM Moyer, Thomas - 0668 - MITLL
>> >wrote:
>> >> I am working with a piece of embedded hardware that uses raw ethernet
>> >> frames to communicate with another (standard PC). Is it possible to apply
>> >> SELinux labels to those ethernet frames like you can with IP packets
>> >> using iptables and SECMARK?
>> >
>> >The secmark/iptables labels never leave the local system, they are
>> >maintained only within the kernel and do not travel out over the wire. If
>> >you are interested in communicating security label over the network your
>> >only options at present require an IP header at the very least.
>
>--
>paul moore
>www.paul-moore.com
>
>
>--
>This message was distributed to subscribers of the selinux mailing list.
>If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>the words "unsubscribe selinux" without quotes as the message.
>
>

--
Thomas Moyer, Technical Staff          voice: (781) 981-1374
Cyber Systems Technology Group         mobile: (857) 268-0493
MIT Lincoln Laboratory                 email: thomas.moyer@xxxxxxxxxx
244 Wood Street
Lexington, MA 02420
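The distinction the thread turns on, shown in code as an added example that is not from any participant in the thread or from the SELinux project: iptables/ip6tables (and therefore SECMARK) only process traffic that carries an IPv4 or IPv6 header, while a vendor protocol placed directly on Ethernet never has one, so the only frame-level facts a host-side control can key on are the destination MAC, source MAC and EtherType. The block parses the 14-byte Ethernet header (with an optional 802.1Q tag), then reports which of the controls discussed above can act on each frame. The MAC addresses, the sample payloads and the use of the IEEE local-experimental EtherType 0x88B5 as a stand-in for the hardware's own protocol are constructed for the example; the control names in the result are descriptive labels, not SELinux permission names.

```python
"""Classify raw Ethernet frames by which host-side controls can see them.

Added example for the SELinux list thread above; nothing here is project code.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_HDR_LEN = 14
ETH_P_IP = 0x0800         # IPv4
ETH_P_IPV6 = 0x86DD       # IPv6
ETH_P_8021Q = 0x8100      # 802.1Q VLAN tag
ETH_P_LOCAL_EXP = 0x88B5  # IEEE local experimental EtherType; stands in for the
                          # vendor protocol from the thread (constructed choice)


@dataclass(frozen=True)
class EthernetFrame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]
    ethertype: int
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_frame(dst_mac: str, src_mac: str, ethertype: int,
                payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Pack dst MAC, src MAC, optional 802.1Q tag, EtherType and payload."""
    header = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan_id is not None:
        # TPID 0x8100 followed by the TCI; only the 12-bit VLAN id is set here.
        header += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> EthernetFrame:
    """Decode the Ethernet header; rejects frames too short to hold one."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    offset = ETH_HDR_LEN
    vlan_id = None
    if ethertype == ETH_P_8021Q:
        if len(frame) < ETH_HDR_LEN + 4:
            raise ValueError("802.1Q tag present but frame is truncated")
        tci, ethertype = struct.unpack_from("!HH", frame, ETH_HDR_LEN)
        vlan_id = tci & 0x0FFF
        offset = ETH_HDR_LEN + 4
    return EthernetFrame(_mac_str(dst), _mac_str(src), vlan_id, ethertype, frame[offset:])


def carries_ip(frame: EthernetFrame) -> bool:
    return frame.ethertype in (ETH_P_IP, ETH_P_IPV6)


def host_controls(frame: EthernetFrame) -> Dict[str, bool]:
    """Which controls from the thread can act on this frame on the receiving host.

    iptables/ip6tables SECMARK rules need an IP header to match at all, and the
    caveat raised in the thread is that the netif ingress/egress checks may
    likewise miss non-IP traffic, so both are marked False for non-IP frames.
    Restricting which domain may create a raw/packet socket in the first place
    does not depend on what the frame carries.
    """
    ip = carries_ip(frame)
    return {
        "iptables_secmark": ip,
        "netif_ingress_egress_expected": ip,
        "socket_create_permission": True,
    }


# Constructed sample traffic on the dedicated PC <-> device link.
PC_MAC = "02:00:00:00:00:01"      # locally administered, constructed
DEVICE_MAC = "02:00:00:00:00:02"  # locally administered, constructed

SAMPLE_FRAMES: List[bytes] = [
    # IPv4 frame: version/IHL byte 0x45 plus a zeroed 20-byte header (constructed)
    build_frame(PC_MAC, DEVICE_MAC, ETH_P_IP, bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)),
    # vendor protocol placed directly on Ethernet, as described in the thread
    build_frame(PC_MAC, DEVICE_MAC, ETH_P_LOCAL_EXP, b"\x01\x02\x03\x04"),
    # the same vendor protocol behind an 802.1Q tag
    build_frame(DEVICE_MAC, PC_MAC, ETH_P_LOCAL_EXP, b"\x05\x06", vlan_id=42),
]


def summarize(frames: List[bytes]) -> List[Dict[str, object]]:
    """One row per frame: addressing, EtherType and the control verdicts."""
    rows: List[Dict[str, object]] = []
    for raw in frames:
        f = parse_frame(raw)
        rows.append({"src": f.src_mac, "dst": f.dst_mac, "vlan": f.vlan_id,
                     "ethertype": f"0x{f.ethertype:04x}", **host_controls(f)})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_FRAMES):
        print(row)
```

Running the file prints one row per sample frame; the IPv4 row is the only one where `iptables_secmark` is True, which is the reason the thread settles on labeling the interface and confining socket creation rather than relying on SECMARK for this link. The `netif_ingress_egress_expected` field encodes the caveat from the thread as "do not count on it for non-IP traffic", not a claim about a specific kernel version.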