Documentation on Enabling NetLabel

Hey SELinux folks,

Sorry for the second email in no time, but I'm a bit stuck and could use
some pointers to continue my quest to get NetLabel working on a Debian
VM, and send patches to make it easier for others in the future :)

I have SELinux and MLS working (even to some degree whilst enforcing!)
in a VM, generally speaking. I can ssh in and do normal things. The
rules need a bit more love, but it's in a fine state that I'm happy
working from.

I've been able to set up NetLabel to attach a security context to
connections (nice!) that shows up when querying the peer context, but switching
from permissive to `1` results in dropped traffic.

I'm sure this is likely the result of (correct!) filtering going on, and
because it's now gone from no context to a context, traffic is likely
getting filtered out. I don't see anything in audit2why in permissive
mode, but I also don't know if invalid network activity is logged.

I've tried tcpdump on the host, to no avail. I see packets going in, and
not much coming out. I've kept the kernel on the VM host on a version that
doesn't have NETLABEL enabled, in an effort to not have the host kernel get
in the way.

Specifically, I've tried:

```
netlabelctl cipsov4 add local doi:2
netlabelctl unlbl accept on

netlabelctl map del default
netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
netlabelctl map add default address:::/0 protocol:unlbl
netlabelctl map add default address:10.128.0.0/24 protocol:unlbl
netlabelctl map add default address:127.0.0.1 protocol:cipsov4,2
```


On localhost, I can't connect to any running daemons (such as SSH), and
I've specifically not added the NIC that is bridged to my LAN (in a maybe
misguided attempt to keep traffic from the LAN unmarked) to any netlabel
rules. I was also unable to connect to the OpenSSH server via the
network IP either.

When enforcing without running the above netlabel commands, I can ssh into the
box successfully.

Thanks for any help anyone can provide, and thank you all very much for
being so helpful for my last question!

    paultag

-- 
 .''`.  Paul Tagliamonte <paultag@xxxxxxxxxx>
: :'  : Proud Debian Developer
`. `'`  4096R / FEF2 EB20 16E6 A856 B98C E820 2DCD 6B5D E858 ADF3
 `-     http://people.debian.org/~paultag

Attachment: signature.asc
Description: PGP signature
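The post above asks whether invalid network activity is logged at all. The following is an added example, not part of the mailing-list post or of the NetLabel tools: a small scanner for the standard Linux audit AVC record format that keeps only denials on the SELinux network object classes (peer, packet, node, netif, the socket classes) and reports which domain was refused which permission against which peer or node label, separating permissive-mode records (`permissive=1`) from enforcing-mode drops. The audit lines embedded in it are constructed to show the record shape; the type names in them (`sshd_t`, `unlabeled_t`, `node_t`, `shadow_t`) are common reference-policy names used only as sample values.

```python
"""Filter Linux audit logs for SELinux AVC denials on network object classes.

Added illustration for the NetLabel thread; not code from the original
post.  SAMPLE_LINES below are constructed records in the standard AVC
format, not output captured from the poster's VM.
"""
import re
import sys
from collections import Counter

# Object classes whose denials appear once traffic carries a peer label.
NETWORK_CLASSES = {
    "peer", "packet", "node", "netif", "association",
    "tcp_socket", "udp_socket", "rawip_socket", "dccp_socket", "sctp_socket",
}

# type=AVC msg=audit(<secs>:<serial>): avc:  denied  { perm ... } for  k=v ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="sshd") or bare (tclass=peer).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records: two permissive-mode network denials, one
# unrelated file denial, one SYSCALL record, and one enforcing-mode drop.
SAMPLE_LINES = [
    'type=AVC msg=audit(1700000000.123:401): avc:  denied  { recv } for  pid=812 '
    'comm="sshd" saddr=127.0.0.1 src=52310 daddr=127.0.0.1 dest=22 netif=lo '
    'scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=peer permissive=1',
    'type=AVC msg=audit(1700000000.124:402): avc:  denied  { recvfrom } for  pid=812 '
    'comm="sshd" saddr=127.0.0.1 src=52310 daddr=127.0.0.1 dest=22 netif=lo '
    'scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:node_t:s0 '
    'tclass=node permissive=1',
    'type=AVC msg=audit(1700000000.200:410): avc:  denied  { read } for  pid=900 '
    'comm="cat" name="shadow" dev="vda1" ino=1234 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1700000000.123:401): arch=c000003e syscall=45 '
    'success=yes exit=0 comm="sshd"',
    'type=AVC msg=audit(1700000100.500:520): avc:  denied  { send } for  pid=812 '
    'comm="sshd" saddr=10.128.0.5 src=22 daddr=10.128.0.9 dest=52310 netif=eth0 '
    'scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=packet permissive=0',
]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["timestamp"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    # The kernel appends permissive=1 when the denial was logged but not enforced.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def network_denials(lines):
    """Keep only denied AVC records whose target class is a network class."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and rec.get("tclass") in NETWORK_CLASSES:
            out.append(rec)
    return out


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(records):
    """Count (source type, target type, class, permission) tuples."""
    counts = Counter()
    for rec in records:
        for perm in rec["perms"]:
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts


def enforcing_drops(records):
    """Records that were actually blocked (permissive=0), i.e. real traffic loss."""
    return [r for r in records if not r["permissive"]]


if __name__ == "__main__":
    # Usage: python avc_net.py /var/log/audit/audit.log   (defaults to the samples)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    recs = network_denials(source)
    for key, n in sorted(summarize(recs).items()):
        print("%-20s -> %-16s %-10s %-10s x%d" % (key + (n,)))
    print("enforcing-mode drops:", len(enforcing_drops(recs)))
```

Run it against the real audit log after reproducing the failure in permissive mode; records tagged `permissive=1` with a `peer` or `node` target show which domain-to-label pair the policy would refuse once enforcing is switched on, which is the information needed before writing any allow rules.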

