[ Resending -- my email was HTML and got rejected. Sorry for two emails, Paul :) ]

On Sun, Apr 18, 2021 at 5:19 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Sun, Apr 18, 2021 at 4:02 PM Paul R. Tagliamonte <paultag@xxxxxxxxx> wrote:
> > Hello SELinux folks,
>
> Hello fellow Paul.

Ah! Paul! A true pleasure -- and thanks again for all your documentation! I wouldn't be nearly as far as I am without you. I hope you know how many of us out here are very grateful for your tireless work, Paul!

> I'll admit to being a bit biased, but yeah, it is pretty cool ;)
>
> However, there are a few words of caution I should share. First, you
> will want to make sure that you protect your IPv4 header if you are
> sending CIPSO traffic across an untrusted network. Second, you need
> to make sure that any of your network hops/middle-boxes don't strip
> IPv4 options; if they do, you'll lose your CIPSO labels. The good
> news is that in both cases encapsulating your network traffic in a VPN
> or some other form of protected tunnel should solve both problems. If
> you use IPv6, CALIPSO has similar concerns, although due to the nature
> of CALIPSO and IPv6 the middle-box problem shouldn't really be an
> issue.

Understood on all counts, thank you very much!

> There is also labeled IPsec, but it is SELinux only and if you don't
> carefully synchronize your policies across nodes you can get into some
> odd/dangerous situations. People really like labeled IPsec because
> you can transmit the full SELinux label over the wire and not just the
> MLS/MCS information, but it's a bad design IMHO; you're better off
> with CIPSO/CALIPSO+IPsec if you can get by with just the MLS/MCS
> information.

Got it. That's super helpful, thanks.

> You didn't mention what distro and/or policy you are using (other than
> MCS), but my guess is you are running into a situation where the
> SELinux policy constraints are not set as expected. I know in the
> past the MCS labeled networking constraints were a bit lax, even
> outright missing at one point, so that would be a good place to start.

I'm running Debian sid -- which I am fully eyes-open about how stale and/or actively busted our policy is. I don't think too many people have MCS configured on their systems, so it's not going to be a huge shock to me when this is part of the root cause here. I have a pile of stuff I'm loading in even to get stuff to where I'm at now, and I think long-term I'll likely try to start agitating on ways to get Debian's policy a bit more up to date. That's a windmill for another day, though, I think. Our SELinux maintainers work very hard and I don't want to add work for them without being able to pitch in.

I've uploaded netlabel-tools to Debian[1] back in October, and I've been playing a bit with netlabel on my home network (both to get better at SELinux generally and CIPSO/CALIPSO/NetLabel specifically) so I can effectively triage/debug issues in Debian. I know basically no one is in the same boat as me, and I'm OK with that :)

> However, since most people are a bit lost when it comes to policy
> constraints, let me introduce you to The SELinux Notebook:
>
> * https://github.com/SELinuxProject/selinux-notebook
>
> ... it is an *amazing* freely available resource, that I would
> encourage you to take a look at if you haven't already. Its source
> material is in GitHub friendly Markdown, and you can render it into
> HTML and PDF if you like using the provided Makefile. The Notebook
> has a section on policy constraints where it provides some explanation
> of the "mlsconstrain" statement, which I believe is where your problem
> lies:

Amazing. Lovely. Thank you! I will be sure to go through this and work through issues as I find them. Thanks for the pointer, I hadn't found this yet!

> * https://github.com/SELinuxProject/selinux-notebook/blob/main/src/constraint_statements.md
> * https://github.com/SELinuxProject/selinux-notebook/blob/main/src/constraint_statements.md#mlsconstrain
>
> ... from there it is a matter of inspecting your policy to see what it
> specifies for the MLS/MCS network controls - good luck!

Perfect. Thanks, Paul!

[Mirror Universe] Paul

> --
> paul moore
> www.paul-moore.com

[1]: https://tracker.debian.org/pkg/netlabel-tools

--
:wq
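The middle-box caveat in Paul Moore's reply (a hop that strips IPv4 options silently drops the MLS/MCS label) can be made concrete by decoding the CIPSO option itself. The following is an added example, not code from the thread or from netlabel-tools: it parses the IPv4 options area, decodes a CIPSO option (type 134) with a bit-mapped tag (tag type 1) into DOI, level and categories, and reports when a header that should carry a label arrives with none. The sample headers are constructed here; the byte layout follows the CIPSO option format that NetLabel implements.

```python
import struct

CIPSO_OPT = 134  # IPv4 option type used for CIPSO labels

def parse_ipv4_options(pkt: bytes):
    """Return (type, data) pairs from the options area of one IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i, out = pkt[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == 0:            # End of Option List
            break
        if t == 1:            # NOP is a single octet
            i += 1
            continue
        ln = opts[i + 1]
        out.append((t, opts[i + 2:i + ln]))
        i += ln
    return out

def parse_cipso(data: bytes):
    """Decode DOI plus level/categories from a tag type 1 (bit-mapped) CIPSO tag."""
    doi = struct.unpack("!I", data[:4])[0]
    i, level, cats = 4, None, set()
    while i < len(data):
        tag, tlen = data[i], data[i + 1]
        if tag == 1:
            level = data[i + 3]  # data[i+2] is the alignment octet
            for bi, b in enumerate(data[i + 4:i + tlen]):
                for bit in range(8):
                    if b & (0x80 >> bit):   # category 0 is the MSB of the first octet
                        cats.add(bi * 8 + bit)
        i += tlen
    return {"doi": doi, "level": level, "categories": cats}

def label_of(pkt: bytes):
    """Label carried by the header, or None when no CIPSO option is present (e.g. stripped in transit)."""
    for t, d in parse_ipv4_options(pkt):
        if t == CIPSO_OPT:
            return parse_cipso(d)
    return None

def build_header(opts: bytes) -> bytes:
    """Constructed minimal IPv4 header: 20 fixed octets plus options padded to 32-bit words."""
    opts += b"\x00" * ((-len(opts)) % 4)
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts),
                        0, 0, 64, 6, 0, bytes(4), bytes(4))
    return fixed + opts

# Constructed sample: DOI 1, tag type 1, level 1 (s1), categories {0, 9} (c0,c9)
SAMPLE_CIPSO = bytes.fromhex("860c00000001" "010600018040")
LABELED = build_header(SAMPLE_CIPSO)
STRIPPED = build_header(b"")   # same flow after a hop dropped the IPv4 options

if __name__ == "__main__":
    print(label_of(LABELED))   # {'doi': 1, 'level': 1, 'categories': {0, 9}}
    print(label_of(STRIPPED))  # None: the MLS/MCS label did not survive the path
```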