|| ||James Morris <firstname.lastname@example.org>|
|| ||[RFC] SECMARK 1.0|
|| ||Sun, 7 May 2006 11:31:38 -0400 (EDT)|
|| ||email@example.com, firstname.lastname@example.org,
Stephen Smalley <email@example.com>,
Daniel J Walsh <firstname.lastname@example.org>|
The following patchsets implement a new scheme for adding security
markings to packets via iptables, as well as changes to SELinux to use
these markings for security policy enforcement.
Along with these patches, assorted files including policy examples and
patches for SELinux userland may be found at:
The requirements for secmark arise from the current per-packet network
controls in SELinux, which are rudimentary, and not as expressive or
powerful as the controls provided by Netfilter/iptables.
Thus, the idea is to leverage Netfilter/iptables for packet selection and
labeling, so that SELinux can have more powerful and expressive network
controls. This also allows for increased security, as the policy is more
effective, allowing access to the full range of iptables selectors and
For example, SELinux will now be able to utilize connection tracking, so
that only packets which are known to be valid for a specific connection
will be allowed to reach the subject.
Sample iptables rules for labeling packets are at:
And examples of new policy controls may be found here:
The sample policy for ftpd demonstrates how the vsftpd server can be
confined so that it only receives SYN packets on the ftp control port for
new connections, as well as any packets related to the ftp control or data
connections and related ICMP packets. It is also allowed to send DNS
Note that only the per-packet network controls are being replaced -- the
existing socket-based controls such as name_bind, node_bind and
name_connect are being retained as they are useful for applications in
that they return error messages in response to socket calls, and prevent,
for example, an application from binding to specific local IP addresses.
Also, this local packet marking is orthogonal to the xfrm network labeling
(which is for mediating access based on the security context of the
endpoints across a network connection).
Please review these patches and let me know if there are any queries.
I would like to get the kernel components upstream in the 2.6.18 merge
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to email@example.com
More majordomo info at http://vger.kernel.org/majordomo-info.html