
Netlabel: CIPSO labeling for Linux

October 18, 2006

This article was contributed by Jake Edge.

Current kernel-level security mechanisms, such as SELinux, focus strictly on securing local resources and do not communicate any security information to other machines on the network. The NetLabel project aims to change that by providing packet labeling capabilities for the kernel. The initial implementation, with support for Common IP Security Option (CIPSO) labeling, has been merged into the 2.6.19 kernel.

CIPSO is an IETF draft that has been adopted by a number of vendors; it is one of several network labeling standards used by 'trusted' operating systems. To interoperate with those systems, and eventually to replace them, Linux needs to provide the same capabilities.

At its core, CIPSO is an agreement between systems on a set of labels (or tags) describing the security level or context of the process that is sending the packets. CIPSO users define a 'domain of interpretation' (DOI) that governs the interpretation of those tags, so that both ends of the conversation can determine whether the other process has the authorization necessary for that communication. The DOI and labels are placed into the options portion of every IP packet that is sent and, based on those values, security requirements can be enforced at the kernel level. If a process attempts to communicate outside of its authorized scope, the kernel can drop the packet.
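To make the DOI/tag mechanism concrete, here is an added example (not code from the article or from the NetLabel project) that builds and parses a CIPSO IPv4 option carrying one restrictive-bitmap tag (tag type 1), then applies a simple receive-side decision. The wire layout (option type 134, 4-octet DOI, then tags; for tag type 1 an alignment octet, a sensitivity level and a category bitmap whose bit 0 is the most significant bit of the first octet) is taken from the CIPSO IETF draft, not from the article. The acceptance rule, a DOI match plus MLS-style dominance by the listening socket's label, is an illustrative assumption; in the real kernel the decision is delegated to the LSM (SELinux) and its policy.

```python
"""Build, parse and policy-check a CIPSO IPv4 option with one type-1 tag.

Layout per the CIPSO IETF draft (draft-ietf-cipso-ipsecurity):
  option type 134 | option length | DOI (4 octets, network order) | tags...
  tag type 1: type (1) | tag length | alignment octet 0 | sensitivity level | category bitmap
Category bit 0 is the most significant bit of the first bitmap octet.
"""
from dataclasses import dataclass
import struct

CIPSO_OPT_TYPE = 134        # IPv4 option number assigned to CIPSO
CIPSO_TAG_RBITMAP = 1       # restrictive bitmap tag (the single tag type discussed above)
IPV4_MAX_OPT_LEN = 40       # the IPv4 options area cannot exceed 40 octets
RBITMAP_MAX_TAG_LEN = 34    # 4 fixed octets plus at most 30 bitmap octets


@dataclass(frozen=True)
class CipsoLabel:
    doi: int
    level: int
    categories: frozenset


def encode_categories(categories):
    """Pack category numbers into the draft's bitmap (bit 0 = MSB of octet 0)."""
    if not categories:
        return b""
    buf = bytearray(max(categories) // 8 + 1)
    for cat in categories:
        buf[cat // 8] |= 0x80 >> (cat % 8)
    return bytes(buf)


def decode_categories(bitmap):
    """Inverse of encode_categories: set bits back to category numbers."""
    return frozenset(idx * 8 + bit
                     for idx, octet in enumerate(bitmap)
                     for bit in range(8) if octet & (0x80 >> bit))


def build_cipso_option(label):
    """Serialize a label into the bytes placed in the IP header's options area."""
    bitmap = encode_categories(label.categories)
    tag = bytes([CIPSO_TAG_RBITMAP, 4 + len(bitmap), 0, label.level]) + bitmap
    if len(tag) > RBITMAP_MAX_TAG_LEN:
        raise ValueError("too many categories for a type-1 tag")
    opt = bytes([CIPSO_OPT_TYPE, 6 + len(tag)]) + struct.pack("!I", label.doi) + tag
    if len(opt) > IPV4_MAX_OPT_LEN:
        raise ValueError("CIPSO option exceeds the IPv4 option limit")
    return opt


def parse_cipso_option(opt):
    """Parse a CIPSO option holding a single type-1 tag; ValueError if malformed."""
    if len(opt) < 6 or opt[0] != CIPSO_OPT_TYPE:
        raise ValueError("not a CIPSO option")
    opt_len = opt[1]
    if opt_len != len(opt) or opt_len > IPV4_MAX_OPT_LEN:
        raise ValueError("option length does not match the data")
    doi = struct.unpack("!I", opt[2:6])[0]
    if doi == 0:
        raise ValueError("DOI 0 is reserved")
    tag = opt[6:]
    if len(tag) < 4 or tag[0] != CIPSO_TAG_RBITMAP:
        raise ValueError("unsupported or truncated tag")
    if tag[1] != len(tag) or tag[1] > RBITMAP_MAX_TAG_LEN:
        raise ValueError("bad tag length")
    return CipsoLabel(doi=doi, level=tag[3], categories=decode_categories(tag[4:]))


def accept_packet(local_doi, socket_label, opt):
    """Illustrative receive-side decision (an assumption, not NetLabel's real
    logic, which is delegated to the LSM): accept only if the packet's DOI is
    the one this host is configured for and the packet label is dominated by
    the listening socket's label (level not higher, categories a subset).
    A malformed option is dropped rather than guessed at."""
    try:
        label = parse_cipso_option(opt)
    except ValueError:
        return False
    if label.doi != local_doi:
        return False
    return (label.level <= socket_label.level
            and label.categories <= socket_label.categories)


if __name__ == "__main__":
    # Constructed sample: DOI 1, level 2, categories {0, 9}
    wire = build_cipso_option(CipsoLabel(1, 2, frozenset({0, 9})))
    print(wire.hex())                                   # 860c00000001010600028040
    print(accept_packet(1, CipsoLabel(1, 3, frozenset({0, 9, 12})), wire))  # True
    print(accept_packet(2, CipsoLabel(2, 3, frozenset({0, 9})), wire))      # False: other DOI
```

The sample shows why the DOI matters: the same bytes are accepted by a host configured for DOI 1 and dropped by one configured for DOI 2, and a packet whose label exceeds the listening socket's level or category set is dropped as well.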

NetLabel is a mechanism to put CIPSO information into outgoing packets and to examine incoming packets for their tags. It uses the Linux Security Module (LSM) hooks to implement the labeling and checking. It also interfaces with SELinux to provide label information based on the SELinux context. Incoming sockets get a context that is based on the CIPSO tag and the context of the listening socket. In this way, access to specific services can be restricted to remote processes with the proper authorization.

Management of NetLabel is handled through the netlink socket interface; user space tools to configure it are available from the project page. The complexity of configuring NetLabel and SELinux is likely to be daunting to the uninitiated, but for those installations that already use CIPSO, it should be relatively straightforward.

NetLabel's design goals include a well-contained implementation that uses existing kernel hooks, as well as minimal performance impact when enabled but not configured. By running the gauntlet of kernel developers and getting merged into the kernel, NetLabel has likely met both of those goals. The current implementation provides minimal CIPSO support, just one tag type and none of the configuration parameters, but support for this additional functionality is planned, as is support for additional labeling protocols.

CIPSO and NetLabel are not for everyone; in fact, they are likely to be much less widely adopted than SELinux. CIPSO only works on very strictly controlled networks, since nothing in the specification prevents unauthorized machines from claiming authorization; the system and router configuration must prevent that kind of behavior. In addition, it provides yet another configuration challenge for administrators to get through before their systems will perform correctly. But for those installations that do need it, this work and its future additions should be very well received.



Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds