http://arctic.selinuxproject.org/w/?title=NB_Networking&feed=atom&action=history NB Networking - Revision history 2024-03-28T20:35:40Z Revision history for this page on the wiki MediaWiki 1.23.13 http://arctic.selinuxproject.org/w/?title=NB_Networking&diff=1797&oldid=prev RichardHaines: /* SELinux Networking Support */ 2015-09-25T14:01:19Z <p>‎<span dir="auto"><span class="autocomment">SELinux Networking Support</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:01, 25 September 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 5:</td> <td colspan="2" class="diff-lineno">Line 5:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>There are two policy capability options that can be set within policy using the &lt;tt&gt;policycap&lt;/tt&gt; statement that affect networking configuration:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; 
font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>There are two policy capability options that can be set within policy using the &lt;tt&gt;policycap&lt;/tt&gt; statement that affect networking configuration:</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>: '''network_peer_controls''' - This is always enabled in the latest Reference Policy source. The [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/14-fallback.png Fallback Labeling] diagram shows the differences between the policy capability being set to 0 and 1.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>: '''network_peer_controls''' - This is always enabled in the latest Reference Policy source. The [http://selinuxproject.org/~rhaines/NB4-diagrams/14-fallback.png Fallback Labeling] diagram shows the differences between the policy capability being set to 0 and 1.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''always_use_network''' - This capability would normally be set to false. If true SECMARK and NetLabel peer labeling are always enabled even if there are no SECMARK, NetLabel or Labeled IPsec rules configured. 
This forces checking of the &lt;tt&gt;packet&lt;/tt&gt; class to protect the system should any rules fail to load or they get maliciously flushed. Requires kernel 3.13 minimum.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>: '''always_use_network''' - This capability would normally be set to false. If true SECMARK and NetLabel peer labeling are always enabled even if there are no SECMARK, NetLabel or Labeled IPsec rules configured. This forces checking of the &lt;tt&gt;packet&lt;/tt&gt; class to protect the system should any rules fail to load or they get maliciously flushed. Requires kernel 3.13 minimum.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td colspan="2" class="diff-lineno">Line 34:</td> <td colspan="2" class="diff-lineno">Line 34:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The NetFilter framework inspects and tag packets with labels as defined within '''iptables'''(8) and then uses the security framework (e.g. SELinux) to enforce the policy rules. 
Therefore SECMARK services are not SELinux specific as other security modules using the LSM infrastructure could also implement the same services (e.g. SMACK).</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The NetFilter framework inspects and tag packets with labels as defined within '''iptables'''(8) and then uses the security framework (e.g. SELinux) to enforce the policy rules. Therefore SECMARK services are not SELinux specific as other security modules using the LSM infrastructure could also implement the same services (e.g. SMACK).</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>While the implementation of iptables / NetFilter is beyond the scope of this Notebook, there are tutorials available&lt;ref name=&quot;ftn16&quot;&gt;&lt;sup&gt;There is a very good tutorial at [http://www.frozentux.net/documents/iptables-tutorial/ http://www.frozentux.net/documents/iptables-tutorial/], however it does not cover the security table that was introduced by: [http://lwn.net/Articles/267140/ http://lwn.net/Articles/267140/]. 
It is still possible to use the 'mangle table' to hold security labels.&lt;/sup&gt;&lt;/ref&gt;. The [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/13-secmark.png SECMARK Processing] diagram shows the basic structure with the process working as follows:</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>While the implementation of iptables / NetFilter is beyond the scope of this Notebook, there are tutorials available&lt;ref name=&quot;ftn16&quot;&gt;&lt;sup&gt;There is a very good tutorial at [http://www.frozentux.net/documents/iptables-tutorial/ http://www.frozentux.net/documents/iptables-tutorial/], however it does not cover the security table that was introduced by: [http://lwn.net/Articles/267140/ http://lwn.net/Articles/267140/]. It is still possible to use the 'mangle table' to hold security labels.&lt;/sup&gt;&lt;/ref&gt;. The [http://selinuxproject.org/~rhaines/NB4-diagrams/13-secmark.png SECMARK Processing] diagram shows the basic structure with the process working as follows:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* A table called the 'security table' is used to define the parameters that identify and 'mark' packets that can then be tracked as the packet travels through the networking sub-system. 
These 'marks' are called SECMARK and CONNSECMARK.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* A table called the 'security table' is used to define the parameters that identify and 'mark' packets that can then be tracked as the packet travels through the networking sub-system. These 'marks' are called SECMARK and CONNSECMARK.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* A SECMARK is placed against a packet if it matches an entry in the security table applying a label that can then be used to enforce policy on the packet.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* A SECMARK is placed against a packet if it matches an entry in the security table applying a label that can then be used to enforce policy on the packet.</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 86:</td> <td colspan="2" class="diff-lineno">Line 86:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The example message filter has an optional module that makes use of fallback labels and can be found in the Notebook source tarball.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; 
color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The example message filter has an optional module that makes use of fallback labels and can be found in the Notebook source tarball.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The network peer controls have been extended to support an additional object class of 'peer' that is enabled by default in the F-20 policy as the network_peer_controls in &lt;tt&gt;/sys/fs/selinux/policy_capabilities&lt;/tt&gt; is set to '&lt;tt&gt;1&lt;/tt&gt;'. 
The [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/14-fallback.png Fallback Labeling] diagram shows the differences between the policy capability network_peer_controls being set to 0 and 1.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The network peer controls have been extended to support an additional object class of 'peer' that is enabled by default in the F-20 policy as the network_peer_controls in &lt;tt&gt;/sys/fs/selinux/policy_capabilities&lt;/tt&gt; is set to '&lt;tt&gt;1&lt;/tt&gt;'. The [http://selinuxproject.org/~rhaines/NB4-diagrams/14-fallback.png Fallback Labeling] diagram shows the differences between the policy capability network_peer_controls being set to 0 and 1.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== NetLabel - CIPSO ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: 
pre-wrap;"><div>== NetLabel - CIPSO ==</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 95:</td> <td colspan="2" class="diff-lineno">Line 95:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The protocol is implemented by the NetLabel service (see &lt;tt&gt;'''netlabelctl'''(8)&lt;/tt&gt;) and can be used by other security modules that use the LSM infrastructure. The NetLabel implementation supports:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The protocol is implemented by the NetLabel service (see &lt;tt&gt;'''netlabelctl'''(8)&lt;/tt&gt;) and can be used by other security modules that use the LSM infrastructure. 
The NetLabel implementation supports:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Tag Type 1 bit mapped format that allows a maximum of 256 sensitivity levels and 240 categories to be mapped.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Tag Type 1 bit mapped format that allows a maximum of 256 sensitivity levels and 240 categories to be mapped.</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># A non-translation option where labels are passed to / from systems unchanged (for host to host communications as show in the [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/15-mls1.png MLS Systems on the same network] diagram).</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># A non-translation option where labels are passed to / from systems unchanged (for host to host communications as show in the [http://selinuxproject.org/~rhaines/NB4-diagrams/15-mls1.png MLS Systems on the same network] diagram).</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; 
white-space: pre-wrap;"><div># A translation option where both the sensitivity and category components can be mapped for systems that have either different definitions for labels or information can be exchanged over different networks (for example using an SELinux enabled gateway as a guard as shown in the [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/16-mls2.png MLS Systems on different networks communicating via a gateway] diagram).</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># A translation option where both the sensitivity and category components can be mapped for systems that have either different definitions for labels or information can be exchanged over different networks (for example using an SELinux enabled gateway as a guard as shown in the [http://selinuxproject.org/~rhaines/NB4-diagrams/16-mls2.png MLS Systems on different networks communicating via a gateway] diagram).</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Labeled IPSec ==</div></td><td class='diff-marker'>&#160;</td><td 
style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Labeled IPSec ==</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Labeled IPSec has been built into the standard GNU / Linux IPSec services as described in the &quot;[http://nsrc.cse.psu.edu/tech_report/NAS-TR-0037-2006.pdf Leveraging IPSec for Distributed Authorization]. the [http://<del class="diffchange diffchange-inline">taiga.</del>selinuxproject.org/~rhaines/NB4-diagrams/17-ipsec.png IPSec communications] diagram shows the basic components that form the service based on IPSec tools where it is generally used to set up either an encrypted tunnel between two machines&lt;ref name=&quot;ftn20&quot;&gt;&lt;sup&gt;Also known as a virtual private network (VPN).&lt;/sup&gt;&lt;/ref&gt; or an encrypted transport session. The extensions defined in describe how the security context is configured and negotiated between the two systems (called security associations (SAs) in IPSec terminology).</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Labeled IPSec has been built into the standard GNU / Linux IPSec services as described in the &quot;[http://nsrc.cse.psu.edu/tech_report/NAS-TR-0037-2006.pdf Leveraging IPSec for Distributed Authorization]. 
the [http://selinuxproject.org/~rhaines/NB4-diagrams/17-ipsec.png IPSec communications] diagram shows the basic components that form the service based on IPSec tools where it is generally used to set up either an encrypted tunnel between two machines&lt;ref name=&quot;ftn20&quot;&gt;&lt;sup&gt;Also known as a virtual private network (VPN).&lt;/sup&gt;&lt;/ref&gt; or an encrypted transport session. The extensions defined in describe how the security context is configured and negotiated between the two systems (called security associations (SAs) in IPSec terminology).</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Basically what happens is as follows&lt;ref name=&quot;ftn21&quot;&gt;&lt;sup&gt;There is an “IPSec HOWTO&quot; at [http://www.ipsec-howto.org/ http://www.ipsec-howto.org] that gives the gory details, however it does not cover Labeled IPSec.&lt;/sup&gt;&lt;/ref&gt;:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Basically what happens is as follows&lt;ref name=&quot;ftn21&quot;&gt;&lt;sup&gt;There is an “IPSec 
HOWTO&quot; at [http://www.ipsec-howto.org/ http://www.ipsec-howto.org] that gives the gory details, however it does not cover Labeled IPSec.&lt;/sup&gt;&lt;/ref&gt;:</div></td></tr> </table> RichardHaines http://arctic.selinuxproject.org/w/?title=NB_Networking&diff=1716&oldid=prev RichardHaines at 15:06, 7 December 2014 2014-12-07T15:06:41Z <p></p> <a href="http://arctic.selinuxproject.org/w/?title=NB_Networking&amp;diff=1716&amp;oldid=1029">Show changes</a> RichardHaines http://arctic.selinuxproject.org/w/?title=NB_Networking&diff=1029&oldid=prev Jaxelson at 20:47, 13 September 2010 2010-09-13T20:47:25Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 20:47, 13 September 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 142:</td> <td colspan="2" class="diff-lineno">Line 142:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;references/&gt;</div></td><td 
class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;references/&gt;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:Notebook]]</ins></div></td></tr> </table> Jaxelson http://arctic.selinuxproject.org/w/?title=NB_Networking&diff=962&oldid=prev RichardHaines at 14:22, 18 May 2010 2010-05-18T14:22:43Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 14:22, 18 May 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 91:</td> <td colspan="2" class="diff-lineno">Line 91:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; 
font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>A worked example of a Labeled IPSec session showing manual and racoon&lt;ref name=&quot;ftn26&quot;<del class="diffchange diffchange-inline">&gt;&lt;sup</del>&gt;Unfortunately racoon core dumps using the example base module decribed in volume 2 but does work using the standard Red Hat targeted policy.<del class="diffchange diffchange-inline">&lt;/sup&gt;</del>&lt;/ref&gt; to configure the SAD is described in the Labeled IPSec Module Example section of the Sample Policy Source volume.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>A worked example of a Labeled IPSec session showing manual and racoon&lt;ref name=&quot;ftn26&quot;&gt;Unfortunately racoon core dumps using the example base module decribed in volume 2 but does work using the standard Red Hat targeted policy.&lt;/ref&gt; to configure the SAD is described in the Labeled IPSec Module Example section of the Sample Policy Source 
volume.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>There is a further example in the &quot;[http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ Secure Networking with SELinux]&quot; article.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>There is a further example in the &quot;[http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ Secure Networking with SELinux]&quot; article.</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 124:</td> <td colspan="2" class="diff-lineno">Line 124:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; 
vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>To manually load the above configuration file to populate the SPD and SAD&lt;ref name=&quot;ftn27&quot;<del class="diffchange diffchange-inline">&gt;&lt;sup</del>&gt;If using racoon, the SAs would be negotiated using information from the SPD on each machine, with the SAD then being populated by racoon calling the setkey services.<del class="diffchange diffchange-inline">&lt;/sup&gt;</del>&lt;/ref&gt; the following command would be used:</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>To manually load the above configuration file to populate the SPD and SAD&lt;ref name=&quot;ftn27&quot;&gt;If using racoon, the SAs would be negotiated using information from the SPD on each machine, with the SAD then being populated by racoon calling the setkey services.&lt;/ref&gt; the following command would be used:</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 
0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>setkey -f &lt;SPD_configuration_file&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>setkey -f &lt;SPD_configuration_file&gt;</div></td></tr> </table> RichardHaines http://arctic.selinuxproject.org/w/?title=NB_Networking&diff=961&oldid=prev RichardHaines: New page: = SELinux Networking Support = SELinux supports the following types of network labeling: '''Internal labeling''' - This is where network objects are labeled and managed internally within ... 2010-05-18T14:19:40Z <p>New page: = SELinux Networking Support = SELinux supports the following types of network labeling: &#039;&#039;&#039;Internal labeling&#039;&#039;&#039; - This is where network objects are labeled and managed internally within ...</p> <p><b>New page</b></p><div>= SELinux Networking Support =<br /> SELinux supports the following types of network labeling:<br /> <br /> '''Internal labeling''' - This is where network objects are labeled and managed internally within a single machine (i.e. their labels are not transmitted as part of the session with remote systems). 
There are three types supported: those known as &quot;compat_net&quot; controls that label nodes, interfaces and ports; SECMARK, which labels packets; and fallback peer labeling.<br /> <br /> '''Labeled Networking''' - This is where labels are passed to/from remote systems where they can be interpreted and a MAC policy enforced on each system. This is also known as &quot;peer labeling&quot;. There are two types supported: Labeled IPSec and CIPSO (commercial IP security option).<br /> <br /> Note that F-12 does not have the NetLabel or IPSec tools installed as standard; yum can therefore be used to install them as shown below:<br /> &lt;pre&gt;<br /> yum install netlabel_tools<br /> <br /> yum install ipsec-tools<br /> &lt;/pre&gt;<br /> <br /> == compat_net Controls ==<br /> These labeling services make use of the [[NetworkStatements | Network Labeling Statements]] to label network object nodes, interfaces and ports with security contexts that are then used to enforce controls. The [[NetworkStatements | Network Labeling Statements]] section defines each of the statements with examples of their usage.<br /> <br /> The [http://taiga.selinuxproject.org/~rhaines/diagrams/14-compat_net.png compat_net Controls] diagram shows how these network statements are used and the type of allow rules that would be required.<br /> <br /> In a future release of the Linux kernel these controls will be removed and replaced by the SECMARK services, with the Reference Policy also being updated.<br /> <br /> == SECMARK ==<br /> SECMARK makes use of the standard kernel NetFilter framework that underpins the GNU / Linux IP networking sub-system. NetFilter automatically inspects all incoming and outgoing packets and can place controls on interfaces, IP addresses (nodes) and ports, with the added advantage of connection tracking. 
SECMARK and CONNSECMARK are security extensions to Netfilter iptables that allow security contexts to be added to packets (SECMARK) or sessions (CONNSECMARK) such as those used by ftp (as some applications within a single session can use a number of different ports, some fixed and others dynamically allocated).<br /> <br /> The NetFilter framework is used to inspect and tag packets with labels as defined within the iptables and then use the security framework (e.g. SELinux) to enforce the policy rules. Therefore SECMARK services are not SELinux specific, as other security modules that use the LSM infrastructure could also implement the same services (e.g. SMACK).<br /> <br /> While the implementation of iptables / NetFilter is beyond the scope of this Notebook, there are tutorials available&lt;ref name=&quot;ftn19&quot;&gt;There is a very good tutorial at [http://iptables-tutorial.frozentux.net/iptables-tutorial.html http://iptables-tutorial.frozentux.net/iptables-tutorial.html].&lt;/ref&gt;. The [http://taiga.selinuxproject.org/~rhaines/diagrams/15-secmark.png SECMARK Processing] diagram shows the basic structure, and the process works as follows:<br /> <br /> * A table called the &quot;mangle table&quot; is used to define the parameters that identify and &quot;mark&quot; packets that can then be tracked as the packet travels through the networking sub-system. These &quot;marks&quot; are called SECMARK and CONNSECMARK.<br /> * A SECMARK is placed against a packet if it matches an entry in the mangle table. This marker is used to apply a security context (a label) that can then be used to enforce policy on the packet.<br /> * The CONNSECMARK &quot;marks&quot; all packets within a session&lt;ref name=&quot;ftn20&quot;&gt;For example, an ftp session where the server is listening on a specific port (the destination port) but the client will be assigned a random source port. 
The CONNSECMARK will ensure that all packets for the ftp session are marked with the same label.&lt;/ref&gt; with the appropriate label that can then be used to enforce policy.<br /> <br /> An example iptables&lt;ref name=&quot;ftn21&quot;&gt;Note that the iptables will not load correctly if the policy does not allow the iptables domain to relabel the SECMARK labels (unless permissive mode is enabled).&lt;/ref&gt; entry is as follows:<br /> &lt;pre&gt;<br /> # Flush the mangle table first:<br /> iptables -t mangle -F<br /> <br /> #----------------------------------- INPUT IP Stream ---------------------------------------------#<br /> # This INPUT rule sets all packets to default_secmark_packet_t<br /> iptables -t mangle -A INPUT -i lo -p tcp -d 127.0.0.0/8 -j SECMARK --selctx system_u:object_r:default_secmark_packet_t<br /> <br /> #------------------------------------ OUTPUT IP Stream -------------------------------------------#<br /> # This OUTPUT rule sets all packets to default_secmark_packet_t<br /> iptables -t mangle -A OUTPUT -o lo -p tcp -d 127.0.0.0/8 -j SECMARK --selctx system_u:object_r:default_secmark_packet_t<br /> &lt;/pre&gt;<br /> <br /> An example loadable module that makes use of SECMARK services is described in the Building the SECMARK Test Loadable Module section of volume 2; there is also an article &quot;[http://james-morris.livejournal.com/11010.html New secmark-based network controls for SELinux]&quot; that explains the services.<br /> <br /> As stated in the compat_net Controls section above, SECMARK will be replacing those controls, and there is an article &quot;[http://paulmoore.livejournal.com/4281.html Transitioning to Secmark]&quot; that explains the transition.<br /> <br /> == NetLabel - Fallback Peer Labeling ==<br /> Fallback labeling can optionally be implemented on a system if neither Labeled IPSec nor CIPSO is being used (hence &quot;fallback labeling&quot;). If either Labeled IPSec or CIPSO is being used, then it takes priority. 
There is an article &quot;[http://paulmoore.livejournal.com/1758.html Fallback Label Configuration Example]&quot; that explains the usage.<br /> <br /> The example message filter has an optional module that makes use of fallback labels, as explained in the Overview of modules section of volume 2.<br /> <br /> The network peer controls have been extended to support an additional object class of &quot;peer&quot;, although by default this is not enabled in F-12. To enable this functionality the policy capability needs to be set, as explained in the NetLabel Module Support for network_peer_controls section of the Sample Policy Source volume 2, where an example loadable module is given. The [http://taiga.selinuxproject.org/~rhaines/diagrams/16-fallback.png Fallback Labeling] diagram shows the differences between the policy capability &lt;tt&gt;network_peer_controls&lt;/tt&gt; set to 0 and 1.<br /> <br /> <br /> == Labeled IPSec ==<br /> Labeled IPSec has been built into the standard GNU / Linux IPSec services as described in the &quot;[http://nsrc.cse.psu.edu/tech_report/NAS-TR-0037-2006.pdf Leveraging IPSec for Distributed Authorization]&quot; document. The [http://taiga.selinuxproject.org/~rhaines/diagrams/17-ipsec.png IPSec communications] diagram shows the basic components that form the IPSec service, where it is generally used to set up either an encrypted tunnel between two machines&lt;ref name=&quot;ftn22&quot;&gt;Also known as a virtual private network (VPN).&lt;/ref&gt; or an encrypted transport session. 
The extensions defined in the &quot;[http://nsrc.cse.psu.edu/tech_report/NAS-TR-0037-2006.pdf Leveraging IPSec for Distributed Authorization]&quot; document describe how the security context is used and negotiated between the two systems (called security associations (SAs) in IPSec terminology).<br /> <br /> Basically, what happens is as follows&lt;ref name=&quot;ftn23&quot;&gt;There is an &quot;IPSec HOWTO&quot; at [http://www.ipsec-howto.org/ http://www.ipsec-howto.org] that gives the gory details; however, it does not cover Labeled IPSec.&lt;/ref&gt;:<br /> <br /> # The security policy database (SPD) defines the security communications characteristics to be used between the two systems. This is populated using the setkey(8) utility and an example is shown below.<br /> # The SAs' configuration parameters, such as the protocols used for securing packets, the encryption algorithms and how long the keys are valid, are held in the Security Association database (SAD). For Labeled IPSec the security context (or label) is also defined within the SAD. SAs can be negotiated between the two systems either using racoon(8)&lt;ref name=&quot;ftn24&quot;&gt;This is the Internet Key Exchange (IKE) daemon that exchanges encryption keys securely and also supports Labeled IPSec parameter exchanges.&lt;/ref&gt;, which will automatically populate the SAD, or manually with the setkey utility (see the example below).<br /> # Once the SAs have been negotiated and agreed, the link should be active.<br /> <br /> A point to note is that SAs are one way only; therefore if two systems are communicating (using the above example), one system will have an SA, SAout, for processing outbound packets and another SA, SAin, for processing the inbound packets. The other system will also create two SAs for processing its packets. 
<br /> <br /> Each SA will share the same cryptographic parameters, such as keys and the protocol&lt;ref name=&quot;ftn25&quot;&gt;The GNU / Linux version supports a number of secure protocols, see the setkey man page for details.&lt;/ref&gt; used, such as AH (authentication header) or ESP (encapsulating security payload).<br /> <br /> The object class used for an SA is &lt;tt&gt;association&lt;/tt&gt; and the permissions available are as follows:<br /> <br /> {| border=&quot;1&quot;<br /> | &lt;tt&gt;polmatch&lt;/tt&gt;<br /> | Match the SPD context (-ctx) entry to an SELinux domain (that is contained in the SAD -ctx entry)<br /> <br /> |-<br /> | &lt;tt&gt;recvfrom&lt;/tt&gt;<br /> | Receive from an IPSec association.<br /> <br /> |-<br /> | &lt;tt&gt;sendto&lt;/tt&gt;<br /> | Send to an IPSec association.<br /> <br /> |-<br /> | &lt;tt&gt;setcontext&lt;/tt&gt;<br /> | Set the context of an IPSec association on creation (e.g. when running setkey the process will require this permission to set the context in the SAD and SPD; racoon will also need this permission to build the SAD).<br /> <br /> |}<br /> <br /> <br /> A worked example of a Labeled IPSec session showing the manual and racoon&lt;ref name=&quot;ftn26&quot;&gt;&lt;sup&gt;Unfortunately racoon core dumps using the example base module described in volume 2 but does work using the standard Red Hat targeted policy.&lt;/sup&gt;&lt;/ref&gt; methods of configuring the SAD is described in the Labeled IPSec Module Example section of the Sample Policy Source volume.<br /> <br /> There is a further example in the &quot;[http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ Secure Networking with SELinux]&quot; article.<br /> &lt;pre&gt;<br /> # setkey -f configuration file entries<br /> #<br /> # Flush the SAD and SPD<br /> flush;<br /> spdflush;<br /> <br /> # Security Association Database entries. 
<br /> # 1) There would be another SAD entry on the other system (the client), where the IP addresses would be reversed.<br /> # 2) The security context must be that of the running application.<br /> <br /> add 172.16.96.30 172.16.96.31 esp 0x201<br /> -ctx 1 1 &quot;user_u:message_filter_r:ext_gateway_t&quot; <br /> -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;<br /> <br /> # Security Policy Database entries. <br /> # 1) There would be another SPD entry on the other system (the client), where the IP addresses would be reversed.<br /> # 2) The security context must be valid (i.e. defined in the active policy) as it will be used by the polmatch permission<br /> # process to find a matching domain (note only the &quot;type&quot; field is used, unlike the SAD, where the context is that of the active process).<br /> <br /> # SAin<br /> spdadd 172.16.96.30 172.16.96.31 any<br /> -ctx 1 1 &quot;system_u:object_r:ext_gateway_t&quot;<br /> -P in ipsec esp/transport//require;<br /> # SAout<br /> spdadd 172.16.96.31 172.16.96.30 any<br /> -ctx 1 1 &quot;system_u:object_r:ext_gateway_t&quot;<br /> -P out ipsec esp/transport//require;<br /> &lt;/pre&gt;<br /> <br /> To manually load the above configuration file to populate the SPD and SAD&lt;ref name=&quot;ftn27&quot;&gt;&lt;sup&gt;If using racoon, the SAs would be negotiated using information from the SPD on each machine, with the SAD then being populated by racoon calling the setkey services.&lt;/sup&gt;&lt;/ref&gt; the following command would be used:<br /> &lt;pre&gt;<br /> setkey -f &lt;SPD_configuration_file&gt;<br /> &lt;/pre&gt;<br /> <br /> == NetLabel - CIPSO ==<br /> To allow security levels to be passed over a network between MLS systems&lt;ref name=&quot;ftn28&quot;&gt;Note only the security levels are passed over, as the SELinux security context is not part of a standard MLS system (SELinux supports two MAC services: Type Enforcement and MLS).&lt;/ref&gt;, the CIPSO protocol is used, as defined in the [http://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01 CIPSO Internet Draft] document (this is an obsolete document; however, the protocol is still in use). The protocol defines how security levels are encoded in the IP packet header.<br /> <br /> The protocol is implemented by the NetLabel service and can be used by other security modules that use the LSM infrastructure. The NetLabel implementation supports:<br /> <br /> # The Tag Type 1 bit-mapped format, which allows a maximum of 256 sensitivity levels and 240 categories to be mapped.<br /> # A non-translation option where labels are passed to / from systems unchanged (for host to host communications, as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/18-mls1.png MLS Systems on the same network] diagram).<br /> # A translation option where both the sensitivity and category components can be mapped, for systems that have different definitions for labels or where information is exchanged over different networks (for example using an SELinux enabled gateway as a guard, as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/19-mls2.png MLS Systems on different networks communicating via a gateway] diagram).<br /> <br /> <br /> <br /> ----<br /> &lt;references/&gt;</div> RichardHaines
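To make the Tag Type 1 format and the translation option above concrete, here is an added Python example that is not part of the Notebook or of the NetLabel tools: it encodes and decodes the CIPSO IP option (option number 134, one DOI, one Tag Type 1 tag) following the Internet Draft's layout, and applies the kind of level/category mapping a translating gateway would. The mapping tables, the DOI and the sample label values are constructed for illustration.

```python
"""Encode and decode the CIPSO IP option with a Tag Type 1 (bit-mapped)
sensitivity label, as laid out in the CIPSO Internet Draft, plus the
level/category mapping a translating gateway applies.
Added example: not code from the Notebook or from netlabel_tools."""
import struct

CIPSO_OPT_TYPE = 0x86   # IP option number 134 (CIPSO)
TAG_TYPE_BITMAP = 1     # Tag Type 1: bit-mapped categories
MAX_LEVEL = 255         # the sensitivity level is one octet
MAX_CATEGORY = 239      # the bit map is at most 30 octets -> categories 0..239


def encode_cipso(doi, level, categories):
    """Return the option bytes: type, length, 32-bit DOI, one Tag Type 1 tag.
    Category n is bit n of the map, counted from the most significant bit
    of the first octet (the ordering the draft and Linux NetLabel use)."""
    if not 0 <= level <= MAX_LEVEL:
        raise ValueError("sensitivity level out of range")
    if any(c < 0 or c > MAX_CATEGORY for c in categories):
        raise ValueError("Tag Type 1 carries at most 240 categories (0-239)")
    bitmap = bytearray(max(categories) // 8 + 1 if categories else 0)
    for cat in categories:
        bitmap[cat // 8] |= 0x80 >> (cat % 8)
    # tag = tag type, tag length (4 + map), alignment octet, level, bit map
    tag = bytes([TAG_TYPE_BITMAP, 4 + len(bitmap), 0x00, level]) + bytes(bitmap)
    return bytes([CIPSO_OPT_TYPE, 6 + len(tag)]) + struct.pack("!I", doi) + tag


def decode_cipso(option):
    """Parse an option produced by encode_cipso into (doi, level, categories).
    Malformed options are rejected, as a receiving host must do."""
    if len(option) < 10 or option[0] != CIPSO_OPT_TYPE or option[1] != len(option):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", option[2:6])[0]
    tag_type, tag_len = option[6], option[7]
    if tag_type != TAG_TYPE_BITMAP or not 4 <= tag_len <= 34 or 6 + tag_len != len(option):
        raise ValueError("unsupported or malformed tag")
    level = option[9]                      # option[8] is the alignment octet
    categories = []
    for i, octet in enumerate(option[10:6 + tag_len]):
        for bit in range(8):
            if octet & (0x80 >> bit):
                categories.append(i * 8 + bit)
    return doi, level, categories


def translate_label(level, categories, level_map, category_map):
    """Map a label into another DOI's numbering, as the NetLabel translation
    option does on a gateway; a value with no mapping is rejected rather
    than passed through unchanged (constructed mapping tables are passed in)."""
    try:
        return level_map[level], sorted(category_map[c] for c in categories)
    except KeyError as err:
        raise ValueError(f"no translation for {err.args[0]}") from None
```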