Re: SMACK netfilter smacklabel socket match

[Tilman Baumann]

Casey Schaufler wrote:
> > Casey Schaufler wrote:
> If you really want to be abusive you could replace the smack_access()
> function in security/smack/smack_access.c (of all places) with a no-op
> returning 0 in all cases.

I thought of that too. :)
But i would rather like to use the thing in it's intended function 
sometime in the future.

> > What I then to is write iptables OUTPUT chain matches which match for 
> > any of these labels and set some connection marks and firewall marks.
> > Which I then can use in routing rules to give different routing rules 
> > to specific processes. (Like all proxy traffic over a second DSL line)
> >
> > I know, it's totally crazy. But it seems to work. :)
> > I just hope the security part of this all will not break anything. But 
> > it does not look like it would right now.
>
> Smack will eventually bite you if you're not careful, but users of
> MAC systems wouldn't be surprised by that.
Speaking of the devil...
This is exactly what happened to me right now. I have problems with 
_some_ https connects. The problem lies somewhere in openssl.
I did not yet find any clue with strace.
Is there some straight forward way to audit/debug LSM interventions?

I have probably missed something that a labeled process could not do as 
a '_' process could. Have no idea right now, but it is probably 
something stupidly simple.

> I don't think it's crazy,
> I think it's a matter of using what's available in novel ways.
I like that attitude. :)

--
Tilman Baumann
Software Developer
Collax GmbH . Boetzinger Strasse 60 . 79111 Freiburg . Germany

p: +49 (0) 89-990157-0
f: +49 (0) 89-990157-11

Geschaeftsfuehrer: William K. Hite / Boris Nalbach
AG Muenchen HRB 158898, Ust.-IdNr: DE 814464942
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/