20. Network Packet Labeling

SELinux can optionally be built with support for labeled networking via CIPSO/FIPS-188 IP Options. The Network SID (NSID) API provides a general framework for labeled networking for SELinux. Selopt is a particular implementation of this API that provides labeled networking for SELinux using CIPSO/FIPS-188 IP Options. The NSID and Selopt components were contributed to SELinux by James Morris. This section provides a brief discussion of the NSID API and Selopt, drawing from the existing documentation in [MorrisSeloptOverview2002].

20.1. NSID API

The Network SID (NSID) API provides a general framework for labeled networking that is intended to be independent of the underlying mechanism. The NSID interfaces called by SELinux are:

The NSID component implements dummy operations for each of the NSID functions that provide the default implementations until a particular NSID implementation is registered via nsid_register_ops. The Selopt component registers its own operations during initialization, replacing these dummy operations.

20.2. Selopt

Selopt implements the NSID API using CIPSO/FIPS-188 IP options as the underlying mechanism for passing SIDs across the network. Selopt provides mechanisms for:

Selopt adds the concept of a security perimeter to SELinux. A security perimeter is a group of trusted peers that have equivalent security policies. Security policies are equivalent if the security attribute spaces are identical and have the same meanings on each system. Hosts can be added to or removed from the perimeter at any time by using the pt utility. Outgoing packets to a host within the perimeter will be labeled. Incoming packets from a host within the perimeter must be labeled or they will be dropped. Labeled packets from hosts outside of the perimeter will be dropped.

Since Selopt labels outgoing packets with local SIDs in the IP option and SIDs have only local meaning, a mapping mechanism is required to translate remote SIDs to local SIDs for incoming packets. To support such translation, a Security Context Mapping Protocol (SCMP) was defined that allows a peer to request a security context for a given SID. This protocol is described in [MorrisSCMP2001]. The security context can then be translated to a local SID by the local security server and stored in a network SID mapping cache. A daemon called scmpd implements the SCMP protocol.

Selopt defines up to three SIDs that can be included in the IP option. These SIDs are copied from the network buffer security structure for outgoing packets, and copied into the network buffer security structure for incoming packets. The complete list of Selopt security parameters is:

20.2.1. selopt_ip_label_output

This function adds security labels to the IP packet by copying the SIDs from the network buffer security structure into the IP packet's options. However, if the packet destination is not in the perimeter, or is local, the packet is not labeled. The SSID is always set in the IP option. The MSID is only set if it differs from the SSID. The DSID is only set if it was specified.

20.2.2. selopt_ip_map_input

This function will return NF_DROP for any packet from outside the perimeter that is labeled, and for any unlabeled packet from within the perimeter. Otherwise, mapping of the packet SIDs is attempted.

Any packet that has the Bypass flag set in the options is accepted without mapping. Packets that have a local source address are also accepted without mapping. The packet SIDs are mapped by first checking the peer cache for a previous mapping (the "fast" path). If the cache lookup succeeds, then the packet is accepted. Otherwise, a map request is sent to the cache manager (the "slow" path), and NF_QUEUE is returned. In this case, the Netfilter logic will call the selopt_queue_handler function to queue the network buffer. When the reply message is received for the map request, Selopt will reinject the network buffer by calling the Netfilter function nf_reinject. Processing of the SKB will then continue on to the next Netfilter hook.
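The perimeter rules of section 20.2 and the verdict sequence of selopt_ip_map_input, modelled as an added user-space C example. This is not Selopt's kernel code: the struct pkt, pt_add, scmp_reply and peer-cache names are constructed for illustration, and only the NF_DROP/NF_ACCEPT/NF_QUEUE values are taken from Netfilter. The slow path is modelled by counting map requests and returning NF_QUEUE; the reply from scmpd is simulated by scmp_reply, after which re-running the verdict (the reinjected packet) takes the fast path.

```c
/* Added example: model of Selopt's input decision (perimeter + map_input).
 * Not SELinux/Selopt code; names and structures below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Netfilter verdicts, values as in <linux/netfilter.h>. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_QUEUE  3

typedef uint32_t security_id_t;     /* a SID has only local meaning */
#define SECSID_NULL 0u              /* constructed "no SID" value */

/* Constructed view of a received packet as the input hook sees it. */
struct pkt {
    uint32_t      saddr;        /* IPv4 source, host byte order */
    bool          labeled;      /* Selopt option present in the header */
    bool          bypass;       /* Bypass flag set in the option */
    security_id_t remote_ssid;  /* SSID carried in the option (remote meaning) */
};

/* Security perimeter, as maintained by the pt utility (constructed model). */
#define MAX_PEERS 8
static uint32_t perimeter[MAX_PEERS];
static int nperimeter;

/* Addresses of local interfaces (constructed: 127.0.0.1, 192.168.0.1). */
static const uint32_t local_addrs[] = { 0x7f000001u, 0xc0a80001u };

bool pt_add(uint32_t addr)
{
    if (nperimeter == MAX_PEERS) return false;
    perimeter[nperimeter++] = addr;
    return true;
}

static bool in_perimeter(uint32_t addr)
{
    for (int i = 0; i < nperimeter; i++)
        if (perimeter[i] == addr) return true;
    return false;
}

static bool is_local(uint32_t addr)
{
    for (size_t i = 0; i < sizeof local_addrs / sizeof local_addrs[0]; i++)
        if (local_addrs[i] == addr) return true;
    return false;
}

/* Peer cache: (peer, remote SID) -> local SID, filled from SCMP replies. */
struct map_entry { uint32_t peer; security_id_t remote, local; bool valid; };
#define CACHE_SIZE 16
static struct map_entry peer_cache[CACHE_SIZE];
static int map_requests_sent;   /* slow-path requests handed to the cache manager */

static bool cache_lookup(uint32_t peer, security_id_t remote, security_id_t *local)
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (peer_cache[i].valid && peer_cache[i].peer == peer &&
            peer_cache[i].remote == remote) {
            *local = peer_cache[i].local;
            return true;
        }
    return false;
}

/* Simulated scmpd reply: the context was translated to a local SID. */
bool scmp_reply(uint32_t peer, security_id_t remote, security_id_t local)
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (!peer_cache[i].valid) {
            peer_cache[i] = (struct map_entry){ peer, remote, local, true };
            return true;
        }
    return false;
}

/* Verdict logic in the order the text describes it. */
int selopt_input_verdict(const struct pkt *p, security_id_t *local_ssid)
{
    bool peer = in_perimeter(p->saddr);
    *local_ssid = SECSID_NULL;
    if (p->labeled && !peer)  return NF_DROP;    /* labeled, from outside perimeter */
    if (!p->labeled && peer)  return NF_DROP;    /* unlabeled, from inside perimeter */
    if (!p->labeled)          return NF_ACCEPT;  /* unlabeled traffic from outside */
    if (p->bypass)            return NF_ACCEPT;  /* Bypass flag: accepted unmapped */
    if (is_local(p->saddr)) {                    /* our own SID space: no mapping */
        *local_ssid = p->remote_ssid;
        return NF_ACCEPT;
    }
    if (cache_lookup(p->saddr, p->remote_ssid, local_ssid))
        return NF_ACCEPT;                        /* fast path */
    map_requests_sent++;                         /* slow path: ask the cache manager */
    return NF_QUEUE;                             /* SKB queued until the reply arrives */
}

int map_requests_pending(void) { return map_requests_sent; }

int main(void)
{
    security_id_t sid;
    struct pkt p = { 0xc0a80002u, true, false, 42 };  /* labeled, from 192.168.0.2 */
    pt_add(0xc0a80002u);
    printf("first pass: verdict %d\n", selopt_input_verdict(&p, &sid));   /* 3 = NF_QUEUE */
    scmp_reply(0xc0a80002u, 42, 7);
    printf("reinject:   verdict %d, local SID %u\n", selopt_input_verdict(&p, &sid), sid);
    return 0;
}
```

Note the two drop rules are evaluated before anything else, so a labeled packet from outside the perimeter never reaches the Bypass or cache checks; the Bypass flag only relaxes mapping for peers already inside the perimeter.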

20.2.3. selopt_ip_decode_options

This function will decode the security labels from the options field of the IP packet header. For packets that are not being delivered to the local host, this function returns without decoding the options. Otherwise, the Selopt policy serial number, source SID, message SID, and destination SID are copied from the packet options field into the SKB security structure.

20.2.4. selopt_ip_defragment

This function is used to verify security labels across IP fragments. At this time, labeled fragments are not supported, so this function prints a warning message to the system log and returns success.

20.2.5. selopt_sock_sendmsg

Before an IP packet with options can be sent out, the maximum segment size (MSS) must be adjusted. This function is called by the selinux_socket_sendmsg hook function to adjust the size of the MSS to account for the presence of Selopt security labels in the IP options field.
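The SSID/MSID/DSID rules of selopt_ip_label_output (20.2.1), the corresponding decode in selopt_ip_decode_options (20.2.3), and the MSS adjustment of selopt_sock_sendmsg (20.2.5), shown together as one added C example. This is not Selopt's code: the option layout used here (type, length, flag byte, policy serial, then SSID with optional MSID and DSID) is constructed to illustrate those rules and is not the CIPSO/FIPS-188 encoding Selopt actually puts on the wire; OPT_TYPE_EXAMPLE is a placeholder option type, and struct skb_sec is a constructed stand-in for the SKB security structure.

```c
/* Added example: label output / option decode / MSS adjustment model.
 * Not Selopt code; the option layout below is constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t security_id_t;
#define SECSID_NULL 0u              /* constructed "DSID not specified" value */

/* Constructed stand-in for the network buffer (SKB) security structure. */
struct skb_sec {
    uint32_t      serial;           /* Selopt policy serial number */
    security_id_t ssid, msid, dsid; /* source, message, destination SIDs */
};

/* Constructed layout: type(1) len(1) flags(1) serial(4) ssid(4) [msid(4)] [dsid(4)] */
#define OPT_TYPE_EXAMPLE 0x9e       /* placeholder, not the real CIPSO option type */
#define F_MSID   0x01               /* MSID field present (differs from SSID) */
#define F_DSID   0x02               /* DSID field present (was specified) */
#define OPT_FIXED 7                 /* type + len + flags + serial */
#define OPT_MAX   (OPT_FIXED + 3 * 4)

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Model of selopt_ip_label_output: returns option length, 0 if not labeled. */
size_t selopt_label_output(const struct skb_sec *s, bool dst_in_perimeter,
                           bool dst_local, uint8_t *opt, size_t cap)
{
    if (!dst_in_perimeter || dst_local || cap < OPT_MAX) return 0;
    uint8_t flags = 0;
    size_t n = OPT_FIXED;
    put32(opt + 3, s->serial);
    put32(opt + n, s->ssid); n += 4;                     /* SSID is always set */
    if (s->msid != s->ssid) {                            /* MSID only if it differs */
        flags |= F_MSID; put32(opt + n, s->msid); n += 4;
    }
    if (s->dsid != SECSID_NULL) {                        /* DSID only if specified */
        flags |= F_DSID; put32(opt + n, s->dsid); n += 4;
    }
    opt[0] = OPT_TYPE_EXAMPLE; opt[1] = (uint8_t)n; opt[2] = flags;
    return n;
}

/* Model of selopt_ip_decode_options: decode only for local delivery. */
bool selopt_decode_options(const uint8_t *opt, size_t len, bool local_delivery,
                           struct skb_sec *out)
{
    if (!local_delivery) return false;                   /* forwarded: leave options alone */
    if (len < OPT_FIXED + 4 || opt[0] != OPT_TYPE_EXAMPLE || opt[1] > len) return false;
    uint8_t flags = opt[2];
    size_t need = OPT_FIXED + 4 + ((flags & F_MSID) ? 4 : 0) + ((flags & F_DSID) ? 4 : 0);
    if (opt[1] != need) return false;                    /* length must match the flags */
    size_t n = OPT_FIXED;
    out->serial = get32(opt + 3);
    out->ssid = get32(opt + n); n += 4;
    if (flags & F_MSID) { out->msid = get32(opt + n); n += 4; }
    else                  out->msid = out->ssid;         /* absent MSID means MSID == SSID */
    out->dsid = (flags & F_DSID) ? get32(opt + n) : SECSID_NULL;
    return true;
}

/* Model of the selopt_sock_sendmsg adjustment: IP options are padded to
 * 32-bit words, so the padded option length comes out of the MSS. */
uint16_t selopt_adjust_mss(uint16_t mss, size_t optlen)
{
    size_t padded = (optlen + 3) & ~(size_t)3;
    return padded >= mss ? 0 : (uint16_t)(mss - padded);
}

int main(void)
{
    uint8_t opt[OPT_MAX];
    struct skb_sec s = { 5, 10, 11, 12 }, d;             /* constructed SIDs */
    size_t n = selopt_label_output(&s, true, false, opt, sizeof opt);
    printf("option length %zu, flags 0x%02x, mss 1460 -> %u\n",
           n, opt[2], selopt_adjust_mss(1460, n));
    if (selopt_decode_options(opt, n, true, &d))
        printf("decoded ssid=%u msid=%u dsid=%u serial=%u\n", d.ssid, d.msid, d.dsid, d.serial);
    return 0;
}
```

The decoder rejects an option whose declared length disagrees with its flag byte, which is the check a receiver needs so that a truncated or tampered option cannot make it read a SID from bytes that belong to the payload.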