[rsbac] MAC labels
Amon Ott
ao at rsbac.org
Mon Nov 16 08:51:07 CET 2009
On Sunday 15 November 2009 wrote ali valizadeh:
> I am trying to transfer MAC labels over the network using IP packets. For
> this reason, I want to read the labels in kernel level. Would anyone help
> me to do that?
RSBAC labels network items per connection end point. Each socket has a local
and a remote end point, so labels are used for both ends independently.
The current scheme looks up the default level of the remote end of the
connection through template settings, based on protocol, address etc. This
scheme could still be used as fallback, if no label has been received from
remote.
Explicitly set labels for one endpoint override the template values. This can
be a problem with UDP, where the remote address and port can change with
every packet. The current MAC implementation explicitly sets values for
local endpoints, but relies on templates for remote.
If you have the "struct socket *", labels are easy to read (look into
rsbac/adf/mac/mac_main.c for examples). However, using sockets for
identification means that you have to transfer the labels on transport level
(OSI 4, TCP, UDP etc.), not on packet level (OSI 3, IP) like other systems
do.
For labels on TCP connections, using transport level has the advantage that
both partners can even negotiate a common level for the connection at
handshake time. Any solution for RSBAC should take this into account.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
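The per-endpoint scheme described in the reply, as an added illustration that is not RSBAC code: a small user-space C model in which each socket carries a local and a remote end point, an explicitly set label overrides the level looked up through a template table keyed by protocol, address prefix and port, a change of the UDP peer discards the explicit remote label so the template fallback applies again, and two TCP partners pick a common level from their offered ranges at handshake time. The template entries, the struct and function names, and the rule of taking the highest level both ranges contain are assumptions made for the example only.

```c
/* Hypothetical model of per-end-point MAC labels with template fallback.
 * Added example, not RSBAC code; all names and template entries are made up. */
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define LEVEL_UNCLASSIFIED 0

/* One connection end point: address/port plus an optional explicit label. */
struct endpoint {
    uint32_t addr;      /* IPv4 address, host byte order */
    uint16_t port;
    int level;          /* valid only when level_set != 0 */
    int level_set;      /* 1 if a label was set explicitly for this end point */
};

/* A socket has two independently labelled end points. */
struct sock_model {
    int proto;
    struct endpoint local;
    struct endpoint remote;
};

/* A template assigns a default level by protocol, address prefix and port.
 * proto == 0 or port == 0 matches any value. */
struct mac_template {
    int proto;
    uint32_t net;
    uint32_t mask;
    uint16_t port;
    int level;
};

#define IP4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed template table (assumption for the example): first match wins. */
static const struct mac_template templates[] = {
    { PROTO_TCP, IP4(10, 1, 0, 0),  0xffff0000u, 22, 3 }, /* ssh into 10.1/16 */
    { 0,         IP4(10, 0, 0, 0),  0xff000000u, 0,  2 }, /* rest of 10/8 */
    { 0,         IP4(127, 0, 0, 0), 0xff000000u, 0,  0 }, /* loopback */
};

/* Template fallback: default level for an end point that carries no label. */
int template_level(int proto, uint32_t addr, uint16_t port)
{
    size_t i;
    for (i = 0; i < sizeof templates / sizeof templates[0]; i++) {
        const struct mac_template *t = &templates[i];
        if (t->proto && t->proto != proto) continue;
        if ((addr & t->mask) != (t->net & t->mask)) continue;
        if (t->port && t->port != port) continue;
        return t->level;
    }
    return LEVEL_UNCLASSIFIED; /* no template matched */
}

/* An explicit label for the end point overrides the template default. */
int endpoint_level(const struct sock_model *s, const struct endpoint *ep)
{
    if (ep->level_set)
        return ep->level;
    return template_level(s->proto, ep->addr, ep->port);
}

/* Set an explicit label, e.g. after a label was received from the peer. */
void endpoint_set_level(struct endpoint *ep, int level)
{
    ep->level = level;
    ep->level_set = 1;
}

/* UDP caveat: the remote end point may change with every packet. A label set
 * for the previous peer must not carry over to the new one, so the explicit
 * label is dropped and template lookup applies again. */
void udp_update_remote(struct sock_model *s, uint32_t addr, uint16_t port)
{
    if (s->remote.addr != addr || s->remote.port != port) {
        s->remote.addr = addr;
        s->remote.port = port;
        s->remote.level_set = 0;
    }
}

/* Handshake-time negotiation for TCP: each side offers the range of levels it
 * may use; pick the highest level both ranges contain (a design choice made
 * here). Returns -1 if the ranges do not overlap, which should abort the
 * connection rather than fall back to a guessed level. */
int negotiate_level(int lo_min, int lo_max, int re_min, int re_max)
{
    int low = lo_min > re_min ? lo_min : re_min;
    int high = lo_max < re_max ? lo_max : re_max;
    return low <= high ? high : -1;
}

int main(void)
{
    struct sock_model s = { PROTO_UDP, { IP4(127, 0, 0, 1), 5000, 0, 0 },
                            { IP4(10, 1, 2, 3), 22, 0, 0 } };
    printf("remote default level: %d\n", endpoint_level(&s, &s.remote));
    endpoint_set_level(&s.remote, 4);
    udp_update_remote(&s, IP4(10, 9, 9, 9), 53);
    printf("after peer change: %d\n", endpoint_level(&s, &s.remote));
    printf("negotiated TCP level: %d\n", negotiate_level(1, 3, 2, 5));
    return 0;
}
```

The model keeps the label on the socket's end points rather than on individual packets, which is exactly why a real implementation built on it has to carry labels at the transport layer: only there does a stable end point identity exist for TCP, and for UDP the explicit remote label is only trustworthy for as long as the peer stays the same.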