[rsbac] MAC labels (Amon Ott)

ali valizadeh valizadeh82 at yahoo.com
Tue Nov 17 05:43:54 CET 2009


Thanks for the post. It's very useful.
But I want to transfer files and I want to have MLS (Multi Level Security) over the network. So, when a file with a "Secret" label is sent from one end to another, I want to receive that file with the "Secret" label at the other end point of the network. Does RSBAC have a solution for packet labeling?


----------------------------------------------------------------------

Message: 1
Date: Sun, 15 Nov 2009 11:38:20 -0800 (PST)
From: ali valizadeh <valizadeh82 at yahoo.com>
Subject: [rsbac] MAC labels
To: rsbac at rsbac.org
Message-ID: <972116.42645.qm at web52404.mail.re2.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

Hi,

I am trying to transfer MAC labels over the network using IP packets. For this reason, I want to read the labels at kernel level. Would anyone help me to do that?

Regards,
Ali 



------------------------------

Message: 2
Date: Mon, 16 Nov 2009 08:51:07 +0100
From: Amon Ott <ao at rsbac.org>
Subject: Re: [rsbac] MAC labels
To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
Message-ID: <200911160851.07510.ao at rsbac.org>
Content-Type: text/plain;  charset="iso-8859-1"

On Sunday 15 November 2009 wrote ali valizadeh:
> I am trying to transfer MAC labels over the network using IP packets. For
> this reason, I want to read the labels at kernel level. Would anyone help
> me to do that?

RSBAC labels network items per connection end point. Each socket has a local 
and a remote end point, so labels are used for both ends independently.

The current scheme looks up the default level of the remote end of the 
connection through template settings, based on protocol, address etc. This 
scheme could still be used as fallback, if no label has been received from 
remote.
Explicitly set labels for one endpoint override the template values. This can 
be a problem with UDP, where the remote address and port can change with 
every packet. The current MAC implementation explicitly sets values for 
local endpoints, but relies on templates for remote.

If you have the "struct socket *", labels are easy to read (look into 
rsbac/adf/mac/mac_main.c for examples). However, using sockets for 
identification means that you have to transfer the labels on transport level 
(OSI 4, TCP, UDP etc.), not on packet level (OSI 3, IP) like other systems 
do.

For labels on TCP connections, using transport level has the advantage that 
both partners can even negotiate a common level for the connection at 
handshake time. Any solution for RSBAC should take this into account.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
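The transport-level negotiation Amon suggests, modelled as an added example (this is not RSBAC code and not Amon's; the level names, the struct layouts, the 5-byte wire encoding and the constructed clearance ranges are assumptions made for illustration). Each end of a TCP connection carries a clearance range; the opening segment carries the initiator's range, the responder computes the highest label that lies in both ranges or refuses, and the initiator accepts the reply only after checking it against its own range, so neither side can talk the other into a label it is not cleared for:

```c
/* Added example, not RSBAC code: a model of the transport-level MLS label
 * negotiation Amon describes for a TCP handshake.  Level names, struct
 * layouts and the 5-byte wire format are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum mls_level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* A label is a sensitivity level plus a compartment (need-to-know) bitmask. */
struct mls_label { uint8_t level; uint32_t categories; };
/* Clearance range an endpoint may operate in: min <= label <= max. */
struct endpoint_range { struct mls_label min, max; };

/* a dominates b: level at least b's, categories a superset of b's. */
static bool mls_dominates(struct mls_label a, struct mls_label b)
{
    return a.level >= b.level && (b.categories & ~a.categories) == 0;
}
/* Lattice meet (greatest lower bound) and join (least upper bound). */
static struct mls_label mls_glb(struct mls_label a, struct mls_label b)
{
    struct mls_label r = { a.level < b.level ? a.level : b.level, a.categories & b.categories };
    return r;
}
static struct mls_label mls_lub(struct mls_label a, struct mls_label b)
{
    struct mls_label r = { a.level > b.level ? a.level : b.level, a.categories | b.categories };
    return r;
}
/* Both ends read and write a TCP stream at one label, so it must lie in both ranges.
 * The highest candidate is glb(max_a, max_b); one exists iff it dominates lub(min_a, min_b). */
static bool mls_negotiate(struct endpoint_range a, struct endpoint_range b, struct mls_label *out)
{
    struct mls_label hi = mls_glb(a.max, b.max), lo = mls_lub(a.min, b.min);
    if (!mls_dominates(hi, lo))
        return false;
    *out = hi;
    return true;
}

/* Assumed wire form of a label: 1 byte level, 4 bytes categories, big-endian. */
#define MLS_WIRE_LEN 5
static void mls_encode(struct mls_label l, uint8_t out[MLS_WIRE_LEN])
{
    out[0] = l.level;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(l.categories >> (24 - 8 * i));
}
/* False on a truncated buffer or an unknown level byte from the peer. */
static bool mls_decode(const uint8_t *buf, size_t len, struct mls_label *l)
{
    if (len < MLS_WIRE_LEN || buf[0] > TOP_SECRET)
        return false;
    l->level = buf[0];
    l->categories = 0;
    for (int i = 0; i < 4; i++)
        l->categories = (l->categories << 8) | buf[1 + i];
    return true;
}

/* Responder: the request carries the peer's (min, max); answer with the
 * negotiated label or refuse.  Peer values only ever narrow our own range. */
static bool handshake_respond(struct endpoint_range local, const uint8_t *req,
                              size_t req_len, uint8_t reply[MLS_WIRE_LEN])
{
    struct endpoint_range peer;
    struct mls_label agreed;
    if (req_len < 2 * MLS_WIRE_LEN ||
        !mls_decode(req, MLS_WIRE_LEN, &peer.min) ||
        !mls_decode(req + MLS_WIRE_LEN, MLS_WIRE_LEN, &peer.max) ||
        !mls_negotiate(local, peer, &agreed))
        return false;
    mls_encode(agreed, reply);
    return true;
}
/* Initiator: accept the reply only if it lies inside our own range, so a peer
 * cannot push the connection to a label this end is not cleared for. */
static bool handshake_confirm(struct endpoint_range local, const uint8_t *reply,
                              size_t len, struct mls_label *agreed)
{
    struct mls_label l;
    if (!mls_decode(reply, len, &l) || !mls_dominates(l, local.min) ||
        !mls_dominates(local.max, l))
        return false;
    *agreed = l;
    return true;
}

/* Constructed walk-through of both sides; returns the confirmed level or -1. */
static int run_handshake_demo(struct endpoint_range initiator, struct endpoint_range responder)
{
    uint8_t req[2 * MLS_WIRE_LEN], reply[MLS_WIRE_LEN];
    struct mls_label agreed;
    mls_encode(initiator.min, req);                /* opening segment carries our range */
    mls_encode(initiator.max, req + MLS_WIRE_LEN);
    if (!handshake_respond(responder, req, sizeof req, reply) ||
        !handshake_confirm(initiator, reply, sizeof reply, &agreed))
        return -1;
    return agreed.level;
}
```

With an initiator cleared for CONFIDENTIAL through TOP_SECRET (compartments 0x3) and a responder cleared for UNCLASSIFIED through SECRET (compartment 0x1), run_handshake_demo settles on SECRET with compartment 0x1; a SECRET-only end against an UNCLASSIFIED-to-CONFIDENTIAL end is refused, as is a pair whose level ranges overlap but whose compartments do not. The per-connection negotiation only fits a stream protocol; for UDP, where the remote endpoint can differ on every datagram, each datagram would have to carry its own label or fall back to the template lookup described in the message above.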


------------------------------

_______________________________________________
rsbac mailing list
rsbac at rsbac.org
https://www.rsbac.org/mailman/listinfo/rsbac

End of rsbac Digest, Vol 46, Issue 1
************************************
