NetLabel Address Selectors

One of the biggest differences between NetLabel and the labeled networking mechanisms of existing Trusted OSs is how outbound traffic is selected for labeling. Ever since NetLabel was first introduced in kernel 2.6.19 the on-the-wire outbound labeling protocol was determined by the label of the sending application's socket. Despite the departure from legacy approaches, this was a concious choice designed to make the implementation smaller and less invasive in an attempt to gain acceptance into the mainstream Linux Kernel. While ultimately this approach proved to be successful, NetLabel was accepted, it did have its drawbacks. The most significant was that all traffic from a single socket, or application if it was not label aware, was limited to the same on-the-wire label; if you think about this for a minute you quickly realize how limiting this could become. Thankfully with kernel 2.6.28 this is no longer the case.

In kernel 2.6.28 we introduced the concept of address selectors to NetLabel. NetLabel address selectors allow administrators to specify the on-the-wire label format based on both the sending application and the destination address. This is a huge usability boost as administrators are no longer forced to use the same on-the-wire label format for a single application, making deployment much easier. To help make things a bit more concrete, let's examine the following configuration:

# netlabelctl cipsov4 add pass doi:16 tags:1
# netlabelctl map add domain:apache_t protocol:cipsov4,16
# netlabelctl -p map list
Configured NetLabel domain mappings (2)
 domain: "apache_t"
   protocol: CIPSOv4, DOI = 16
 domain: DEFAULT
   protocol: UNLABELED

Before kernel 2.6.28 this is how you used to enabled NetLabel based labeling for an application. In this particular example we are configuring Apache (apache_t) to label outbound traffic with a CIPSO label using CIPSO DOI 16. This configuration would apply CIPSO labeling to all traffic regardless of destination; DNS queries, Windows clients, other Linux hosts, everything would receive CIPSO labeled traffic. However, starting with Linux Kernel 2.6.28 and NetLabel Tools 0.19 there are some new parameters to the netlabelctl map command:

# netlabelctl cipsov4 add pass doi:17 tags:5
# netlabelctl map add domain:firefox_t address:0.0.0.0/0 protocol:unlbl
# netlabelctl map add domain:firefox_t address:10.0.0.0/8 protocol:cipsov4,17
# netlabelctl map add domain:firefox_t address:192.168.4.5 protocol:cipsov4,16
# netlabelctl -p map list
Configured NetLabel domain mappings (3)
 domain: "apache_t"
   protocol: CIPSOv4, DOI = 16
 domain: "firefox_t"
   address: 192.168.4.5/32
    protocol: CIPSOv4, DOI = 16
   address: 10.0.0.0/8
    protocol: CIPSOv4, DOI = 17
   address: 0.0.0.0/0
    protocol: UNLABELED
 domain: DEFAULT
   protocol: UNLABELED

Using the new address option to the netlabelctl map command allows us to add a destination address selector to the NetLabel LSM domain mapping configuration. In this particular example we've configured Firefox (firefox_t) to send CIPSO DOI 16 labeled packets to host 192.168.4.5 and CIPSO DOI 17 labeled packets to the entire 10.0.0.0/8 network while everyone else, specified by 0.0.0.0/0, is sent unlabeled packets. You will also notice that the new address selectors can coexist with the existing configuration, e.g. our Apache configuration is untouched, but you can only add address selectors to domains which make use of address selectors, e.g. you can't add address selectors to the above Apache configuration. If you want to add address selectors to an existing domain configuration you first need to delete it and recreate it using address selectors as show below:

# netlabelctl map add domain:apache_t address:192.168.3.5 protocol:unlbl
netlabelctl: error, invalid argument or parameter
# netlabelctl map del domain:apache_t
# netlabelctl map add domain:apache_t address:0.0.0.0/0 protocol:cipsov4,16
# netlabelctl map add domain:apache_t address:192.168.3.5 protocol:unlbl
# netlabelctl -p map list
Configured NetLabel domain mappings (3)
 domain: "apache_t"
   address: 192.168.3.5/32
    protocol: UNLABELED
   address: 0.0.0.0/0
    protocol: CIPSOv4, DOI = 16
 domain: "firefox_t"
   address: 192.168.4.5/32
    protocol: CIPSOv4, DOI = 16
   address: 10.0.0.0/8
    protocol: CIPSOv4, DOI = 17
   address: 0.0.0.0/0
    protocol: UNLABELED
 domain: DEFAULT
   protocol: UNLABELED

That covers the new NetLabel address selectors in kernel 2.6.28, however there are a few things you should make note of before you start playing with this new feature. The most important is that the address selectors require NetLabel Tools version 0.19 or higher, information on where to get version 0.19 can be found here. The next thing to keep in mind is that when you are configuring NetLabel using address selectors you will almost always want to have a 0.0.0.0/0 address configured as a "catch all" address, otherwise you could run into problems if you try to send traffic to an address not explicitly configured. Other than that, have fun and let me know if you have any problems in the comments.