SELinux peer context on sockets (netlabel ?)

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

HubertQC
OpenVpn Newbie
Posts: 1
Joined: Thu Dec 09, 2021 2:38 pm


Post by HubertQC » Thu Dec 09, 2021 2:52 pm

Hello,

I don't know if it is possible, but it would be super cool if the SELinux contexts could be shipped along the OpenVPN connection just like IPsec does.

When a packet is transmitted by a process over a network socket established on top of an IPsec connection, the SELinux context of the sender is shipped by IPsec to the receiver and on that receiver the socket gets its SELinux peer context set to this value, provided the SELinux context parts eventually exist on the receiver.

When such SELinux peer labelling at the source cannot be done, either because the source/connection cannot be trusted that much or because the source/transport does not support SELinux contexts or network labels, you can always fall back to using static network peer labelling, but your options are limited. I mean you cannot tell the difference between the network peers connecting to your DB/LDAP/whatever; all that you know is that they show up with an IP and whichever sort of credentials... you cannot trust that they are running in a secured SELinux domain and that they haven't gone rogue...
