LSM, SELinux, Netlabel, and CIPSO

If you are new to CIPSO and SELinux, their relationship is confusing, to say the least. I wanted to shed some light, for those just setting out on the topic, on how these four things work together.


Original paper describing LSM: Linux Security Module Framework.

Within the context of SELinux and Netlabel you may hear the terms LSM domain, LSM user, LSM xxxx. Early on in the development of Linux, users realized that discretionary access control (DAC) did not provide sufficient security for the system. While DAC is convenient and straightforward, it has simple problems. If a process running as root is compromised, essentially the entire system is compromised. Enter mandatory access control (MAC), implemented by LSM. I won't cover MAC here, but it provides a solution to the problems presented by DAC. Practitioners of Linux began building kernel modules to implement MAC, but the issue was that there were many and none were standardized. LSM solves this problem by offering a common framework for structuring and building kernel security modules. SELinux is one such implementation compliant with the LSM model. There are many others, so when you read the term LSM xxxx, it means the implementation of xxxx in your specific kernel security module. For example, LSM domain in SELinux simply refers to SELinux domains. The name doesn't have to correspond directly, but it typically does.


Secure Linux is a kernel security module which implements the Bell-LaPadula MAC model. SELinux is an LSM framework compliant Linux kernel security module. It provides mechanisms for controlling the way in which users, processes, and files within a system interact. Most relevant to this post, it allows administrators to classify files, processes, users, etc. according to a security classification scheme, for example: top secret, secret, unclassified, etc.

Multi-Level Security

Built into SELinux is something called MLS (Multi-Level Security). This enables Linux to label files according to security sensitivities with s0 being the lowest classification and s15 being the highest. Within each security sensitivity are categories which may range from 0-1024. The security sensitivity and category are combined to create what is called a security level. It is the security level that CIPSO transports to other devices on the network.


Netlabel is a toolset for supporting network-based labeling within SELinux. The MLS portion of SELinux creates and attaches labels to different objects within the system. Netlabel provides the means to affix security-related labeling to packets in a CIPSO format.


Commercial Internet Protocol Security Option (CIPSO) is a generic specification for adding security levels to network traffic. Technically, it was never made a standard and remains an IETF draft, but it is the de facto industry standard. SELinux passes security classification labels to the network stack, where those labels are translated to the CIPSO protocol and then sent across the network to other MLS-enabled systems.
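The translation described above, as an added example that is not from the original post: it parses an SELinux MLS security level and packs it into a CIPSO IPv4 option using tag type 1 (restricted bitmap) from the CIPSO draft, then decodes it as a receiver would. The DOI value 16 and the one-to-one mapping of sensitivity and category numbers are assumptions; a real deployment may map them through a configured table.

```python
import re
import struct

CIPSO_OPTION_TYPE = 134  # IPv4 option number used by CIPSO
TAG_RBM = 1              # tag type 1: sensitivity level plus category bitmap

def parse_mls_level(level):
    """Split an MLS level such as 's3:c0,c5.c7' into (sensitivity, categories)."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", level)
    if not m:
        raise ValueError(f"not an MLS level: {level!r}")
    cats = set()
    for part in (m.group(2).split(",") if m.group(2) else []):
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # 'c5' or range 'c5.c7'
        if not r:
            raise ValueError(f"bad category term: {part!r}")
        lo, hi = int(r.group(1)), int(r.group(2) or r.group(1))
        if hi < lo:
            raise ValueError(f"reversed category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), cats

def cipso_option(level, doi):
    """Encode an MLS level as a CIPSO option: type, length, DOI, one type-1 tag."""
    sens, cats = parse_mls_level(level)
    # An IPv4 option is at most 40 bytes, leaving 30 bitmap bytes (240 categories).
    if sens > 255 or any(c > 239 for c in cats):
        raise ValueError("level does not fit in CIPSO tag type 1")
    bitmap = bytearray(max(cats) // 8 + 1 if cats else 0)
    for c in cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)  # category 0 is the top bit of byte 0
    tag = bytes([TAG_RBM, 4 + len(bitmap), 0, sens]) + bytes(bitmap)
    return struct.pack("!BBI", CIPSO_OPTION_TYPE, 6 + len(tag), doi) + tag

def parse_cipso_option(opt):
    """Receiver side: recover (doi, sensitivity, categories) from the option bytes."""
    if len(opt) < 10 or opt[0] != CIPSO_OPTION_TYPE or opt[1] != len(opt):
        raise ValueError("not a well-formed CIPSO option")
    if opt[6] != TAG_RBM or opt[7] != len(opt) - 6:
        raise ValueError("only a single type-1 tag is handled here")
    doi = struct.unpack("!I", opt[2:6])[0]
    cats = {i * 8 + b for i, byte in enumerate(opt[10:])
            for b in range(8) if byte & (0x80 >> b)}
    return doi, opt[9], cats

if __name__ == "__main__":
    wire = cipso_option("s3:c0,c5.c7", doi=16)  # constructed level and DOI
    print(wire.hex(), parse_cipso_option(wire))
```

A level that SELinux accepts can still be rejected here: tag type 1 carries at most 240 categories, so a label using higher category numbers cannot be sent in this tag format.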
