Re: default deny for uncofined_t using targeted?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Steve Brueckner wrote:

Stephen Smalley wrote:

On Fri, 2005-11-18 at 15:17 +0000, Paul Howarth wrote:

Won't that kill all network access, including via localhost, rather
than just eth0 access?

Well, yes, good point ;)

Also looks like Dan reworked the old netifcon statements and netif
types as part of the network macro work. 
Ok, so one approach might be to:
- Add a netifcon statement to policy/net_contexts (between the
	portcon entries and the nodecon entries) to distinguish eth0:
netifcon eth0 system_u:object_r:netif_eth0_t
	system_u:object_r:unlabeled_t - Add the type to
policy/types/network.te (or anywhere in the policy): type
	netif_eth0_t, netif_type; - Change the allow rule in
unconfined_domain from allow $1 netif_type:netif *; to: 
	allow $1 netif_t:netif *;
so that unconfined_t no longer gets access to all netif types, just
the default one (which covers loopback). 
Looks like macros/network_macros.te already limits itself to
netif_t:netif, so it will also cease granting access to eth0 when you
make the above changes without needing to modify the macro itself. 

Well this seemed to be working, but then something strange happened.  I
wanted ssh to work over eth0, so I added this to domains/program/ssh.te:
	auditallow sshd_t netif_type:netif *;
	allow sshd_t netif_type:netif *;

This single change allowed ssh to use eth0, but apparently it also allows
anything in unconfined_t to access eth0 also!  For example, when I run nmap
192.168.1.109 it is no longer blocked:

type=AVC msg=audit(1134421016.167:1744): avc: granted { rawip_send } for
pid=2854 comm="nmap" saddr=192.168.1.80 src=55724 daddr=192.168.1.209
dest=1502 netif=eth0 scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:netif_eth0_t tclass=netif

Am I missing something fundamental or is this a bug?  It seems to me that
giving sshd_t access to eth0 shouldn't also cause everyone in unconfined_t
to have access to eth0.


sshd_t is an alias for unconfined_t, in targeted policy.

Thanks for your help so far,

Stephen Brueckner, ATC-NY

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list



--


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux