RE: how to restrict a SOCK_RAW by interface


Hello,

Thanks for the hint. However, it does not solve my problem; I still can read from eth0.

I did have to add allow rules for netif_t:netif but my policy still does not allow iface_test_t.

James


-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: Mon 12/14/2009 1:49 PM
To: Cernak, James E (IS)
Cc: fedora-selinux-list@xxxxxxxxxx
Subject: Re: how to restrict a SOCK_RAW by interface

On Mon, 2009-12-14 at 13:29 -0600, Cernak, James E (IS) wrote:
> Hello,
>
> I am trying to restrict an application to using only some interfaces
> on the system. I have defined a new type and assigned the interface on
> my RHEL5.4-x64 system to the new type with semanage. The system
> indicates that the interface is now configured.
>      # semanage interface -l
>      SELinux Interface              Context
>
>      eth1                           system_u:object_r:iface_test_t:s0
> This does restrict applications like tcpdump or wireshark from listing
> the interface that was configured.
>      # tcpdump -D
>      1.peth0
>      2.virbr0
>      3.vif0.0
>      4.eth0
>      5.xenbr0
>      6.eth2
>      7.eth3
>      8.any (Pseudo-device that captures on all interfaces)
>      9.lo
>
> My problem comes that my application can still open eth1 and read and
> write packets to this interface.
> The application is opening a socket as SOCK_RAW then binding with a
> struct sockaddr_ll that has the sll_ifindex field configured with the
> index of eth1.
> How do I write an SELinux policy to restrict this application from
> using some interfaces?
>

In RHEL5 (Linux 2.6.18), you might need to enable compat_net (echo 1 > /selinux/compat_net, or boot with selinux_compat_net=1 on the kernel command line).

--
Stephen Smalley
National Security Agency
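As an added illustration (not from the thread, and not tested against the poster's RHEL5 system), the shape of the policy the question asks for: a refpolicy-style module that declares the interface type, labels the restricted interface, and grants the application domain the compat_net netif permissions on the generic interface type only. The domain name myapp_t, the netif_type attribute, and the rawip_recv/rawip_send permission names are assumptions; whether the kernel actually applies the netif check to a packet socket is exactly what the thread is debugging, so the audit check in the comments is the part to rely on.

```selinux
policy_module(iface_test, 1.0.0)

# Type for the interface(s) the application must not touch.
# Attribute netif_type is assumed to exist in the base refpolicy so
# "all interface" macros keep working for other domains.
gen_require(`
    attribute netif_type;
    type netif_t;            # generic type of unlabelled interfaces (eth0, lo, ...)
')
type iface_test_t, netif_type;

# Label the interface with the new type (persistent, applied via netifcon):
#   semanage interface -a -t iface_test_t eth1
#   semanage interface -l        # should list eth1 as system_u:object_r:iface_test_t:s0

# Hypothetical domain the application already runs in.
type myapp_t;

# The socket itself: AF_PACKET/SOCK_RAW is object class packet_socket
# and needs CAP_NET_RAW; this is interface-independent.
allow myapp_t self:capability net_raw;
allow myapp_t self:packet_socket { create bind ioctl getopt setopt read write };

# compat_net (RHEL5 / 2.6.18): traffic through an interface is checked
# against the interface's type with rawip_recv/rawip_send on class netif.
# Grant the generic type only; iface_test_t is deliberately absent, so any
# check the kernel performs for eth1 is denied for myapp_t.
allow myapp_t netif_t:netif { rawip_recv rawip_send };

# Verify the policy is being consulted at all: with compat_net enabled,
# a denied attempt shows up as an AVC record, e.g.
#   ausearch -m avc -su myapp_t
# An absence of any AVC while the socket still works means the netif
# check never ran for this socket, not that the rule above is wrong.
```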


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
