I need help understanding if SELinux supports restricting a confined application from binding to specific network interfaces. I cannot seem to make this work under F11 and F12 (using targeted, mls, and reference policies), or under RHEL 5.3U3 targeted.
Details:
- I have a system with two network interfaces: eth0 and eth1.
- I have an application that must only be allowed to read data from eth0 (raw and tcp).
- I do not need to label packets.
Here's what I have tried:
1) In a new policy module, I create new types: myApp_exec_t, myApp_t, myApp_eth0_t, myApp_eth1_t.
2) I use semanage fcontext to label my application's executable file as myApp_exec_t
3) I assign eth0 with a new type: 'semanage interface -a -t myApp_eth0_t eth0'
4) I assign eth1 with a new type: 'semanage interface -a -t myApp_eth1_t eth1'
5) In my policy module, I allow the following: "allow myApp_t self:capability net_raw", and "allow myApp_t self:tcp_socket { accept read }"
6) I verify that when I execute my application, using ps -efZ it is running in the myApp_t domain (has transitioned properly from unconfined_t)
The problem is, my app can read raw or tcp data from either eth0 or eth1 even though both interfaces have been assigned different types using semanage -interface.
Is this because 'allow myApp_t self:capability net_raw' does not distinguish between network interfaces? Is my understanding of semanage interface incorrect - shouldn't labeling the interface result in no ability to use the interface unless explicitly allowed?
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
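A worked policy module for the layout described above, added here as an example; it is not the poster's module and not part of the original message. The type names myApp_t, myApp_exec_t, myApp_eth0_t and myApp_eth1_t are the poster's; the packet types myApp_eth0_packet_t and myApp_eth1_packet_t, the refpolicy interface names and the exact permission sets are my assumptions about the Fedora 11/12 reference policy and should be checked with seinfo and sesearch on the target box. The point it shows is that an interface label is only ever consulted through the netif object class, so the module has to say which domain may receive on which netif type; a capability such as net_raw is a property of the process and cannot name an interface.

```text
## myapp.te (added example, not the original poster's module).
## Goal: myApp_t may receive TCP and raw IP data arriving on the interface
## labeled myApp_eth0_t, and nothing on the interface labeled myApp_eth1_t.
## Refpolicy interface names and permission sets are assumptions; verify with
## 'seinfo -c netif -x', 'seinfo -c packet -x' and sesearch on the target.
policy_module(myapp, 1.0.0)

type myApp_t;
type myApp_exec_t;
domain_type(myApp_t)
domain_entry_file(myApp_t, myApp_exec_t)
# The unconfined_t -> myApp_t transition is whatever the poster already has
# working (ps -efZ shows myApp_t), so it is not repeated here.

# Interface types. Adding them to the netif_type attribute is what makes them
# usable as targets of 'semanage interface -a -t <type> ethN'.
gen_require(`
	attribute netif_type;
	attribute packet_type;
	type node_t;
')
type myApp_eth0_t;
typeattribute myApp_eth0_t netif_type;
type myApp_eth1_t;
typeattribute myApp_eth1_t netif_type;

# Process-wide permissions. CAP_NET_RAW is checked against the process, not
# against an interface, so this line cannot express "raw sockets on eth0 only".
allow myApp_t self:capability net_raw;
allow myApp_t self:tcp_socket create_stream_socket_perms;
allow myApp_t self:rawip_socket create_socket_perms;
# Only needed if the capture is an AF_PACKET socket (libpcap style).
allow myApp_t self:packet_socket create_socket_perms;

# Interface-level permissions under the legacy network controls (kernels or
# policies without the network_peer_controls capability, e.g. RHEL 5).
# The source is the process domain and the target is the netif type, so
# listing only myApp_eth0_t is what denies eth1.
allow myApp_t myApp_eth0_t:netif { tcp_recv rawip_recv };
allow myApp_t node_t:node { tcp_recv rawip_recv };

# With the network_peer_controls capability (Fedora 11/12 policies) the netif
# check becomes 'ingress' with the packet's peer label as the source, so the
# process domain is no longer checked against the interface at all. The
# per-interface control that still reaches the process is SECMARK: iptables
# stamps packets by ingress interface with a packet type, and the process
# needs 'packet recv' on that type. Assumed packet types (mine, not refpolicy):
type myApp_eth0_packet_t;
typeattribute myApp_eth0_packet_t packet_type;
type myApp_eth1_packet_t;
typeattribute myApp_eth1_packet_t packet_type;

# Grant on the eth0 packet type only; no rule for myApp_eth1_packet_t.
allow myApp_t myApp_eth0_packet_t:packet { recv send };
```

Build and load it with the usual devel Makefile (make -f /usr/share/selinux/devel/Makefile myapp.pp; semodule -i myapp.pp), label the interfaces exactly as in the post (semanage interface -a -t myApp_eth0_t eth0; semanage interface -a -t myApp_eth1_t eth1), and then check which set of rules the running kernel will actually consult: cat /selinux/policy_capabilities/network_peer_controls prints 1 when the ingress/peer model is in effect and 0 for the legacy tcp_recv/rawip_recv checks. For the SECMARK path the packets have to be marked by interface in the mangle table, for example iptables -t mangle -A INPUT -i eth0 -j SECMARK --selctx system_u:object_r:myApp_eth0_packet_t:s0 and the matching rule for eth1 with myApp_eth1_packet_t; a read on eth1 then fails with a packet recv AVC denial naming myApp_eth1_packet_t, which is the evidence that the interface distinction is being enforced. sesearch --allow -s myApp_t -c netif and sesearch --allow -s myApp_t -c packet confirm that myApp_eth1_t and myApp_eth1_packet_t never appear as targets.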