On 01/14/2010 03:08 PM, Jason Shaw wrote:
> I need help understanding if SELinux supports restricting a confined
> application from binding to specific network interfaces. I cannot seem to
> make this work under F11 and F12 (using targeted, mls, and reference
> policies), or under RHEL 5.3U3 targeted.
>
> Details:
> - I have a system with two network interfaces: eth0 and eth1.
> - I have an application that must only be allowed to read data from eth0
> (raw and tcp).
> - I do not need to label packets.
>
> Here's what I have tried
> 1) In a new policy module, I create new types: myApp_exec_t, myApp_t,
> myApp_eth0_t, myApp_eth1_t.
> 2) I use semanage -fcontext to label my application's executable file as
> myApp_exec_t
> 3) I assign eth0 with a new type: 'semanage interface -a -t myApp_eth0_t
> eth0'
> 4) I assign eth1 with a new type: 'semanage interface -a -t myApp_eth1_t
> eth1'
> 5) In my policy module, I allow the following: "allow myApp_t
> self:capability net raw", and "allow myApp_t self:tcp_socket { accept read
> }"
> 6) I verify that when I execute my application, using ps -efZ it is running
> in the myApp_t domain (has transitioned properly from unconfined_t)
>
> The problem is, my app can read raw or tcp data from either eth0 or eth1
> even though both interfaces have been assigned different types using
> semanage -interface.
>
> Is this because 'allow myApp_t self:capability net_raw' does not distinguish
> between network interfaces? Is my understanding of semanage -interface
> incorrect - shouldn't labeling the interface result in no ability to use the
> interface unless explicitly allowed?
>
This is how you can , i think, declare a netif type:
[dgrift@localhost Desktop]$ cat mynetif.te
policy_module(mynetif, 1.0.0)
require { attribute netif_type; }
type netif_test_t, netif_type;
You will need to label the netif manually though. unless you add it to
corenetwork.te.in , with a context specification
[dgrift@localhost Desktop]$ sudo semanage interface -a -t netif_test_t
-r s0-s0:c0.c1023 eth0
[dgrift@localhost Desktop]$ sudo semanage interface -l
SELinux Interface Context
eth0
system_u:object_r:netif_test_t:s0-s0:c0.c1023
I assume this should also work for raw as there are interfaces
suggesting it:
# Summary: Receive raw IP packets on generic interfaces.
# Parameter domain
#The type of the process performing this action.
interface(`corenet_raw_receive_generic_if',`
gen_require(`
type netif_t;
')
allow $1 netif_t:netif { rawip_recv ingress };
')
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Attachment:
signature.asc
Description: OpenPGP digital signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
