Re: SELinux: Interface Labeling Problem

OK, I have also attached the community to this thread.

Please, can someone help me?

Thanks

On Thursday, 11 June 2015, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
On Thu, Jun 11, 2015 at 4:22 PM, Maurizio Pagani <pag.maurizio@xxxxxxxxx> wrote:
> Any idea??? Please, it is important.

As Stephen already mentioned, please repost your question to the
mailing list so that others can benefit.

> On Thursday, 11 June 2015, Gmail <pag.maurizio@xxxxxxxxx> wrote:
>>
>> Hi Stephen,
>>
>> ok, but with peer labeling I saw that it is not possible to block a specific
>> domain from using an interface labeled with netif_hostonly_t, right? If not, how
>> can I block a specific domain from using my network interface?
>>
>> However, I'll write the next questions to the distribution list.
>>
>> Thanks in advance,
>>
>>
>>
>>
>> Maurizio Pagani
>> Systems and Security Specialist
>>
>> Kay Systems Italia
>> www.ksi.it
>> Viale Libano, 80 - 00144 Roma
>> fax: +39 06 542799-60
>> mobile: +39 335 1382689
>> e-mail: maurizio.pagani@xxxxxx
>>
>> -----Original Message-----
>> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
>> Sent: Thursday, 11 June 2015 14:49
>> To: Gmail; paul@xxxxxxxxxxxxxx; james.l.morris@xxxxxxxxxx; 'Daniel J
>> Walsh'; 'Dominick Grift'; 'Sven Vermeulen'; eparis@xxxxxxxxxxxxxx
>> Subject: Re: SELinux: Interface Labeling Problem
>>
>> Is there a reason you didn't post this to the selinux list
>> (selinux@xxxxxxxxxxxxx, subscribe via selinux-join@xxxxxxxxxxxxx)?
>> We prefer questions to go to the list so that they are archived for others
>> and anyone in the community can respond to them.
>>
>> In any event, SELinux network permission checks have changed over time.
>> The netif { tcp_recv tcp_send udp_recv udp_send } checks were legacy
>> network checks that were removed in Linux 2.6.30.  netif { ingress egress }
>> are newer checks that are only enabled if you have configured peer labeling
>> via NetLabel or labeled IPSEC/xfrm.
>>
>> On 06/11/2015 06:27 AM, Gmail wrote:
>> > Hi everybody,
>> >
>> > I'm Maurizio Pagani (LordFire in #SELinux IRC freenode).
>> >
>> > I write to you because I'm implementing an SELinux solution with
>> > particular attention to Network Labeling.
>> >
>> > I'm doing this through some blogs (Paul Moore in particular, Walsh and
>> > others) and books (Sven Vermeulen), but now I'm blocked by a little
>> > problem that does not let me go on.
>> >
>> > The subject is: *"Interface Labeling"*.
>> >
>> > In a few words, I created a very simple policy called
>> > *"netif_hostonly_t"*; the .te is this:
>> >
>> > policy_module(netif_hostonly, 1.0.0)
>> >
>> > require {
>> >         type unconfined_t;
>> >         class netif { tcp_recv tcp_send udp_recv udp_send ingress egress };
>> > }
>> >
>> > # I declare my type
>> > type netif_hostonly_t;
>> >
>> > allow unconfined_t netif_hostonly_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress };
>> >
>> > *Next Step:*
>> >
>> > semanage interface -a -t netif_hostonly_t eno50332208
>> >
>> > I checked that it is labeled correctly.
>> >
>> > But I don't see any AVC denied messages; this is the problem. I thought
>> > that, as always, SELinux blocks everything and afterwards, through raw SELinux
>> > language (allow/dontaudit/auditallow/neverallow), we can open specific
>> > communications, but instead I don't see anything.
>> >
>> > Am I doing something wrong? It is not very clear on the web, or in the other
>> > blogs / books, because maybe I need a SECMARK rule? But it is not
>> > specified as a requirement, because "port labeling" is also used
>> > without setting a SECMARK rule.
>> >
>> > Please, I'm blocked with my customer project for this (I think) stupid
>> > problem; maybe you surely know the solution and can share it with me.
>> >
>> > Thanks in advance,
>> >
>> > Maurizio Pagani
>> >
>



--
paul moore
www.paul-moore.com
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
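Stephen's answer explains why the module above never produces an AVC message: four of the six netif permissions it grants are legacy checks the kernel no longer evaluates, and the other two are only evaluated once peer labeling is configured. The following checker is an added example, not code from the thread or from the SELinux project. It parses the `allow` rules of a .te module and lists every netif permission that cannot produce an AVC decision on the given system, using the two facts stated in the reply. Maurizio's module from the post is embedded as sample input; the kernel release string and the peer-labeling flag are assumptions the caller supplies (for instance from `uname -r` and from inspecting the NetLabel or labeled-IPsec configuration).

```python
"""Audit a SELinux policy module for netif permissions the kernel never checks.

Added example, not code from the thread. Facts used (from Stephen Smalley's
reply): netif { tcp_recv tcp_send udp_recv udp_send } checks were removed in
Linux 2.6.30; netif { ingress egress } are only checked when peer labeling
(NetLabel or labeled IPsec/xfrm) is configured.
"""
import re
from dataclasses import dataclass

LEGACY_NETIF_PERMS = frozenset({"tcp_recv", "tcp_send", "udp_recv", "udp_send"})
PEER_GATED_NETIF_PERMS = frozenset({"ingress", "egress"})
LEGACY_REMOVED_IN = (2, 6, 30)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


# Matches `allow src tgt:cls perm;` and `allow src tgt : cls { p1 p2 ... } ;`,
# including permission sets that span several lines.
_ALLOW_RE = re.compile(
    r"\ballow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\w+)\s*"
    r"(?:\{(?P<set>[^}]*)\}|(?P<single>\w+))\s*;"
)


def strip_comments(te_text: str) -> str:
    """Drop `# ...` comments so a commented-out rule is not parsed as live."""
    return "\n".join(line.split("#", 1)[0] for line in te_text.splitlines())


def parse_allow_rules(te_text: str) -> list:
    """Return every `allow` rule in the module as an AllowRule."""
    rules = []
    for m in _ALLOW_RE.finditer(strip_comments(te_text)):
        if m.group("set") is not None:
            perms = m.group("set").split()
        else:
            perms = [m.group("single")]
        rules.append(AllowRule(m.group("src"), m.group("tgt"),
                               m.group("cls"), frozenset(perms)))
    return rules


def parse_kernel_version(release: str) -> tuple:
    """'3.10.0-229.el7.x86_64' -> (3, 10, 0); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def audit_netif_rules(te_text: str, kernel_release: str,
                      peer_labeling_configured: bool) -> list:
    """Return (source, target, perm, reason) for each netif permission that the
    kernel will never evaluate on this system, i.e. that can never be denied."""
    findings = []
    legacy_gone = parse_kernel_version(kernel_release) >= LEGACY_REMOVED_IN
    for rule in parse_allow_rules(te_text):
        if rule.tclass != "netif":
            continue
        for perm in sorted(rule.perms):
            if perm in LEGACY_NETIF_PERMS and legacy_gone:
                reason = "legacy netif check removed in Linux 2.6.30; never evaluated"
            elif perm in PEER_GATED_NETIF_PERMS and not peer_labeling_configured:
                reason = "only evaluated when peer labeling (NetLabel or labeled IPsec) is configured"
            else:
                continue
            findings.append((rule.source, rule.target, perm, reason))
    return findings


# Sample input: the module from the original post, verbatim.
NETIF_HOSTONLY_TE = """\
policy_module(netif_hostonly, 1.0.0)

require {
        type unconfined_t;
        class netif { tcp_recv tcp_send udp_recv udp_send ingress egress } ;
}

#I declare my type
type netif_hostonly_t;

allow unconfined_t netif_hostonly_t : netif { tcp_recv tcp_send
udp_recv udp_send ingress egress } ;
"""

if __name__ == "__main__":
    # Constructed inputs: a post-2.6.30 kernel and no peer labeling configured.
    for src, tgt, perm, why in audit_netif_rules(NETIF_HOSTONLY_TE, "3.10.0", False):
        print(f"allow {src} {tgt}:netif {perm}  ->  {why}")
```

Run against the module with a recent kernel and no peer labeling, the checker reports all six permissions as unenforceable, which is exactly the "no AVC denied messages" symptom in the post; with peer labeling configured only the four legacy permissions remain flagged, so the ingress/egress rules are the ones worth testing first after NetLabel or labeled IPsec is set up.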
