Re: Assigning a Type to Network Interfaces

On Monday 01 February 2010 12:44:56 pm Jason Shaw wrote:
> Here is what I found. Using netlabelctl, I could successfully restrict all
> inbound/outbound network access to the system on a specific interface. I
> could then permit only SSH into the system via allow rules associated with
> the peer label assigned using netlabelctl unlbl. That worked great. In fact,
> I'm really excited to explore other possibilities using netlabelctl as it
> has many valuable possible uses.

Great, glad to hear you got everything (well, almost) working; I apologize it 
took so long :)

> However, I found that my test app (with the allow rule below), could still
> read and display packet data coming in on any interface even with all
> interfaces assigned a unique peer_t using netlabelctl unlbl add. This was
> true when no explicit allow rules were added for the test app (running in
> myAPP_t). So while netlabelctl did require explicit allow rules for SSH to
> send/receive data (I believe for sshd_t), an allow rule was not required to
> read raw data off of the interface for myAPP_t.
> 
> allow myApp_t self:packet_socket { create read bind ioctl };
> 
> My understanding is that a packet socket is read at the device driver
>  level. As such, is it possible that the packet socket is being read before
>  netlabelctl enforcements are taking place?

Hmm, yes, I think you've stumbled across a bug in the kernel where the LSM 
sock_rcv_skb() hook is not called for AF_PACKET.  I need to take a look and 
verify the rest of the packet families and work up a fix.

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
