Stephen Smalley wrote:
> tcp_socket write, read, and connect are checks between the process
> security context and the (local) socket security context.
> name_connect is between the process' context and the port context.
> None of those are per-packet checks.

OK, just to be sure I understand: the local socket's context is copied from its owning process?

> At the risk of flooding your audit log, you might add the following
> policy module to see all grantings of egress permission:

No problem, it's a VM, we can do anything.

type=USER_ROLE_CHANGE msg=audit(1265396934.824:46): user pid=1061 uid=500 auid=500 ses=3 subj=user_u:user_r:newrole_t:s0-s1 msg='newrole: old-context=user_u:user_r:user_t:s0-s1 new-context=user_u:user_r:user_t:s1-s1: exe="/usr/bin/newrole" hostname=? addr=? terminal=/dev/tty2 res=success'
type=AVC msg=audit(1265396951.168:47): avc: granted { egress } for pid=1088 comm="ftp" saddr=10.0.2.15 src=53060 daddr=147.32.127.222 dest=21 netif=eth0 scontext=user_u:user_r:user_t:s1 tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif
type=AVC msg=audit(1265396951.171:48): avc: denied { ingress } for saddr=147.32.127.222 src=21 daddr=10.0.2.15 dest=53060 netif=eth0 scontext=system_u:object_r:netlabel_peer_t:s0 tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif

I'm kinda puzzled as to what's going on. For the egress operation the user process is writing to the interface, but that has s0-s15. So maybe I need to semanage the interface? But why is the default so wide, how can I semanage all interfaces? I can't see a _default_ one...

When I do it, I get a denied egress, but only as long as I have the netlabelctl in place. Why isn't labeling the interface sufficient? The netlabel type is not mentioned in the egress message at all...

Michal Svoboda
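Added example, not from this thread: a small Python parser that pulls the fields out of the two AVC records quoted above and applies the MLS range check that is assumed here to govern netif egress/ingress, namely that the subject's low level must lie within the interface's low-high range. Under that assumption both records pass the range check, which is consistent with an s0-s15 interface accepting an s1 process and suggests the ingress denial is not an MLS range failure.

```python
import re

# Constructed from the two AVC records quoted in the mail above.
AVC_LINES = [
    'type=AVC msg=audit(1265396951.168:47): avc: granted { egress } for pid=1088 comm="ftp" saddr=10.0.2.15 src=53060 daddr=147.32.127.222 dest=21 netif=eth0 scontext=user_u:user_r:user_t:s1 tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif',
    'type=AVC msg=audit(1265396951.171:48): avc: denied { ingress } for saddr=147.32.127.222 src=21 daddr=10.0.2.15 dest=53060 netif=eth0 scontext=system_u:object_r:netlabel_peer_t:s0 tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif',
]

AVC_RE = re.compile(r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into result, permission list and its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def mls_part(ctx):
    """user:role:type:MLS -> the MLS part (a single level, or a low-high range)."""
    return ctx.split(":", 3)[3]

def parse_level(level):
    """'s1' or 's0:c0.c1023,c5' -> (sensitivity, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    catset = set()
    for item in cats.split(",") if cats else []:
        lo, _, hi = item.partition(".")          # 'c0.c1023' is an inclusive range
        catset.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(catset)

def parse_range(mls):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own range."""
    low, _, high = mls.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)

def dominates(a, b):
    """Level a dominates b: sensitivity >= and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def mls_range_ok(rec):
    """Assumed MLS rule for netif egress/ingress: subject low level within interface range."""
    subj_low, _ = parse_range(mls_part(rec["scontext"]))
    if_low, if_high = parse_range(mls_part(rec["tcontext"]))
    return dominates(subj_low, if_low) and dominates(if_high, subj_low)
```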