Re: I have been asked for a use case that says I want to allow X domain to only be able to use eth1.


On 03/16/2011 04:32 PM, Daniel J Walsh wrote:
> For example if you wanted to allow httpd_t to only use eth1, you have a
> problem.  You need to label all of the devices on your system as
> something other than netif_t. And then add a rule like
> 
> semanage interface -a -t public_t eth0
> semanage interface -a -t private_t eth1
> 
> allow { domain -httpd_t } public_t:netif *;
> allow httpd_t private_t:netif *;
> 
> If you wanted all other processes to also use eth0, you would add
> allow domain private_t:netif *;
> 
> Now ignoring the fact that I used domain instead of some attribute to
> indicate all domains that use the network.
> 
> Even if I did the code above, if a new interface showed up later httpd_t
> would be allowed to use it since it can use netif_t, which is the
> default for all interfaces.
> 
> The problem is I can not change the default.
> 
> semanage interface -a -t public_t *
> 
> For example would not work, I don't think.
> 
> I guess I can do something hacky like I am with unlabelednet.pp and
> just put all of the netif rules into a module that I can disable, but I
> wanted to know if anyone has a better way.
> 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.



I guess for this to work, best I will need to deal with the node instead
of the interface.  As long as there is an IP associated with the node, I
can put a label out like

semanage node -a -t public_node_t 0.0.0.0/0
semanage node -a -t private_node_t 1.2.3.4/32

allow { domain -httpd_t } public_node_t:socket_class_set node_bind;
allow { httpd_t } private_node_t:tcp_socket node_bind;

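As an added illustration that is not part of the thread, the Python below models both labelling schemes from the message (interface labels with the netif_t fallback, and node labels with the 0.0.0.0/0 catch-all) so the behaviour for a newly added interface or address can be checked. The stand-in domain other_t, the longest-prefix node match, and the reduction of each allow rule to a (source domains, target type) pair are assumptions of this model, not SELinux internals.

```python
# Added example, not from the thread: a toy model of the two labelling schemes
# discussed above, showing why interface labelling leaks access to a new
# interface (netif_t fallback) while node labelling with a 0.0.0.0/0 catch-all
# does not.
import ipaddress

HTTPD = "httpd_t"
DOMAINS = {HTTPD, "other_t"}   # other_t: constructed stand-in for any other network domain


def allowed(rules, source, target):
    """rules: list of (set_of_source_domains, target_type). Each entry mirrors an
    'allow { ... } target:class perms;' line; class/perms are elided because only
    the target type decides the outcome in this model (assumption)."""
    return any(source in srcs and target == tgt for srcs, tgt in rules)


# --- Scheme 1: label interfaces (semanage interface -a -t ...) ---------------
IFACE_LABELS = {"eth0": "public_t", "eth1": "private_t"}
NETIF_DEFAULT = "netif_t"      # default type of every interface not labelled explicitly
IFACE_RULES = [
    (DOMAINS, NETIF_DEFAULT),          # existing policy: network domains may use netif_t
    (DOMAINS - {HTTPD}, "public_t"),   # allow { domain -httpd_t } public_t:netif *;
    ({HTTPD}, "private_t"),            # allow httpd_t private_t:netif *;
]


def iface_allowed(domain, iface):
    """Interface labelling: an unknown interface falls back to netif_t."""
    return allowed(IFACE_RULES, domain, IFACE_LABELS.get(iface, NETIF_DEFAULT))


# --- Scheme 2: label nodes (semanage node -a -t ...) -------------------------
NODE_LABELS = {"0.0.0.0/0": "public_node_t", "1.2.3.4/32": "private_node_t"}
NODE_RULES = [
    (DOMAINS - {HTTPD}, "public_node_t"),  # allow { domain -httpd_t } public_node_t:... node_bind;
    ({HTTPD}, "private_node_t"),           # allow { httpd_t } private_node_t:tcp_socket node_bind;
]


def node_label(addr):
    """Model assumption: the most specific (longest prefix) matching node context
    wins, so 0.0.0.0/0 acts as the catch-all default. Returns None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    candidates = [(ipaddress.ip_network(n), t) for n, t in NODE_LABELS.items()
                  if ip in ipaddress.ip_network(n)]
    return max(candidates, key=lambda nt: nt[0].prefixlen, default=(None, None))[1]


def node_bind_allowed(domain, addr):
    """Node labelling: any address not explicitly labelled is public_node_t."""
    return allowed(NODE_RULES, domain, node_label(addr))


if __name__ == "__main__":
    print(iface_allowed(HTTPD, "eth2"))          # True: new interface reachable via netif_t
    print(node_bind_allowed(HTTPD, "10.0.0.9"))  # False: new address is public_node_t
```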

