Re: Question about SELinux capability

Yes. That is correct. What I am looking at though is a piece of hardware
that does not use IP (or TCP and UDP for that matter). Instead, they
implement their own protocol at the IP layer. So any traffic coming from
the hardware (to the system that I am writing policy for) and any traffic
being sent to that machine uses a raw socket to communicate (no IP at
all). I briefly looked at ebtables, but it doesn't appear to have the same
type of SECMARK support that I would use with iptables.

I think the best solution that I have come up with is to label the network
interface used to communicate with the hardware, and then only allow the
domain being confined to create sockets and bind to that interface.

-Tom

-- 
Thomas Moyer, Technical Staff		voice: (781) 981-1374
Cyber Systems Technology Group		mobile: (857) 268-0493
MIT Lincoln Laboratory				email: thomas.moyer@xxxxxxxxxx
244 Wood Street
Lexington, MA 02420

On 10/30/12 6:39 PM, "Paul Moore" <paul@xxxxxxxxxxxxxx> wrote:

>On Friday, October 26, 2012 04:08:15 PM Moyer, Thomas - 0668 - MITLL wrote:
>> I am working with a piece of embedded hardware that uses raw Ethernet frames
>> to communicate with another (standard PC). Is it possible to apply SELinux
>> labels to those Ethernet frames like you can with IP packets using iptables
>> and SECMARK?
>
>The secmark/iptables labels never leave the local system; they are maintained
>only within the kernel and do not travel out over the wire.  If you are
>interested in communicating a security label over the network, your only options
>at present require an IP header at the very least.
>
>-- 
>paul moore
>www.paul-moore.com
>
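
The approach Tom outlines above, written out as a refpolicy-style module. This is an added example, not policy from the thread or from refpolicy itself; the module name hwcomm, the types hwcomm_t / hwcomm_exec_t / hwcomm_netif_t, the daemon path and the interface name eth1 are all assumed.

```selinux
## hwcomm.te  (assumed module name; refpolicy-style)
policy_module(hwcomm, 1.0.0)

########################################
#
# Declarations
#

# Domain for the process that exchanges raw frames with the hardware,
# plus the type of its executable.  The matching hwcomm.fc line would be:
#   /usr/sbin/hwcomm  --  gen_context(system_u:object_r:hwcomm_exec_t,s0)
type hwcomm_t;
type hwcomm_exec_t;
init_daemon_domain(hwcomm_t, hwcomm_exec_t)

# Dedicated label for the interface wired to the hardware.  Attach it to
# the real interface (eth1 is assumed) once the module is loaded:
#   semanage interface -a -t hwcomm_netif_t eth1
gen_require(`
	attribute netif_type;
')
type hwcomm_netif_t, netif_type;

########################################
#
# Policy
#

# Opening an AF_PACKET/SOCK_RAW socket requires CAP_NET_RAW and the
# packet_socket create permission; binding it to an interface is the
# packet_socket bind permission.  A confined domain without these rules
# cannot open a raw-frame socket at all, which is the actual gate here.
allow hwcomm_t self:capability net_raw;
allow hwcomm_t self:packet_socket { create bind getopt setopt ioctl read write };

# Interface-level permissions on the labelled interface.  The kernel
# evaluates the netif class for IPv4/IPv6 traffic in its netfilter hooks;
# frames carrying a non-IP protocol do not pass those checks, so for this
# hardware the packet_socket rules above are the ones that decide access,
# and this rule documents which interface the domain is meant to use.
allow hwcomm_t hwcomm_netif_t:netif { ingress egress };
```

Other confined domains should receive no packet_socket create rule, otherwise they can reach the hardware regardless of the interface label.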
