network, deep drive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

That's some strange issue appears with labeled networking. I tried to test some basic rules before mlp expreiments, but got unexpected results. Base configuration (tx-like):

netlabelctl unlbl add interface:eth0 address:0.0.0.0/0 label:system_u:object_r:node_t:s1
netlabelctl unlbl add interface:eth0 address:192.168.1.196/0 label:system_u:object_r:node_t:s4
netlabelctl map del default
netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
netlabelctl cipsov4 add pass doi:32 tags:1 
netlabelctl map add default address:127.0.0.0/8 protocol:cipsov4,32
netlabelctl map add default address:192.168.1.96/32 protocol:cipsov4,32 #eth0

Iptables allowed all, and have no any secmark rules.
 
So, some examples. Here, i have executed nc in listen: nc -l 5000 with user_u:user_r:user_t:s4 (additional policy that allow user_u to create socket, allowing node_t, ingress  & etc in effect)

1) telnet from same user (user_u:user_r:user_t:s4)  and same context is succesfull. Two way exchange via 127.0.0.1 or 192.168.1.96 interfaces. Thats right.

2) telnet from external network from host (system_u:object_r:node_t:s4) same result, two way exchange. That's right too.

3) telnet from external network (system_u:object_r:node_t:s1)  established, but only one way (s1 -> s4). On trying to send string back from nc to telnet and got connection closed... that's right from one side of view but no deny avc in audit. Dontaudit rules disabled. One strange.

4) telnet from same host but user context is ' user_u:user_r:user_t:s1' to 127.0.0.1 or 192.168.1.96 - timed out... hmm.. that's strange. All needed selinux context is allowed (or we got deny on step 1, but why we got different result withing step 3? So, second issue.

5) And most strange.... telnet from same host, different user (user_u:user_r:user_t:s1:c0.c255) to any local address (127 or 192) got an error: no space left on device . ouch. what device.. what space. space space, i need space (sorry). No deny avc in log again.. not dependent what port i connected to, listen or not.. enforcing or permissive. Only one dependence found:  with interface interface not configured with cipsov4 like above, error did not appear. I tried to some deep drive, so critical value below:

mls range: s1, s1:c0, s1:c0:c2 ... s1:c0.c239 - working right
mls range: s1:c0.c240 ... s1:c0-c254, s1:c0-c255 - no space left. 

Any idea?
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux