A few comments on your configuration below ...
> netlabelctl unlbl add interface:eth0 address:0.0.0.0/0
> label:system_u:object_r:node_t:s1
> netlabelctl unlbl add interface:eth0
> address:192.168.1.196/0 label:system_u:object_r:node_t:s4

Generally node_t is used for network nodes while netif_t is used for
interfaces. I would recommend changing from "node_t:s1" to "netif_t:s1" and
"node_t:s4" to "netif_t:s4".
Ok, I note that. Btw, is this reference still current: http://marc.info/?l=selinux&m=119991234501200&w=2 ? SELinux badly needs a FAQ/best-practice network guide. Its absence causes basic errors in network configuration like mine. audit2allow just recommends allowing this, that and the other, so we just do it, without thinking about what and for what...
Also just for clarification, you do realize that 0.0.0.0/0 and 192.168.1.196/0
are the same, yes? In fact, you shouldn't even be able to configure the above;
you should get a "netlabelctl:error, File exists" error message (I do on my
RHEL6 system). Perhaps a cut-and-paste error when writing your email?
Sure, it's a typo. I meant 192.168.1.196/32.
> 3) telnet from external network (system_u:object_r:node_t:s1) established,
> but only one way (s1 -> s4). On trying to send string back from nc to
> telnet and got connection closed... that's right from one side of view but
> no deny avc in audit. Dontaudit rules disabled. One strange.

I assume that the external network/host is unlabeled and you are using the
static/fallback labeling to label the incoming traffic? If so, could you
first correct your static/fallback configuration (see above) and try again?
I changed the type to netif_t and found this AVC in the audit log:

type=AVC msg=audit(1369158708.220:821): avc: denied { write } for pid=2440 comm="nc" path="socket:[19743]" dev=sockfs ino=19743 scontext=user_u:user_r:user_t:s4 tcontext=user_u:user_r:user_t:s1 tclass=tcp_socket

You're right, I connected from an unlabeled network, from an address with the :s4 label, and used only static/fallback labeling. So now that looks right: :s4 cannot write to a socket connected to an :s1 endpoint, and the AVC is present. The reverse channel s1->s4 is allowed.
Any AVC denials?
> 4) telnet from same host but user context is ' user_u:user_r:user_t:s1' to
> 127.0.0.1 or 192.168.1.96 - timed out... hmm.. that's strange. All needed
> selinux context is allowed (or we got deny on step 1, but why we got
> different result withing step 3? So, second issue.
Yeah, that's it:

type=AVC msg=audit(1369160107.877:926): avc: denied { recv } for saddr=127.0.0.1 src="" daddr=127.0.0.1 dest=39019 netif=lo scontext=user_u:user_r:user_t:s1 tcontext=system_u:object_r:netlabel_peer_t:s4 tclass=peer

audit2allow makes a rule:
------------------------------------------------------------------
module netlabpeer 1.0;
require {
type netlabel_peer_t;
type user_t;
class peer recv;
}
#============= user_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow user_t netlabel_peer_t:peer recv;
------------------------------------------------------------------
That looks right (I see the warning of course, but I'm not sure what it means), but SELinux has its own point of view, and the deny AVC is repeated in the audit log. Earlier I thought the deny was caused by the 's1->s4' connection, but I established the channel in permissive mode, then switched SELinux to enforcing and got a result like in (3): a one-way channel. So this rule really is a constraint violation, and telnet can't establish the connection because of disallowed context access, not a label ...
> 5) And most strange.... telnet from same host, different user
> (user_u:user_r:user_t:s1:c0.c255) to any local address (127 or 192) got an
> error: no space left on device . ouch. what device.. what space. space
> space, i need space (sorry).

You configured CIPSO to use only tag type #1 which is limited to categories
c0.c240. If you want to use more than that you will need to look at the other
tag types: enumerated (#2) or ranged (#5). Note that you can specify a
prioritized list of CIPSO tags in your netlabelctl command line, e.g.
'tags:2,5,1'; see the man page and the CIPSO draft specification[1] for more
details.

[1] http://netlabel.sourceforge.net/files/draft-ietf-cipso-ipsecurity-01.txt
Now it's clear, thanks.
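The two hand-worked steps in this thread can be checked mechanically: first, reading the scontext/tcontext MLS levels out of the two AVC records above (the s4 -> s1 tcp_socket write and the s1 <- s4 peer recv) and applying the base MLS constraints, which shows why the allow rule audit2allow produced cannot help; second, checking whether a level such as s1:c0.c255 fits in a CIPSO tag type 1 bitmap, which is the "no space left on device" case. The script below is an added example written for this page, not code from either participant. It assumes the reference-policy mlsconstrain shapes as I recall them (write-like permissions need l1 eq l2; read-like permissions and peer recv need l1 dom l2), without the mlsnet* attribute exceptions, and it derives the tag type 1 limit from the draft's 34-octet maximum tag (4 header octets plus a 30-octet bitmap, i.e. 240 category bits, c0 through c239); verify both against your policy and the draft linked above. The AVC lines embedded in it are copies of the ones quoted in the thread, reconstructed as sample input.

```python
"""Added example for this thread (not the participants' code).

1. Parse the two AVC records quoted above and apply the base MLS
   constraints to explain why audit2allow's allow rule cannot fix them.
2. Check whether an MLS level fits a CIPSO tag type 1 bitmap.

Assumptions: constraint shapes are refpolicy's mlsconstrain rules as I
recall them, without the mlsnet* exceptions; tag type 1 is taken as a
30-octet bitmap (34-octet max tag minus 4 header octets), i.e. c0..c239.
"""
import re

# Constructed sample input: copies of the two denials quoted in the thread.
AVC_SAMPLES = [
    'type=AVC msg=audit(1369158708.220:821): avc: denied { write } for pid=2440 '
    'comm="nc" path="socket:[19743]" dev=sockfs ino=19743 '
    'scontext=user_u:user_r:user_t:s4 tcontext=user_u:user_r:user_t:s1 '
    'tclass=tcp_socket',
    'type=AVC msg=audit(1369160107.877:926): avc: denied { recv } for '
    'saddr=127.0.0.1 src="" daddr=127.0.0.1 dest=39019 netif=lo '
    'scontext=user_u:user_r:user_t:s1 '
    'tcontext=system_u:object_r:netlabel_peer_t:s4 tclass=peer',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')

# Permission groups used by the socket and peer constraints (assumed).
WRITE_LIKE = {'write', 'setattr', 'relabelfrom', 'connect', 'setopt',
              'shutdown', 'send_msg'}
READ_LIKE = {'read', 'getattr', 'getopt', 'recv_msg', 'accept', 'recv'}

CIPSO_TAG1_BITMAP_OCTETS = 30                              # assumption
CIPSO_TAG1_MAX_CATEGORY = CIPSO_TAG1_BITMAP_OCTETS * 8 - 1  # c239


def parse_level(level):
    """'s1:c0.c255' or 's4' -> (sensitivity, frozenset of category numbers)."""
    sens, _, cats = level.partition(':')
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')       # 'c0.c255' is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(categories)


def parse_context(ctx):
    """'user_u:user_r:user_t:s1:c0.c255' -> dict; only the low level is kept."""
    user, role, type_, mls = ctx.split(':', 3)
    low = mls.split('-', 1)[0]                 # ranges look like s0-s15:c0.c1023
    return {'user': user, 'role': role, 'type': type_, 'level': parse_level(low)}


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories include b's."""
    return a[0] >= b[0] and b[1] <= a[1]


def parse_avc(line):
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {'perms': PERM_RE.search(line).group(1).split(),
            'tclass': fields['tclass'],
            'scontext': parse_context(fields['scontext']),
            'tcontext': parse_context(fields['tcontext'])}


def fmt_level(level):
    sens, cats = level
    return f's{sens}' + (f' ({len(cats)} categories)' if cats else '')


def mls_verdict(avc):
    """One reason string per permission the base MLS constraints deny.

    An empty list means MLS is not the cause; a non-empty one is the
    'constraint violation' that audit2allow warns about above.
    """
    l1, l2 = avc['scontext']['level'], avc['tcontext']['level']
    reasons = []
    for perm in avc['perms']:
        if perm in WRITE_LIKE and l1 != l2:
            reasons.append(f'{perm} on {avc["tclass"]}: needs l1 eq l2, '
                           f'got {fmt_level(l1)} -> {fmt_level(l2)}')
        elif perm in READ_LIKE and not dominates(l1, l2):
            reasons.append(f'{perm} on {avc["tclass"]}: needs l1 dom l2, '
                           f'but {fmt_level(l1)} does not dominate {fmt_level(l2)}')
    return reasons


def fits_cipso_tag1(level):
    """(fits, highest category) for a tag type 1 restricted bitmap."""
    _, cats = parse_level(level)
    if not cats:
        return True, None
    highest = max(cats)
    return highest <= CIPSO_TAG1_MAX_CATEGORY, highest


if __name__ == '__main__':
    for line in AVC_SAMPLES:
        for reason in mls_verdict(parse_avc(line)) or ['no MLS constraint hit']:
            print(reason)
    for lvl in ('s1', 's1:c0.c239', 's1:c0.c255'):
        print(lvl, fits_cipso_tag1(lvl))
```

Run against the two records, the script reports the write as failing "l1 eq l2" (s4 -> s1) and the peer recv as failing "l1 dom l2" (s1 does not dominate s4), which is exactly the situation where an `allow user_t netlabel_peer_t:peer recv;` rule is accepted by the compiler but never takes effect; and s1:c0.c255 does not fit a tag type 1 bitmap, while s1:c0.c239 does.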