Hello,
I'm trying to restrict an application to only have access to some network interfaces. I'm running a custom policy on a RHEL 6.3 system. The application is opening the socket as AF_PACKET and SOCK_RAW. However, SELinux doesn't seem to be controlling any raw access to the interfaces.
I've confirmed using apol that there are no rules for the interface type that would allow access. I've also confirmed that the only attribute on the interface is netif_type and that the only access to netif_type is from kernel_t.
I've granted the application:
allow my_app_t self:packet_socket { connected_socket_perms };
allow my_app_t self:capability { net_raw };
I was expecting to have to do something like:
allow my_app_t my_iface_t:netif { some_permission };
Is there any way for me to enforce network interface separation? Or does packet_socket always allow access to all interfaces?
Thanks,
Andy Ruch
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.