I'd be interested to see what others have to say on this too. You can achieve what you are doing using iptables and SECMARK, see the links below:

http://selinuxproject.org/page/NB_Networking
http://james-morris.livejournal.com/11010.html
http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-together

The basic idea being that you:

· Create a type, for example, eth0_packet_t
· Use iptables to label all packets on eth0 as eth0_packet_t
· Grant permissions on eth0_packet_t as necessary, e.g.

    allow my_app_t eth0_packet_t : packet { send recv }

I'd be very interested to hear others' opinions on whether this is best practice!

Cheers
Colin

From: Selinux [mailto:selinux-bounces@xxxxxxxxxxxxx] On Behalf Of Andy Ruch

Hello,

I'm trying to restrict an application to only have access to some network interfaces. I'm running a custom policy on a RHEL 6.3 system. The application is opening the socket as AF_PACKET and SOCK_RAW. However, selinux doesn't seem to be controlling any raw access to the interfaces. I've confirmed using apol that there are no rules for the interface type that would allow access. I've also confirmed that the only attribute on the interface is netif_type and that the only access to netif_type is from kernel_t.

I've granted the application:

    allow my_app_t self:packet_socket { connected_socket_perms };
    allow my_app_t self:capability { net_raw };

Is there any way for me to enforce network interface separation? Or does packet_socket always allow access to all interfaces?

Thanks,
Andy Ruch
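Colin's three steps written out end to end, as an added example that is not from either message: it builds a small policy module defining eth0_packet_t and granting Andy's my_app_t send/recv on it, then labels eth0 traffic with iptables SECMARK. It assumes a RHEL 6 host with checkpolicy, policycoreutils and iptables, that my_app_t already exists, and uses a made-up module name (eth0_secmark).

```shell
#!/bin/sh
# Added example, not from the thread: build a policy module that defines
# eth0_packet_t (Colin's type name) and grants Andy's my_app_t send/recv
# on it, then label eth0 traffic with iptables SECMARK.
# Assumptions: RHEL 6 with checkpolicy, policycoreutils and iptables; the
# domain my_app_t already exists; the module name eth0_secmark is made up.
set -e

IFACE=eth0
CTX=system_u:object_r:eth0_packet_t:s0
NAME=eth0_secmark

# Raw (non-refpolicy) module source, buildable directly with checkmodule.
policy_te() {
    cat <<EOF
module ${NAME} 1.0;
require {
    type my_app_t;
    class packet { send recv };
}
type eth0_packet_t;
allow my_app_t eth0_packet_t:packet { send recv };
EOF
}

# The iptables rules for Colin's second step, one per direction, printed
# as commands so they can be reviewed before they are run.
secmark_rules() {
    printf 'iptables -t mangle -A INPUT  -i %s -j SECMARK --selctx %s\n' "$IFACE" "$CTX"
    printf 'iptables -t mangle -A OUTPUT -o %s -j SECMARK --selctx %s\n' "$IFACE" "$CTX"
}

# Compile, load and label. Once any SECMARK rule is loaded, every packet
# that carries no label is treated as unlabeled_t, so other networked
# domains on the host will need unlabeled_t:packet permissions as well.
apply() {
    policy_te > "${NAME}.te"
    checkmodule -M -m -o "${NAME}.mod" "${NAME}.te"
    semodule_package -o "${NAME}.pp" -m "${NAME}.mod"
    semodule -i "${NAME}.pp"
    secmark_rules | sh -e
}

# Default action is a dry run; pass "apply" to load policy and rules as
# root. Afterwards exercise the application and check the audit log for
# packet send/recv AVC denials to confirm the checks actually fire.
case "${1:-}" in
    apply) apply ;;
    *)     policy_te; secmark_rules ;;
esac
```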