On Wednesday, December 18, 2013 07:49:19 AM Andy Ruch wrote:
> Hello,
>
> I'm trying to restrict an application to only have access to some network
> interfaces. I'm running a custom policy on a RHEL 6.3 system. The
> application is opening the socket as AF_PACKET and SOCK_RAW. However,
> SELinux doesn't seem to be controlling any raw access to the interfaces.

SELinux does not provide any per-packet access controls for AF_PACKET sockets.

The basic problem is that AF_PACKET traffic is an opaque blob as far as the kernel is concerned. The application may carefully craft well-formed IP packets, but the kernel doesn't do any inspection/parsing of the data sent down via an AF_PACKET socket; it is just a blob to be passed off to the network device.

I suppose we could do something with the netif:egress access control for packet sockets, but that would require a new LSM hook and some SELinux glue, as AF_PACKET traffic isn't subject to the netfilter hooks SELinux currently uses (if I recall correctly).

--
paul moore
security and virtualization @ redhat

_______________________________________________
Selinux mailing list