> On Wednesday, December 18, 2013 1:21 PM, Paul Moore <pmoore@xxxxxxxxxx> wrote:
>
> > On Wednesday, December 18, 2013 07:49:19 AM Andy Ruch wrote:
> >
> > > Hello,
> > >
> > > I'm trying to restrict an application to only have access to some network
> > > interfaces. I'm running a custom policy on a RHEL 6.3 system. The
> > > application is opening the socket as AF_PACKET and SOCK_RAW. However,
> > > selinux doesn't seem to be controlling any raw access to the interfaces.
> >
> > SELinux does not provide any per-packet access controls for AF_PACKET sockets.
> > The basic problem is that AF_PACKET traffic is an opaque blob as far as the
> > kernel is concerned. The application may carefully craft well-formed IP
> > packets, but the kernel doesn't do any inspection/parsing of the data sent
> > down via an AF_PACKET socket; it is just a blob to be passed off to the network
> > device.
> >
> > I suppose we could do something with the netif:egress access control for
> > packet sockets, but that would require a new LSM hook and some SELinux glue as
> > AF_PACKET traffic isn't subject to the netfilter hooks SELinux currently uses
> > (if I recall correctly).
> >
> > --
> > paul moore
> > security and virtualization @ redhat

I'm not looking for any per-packet control. I was just hoping to restrict my application's use of the packet socket to a single interface, i.e. prevent access to an out-of-band management network. The netif ingress/egress permissions are what I would have expected, but I say that without knowing anything about how those are implemented.