On Wednesday, December 18, 2013 12:37:30 PM Andy Ruch wrote:
>
> On Wednesday, December 18, 2013 1:21 PM, Paul Moore <pmoore@xxxxxxxxxx> wrote:
>
> > On Wednesday, December 18, 2013 07:49:19 AM Andy Ruch wrote:
> >> Hello,
> >>
> >> I'm trying to restrict an application to only have access to some
> >> network interfaces. I'm running a custom policy on a RHEL 6.3 system.
> >> The application is opening the socket as AF_PACKET and SOCK_RAW.
> >> However, selinux doesn't seem to be controlling any raw access to the
> >> interfaces.
> >
> > SELinux does not provide any per-packet access controls for AF_PACKET
> > sockets. The basic problem is that AF_PACKET traffic is an opaque blob
> > as far as the kernel is concerned. The application may carefully craft
> > well-formed IP packets, but the kernel doesn't do any inspection/parsing
> > of the data sent down via an AF_PACKET socket; it is just a blob to be
> > passed off to the network device.
> >
> > I suppose we could do something with the netif:egress access control for
> > packet sockets, but that would require a new LSM hook and some SELinux
> > glue, as AF_PACKET traffic isn't subject to the netfilter hooks SELinux
> > currently uses (if I recall correctly).
>
> I'm not looking for any per-packet control. I was just hoping to restrict my
> application's use of the packet socket to a single interface, i.e. prevent
> access to an out-of-band management network. The netif ingress/egress
> permissions are what I would have expected, but I say that without knowing
> anything about how those are implemented.

Unfortunately, it is per-packet access control, and currently we only provide
per-packet access control for IP-based sockets.

-- 
paul moore
security and virtualization @ redhat

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.