Hi,

In this mail I'll describe the steps with which I resolved my problem with Network Interface Labeling.

- Problem: We need to block a specific domain (application, users or other) from using a specific network interface.

- Question: How can I do it? With NetLabel? SECMARK? Do I need to develop a new policy? Is there a refpolicy module to use as a template? Is it not possible?

After some reading on many blogs/books/SELinux sites, I merged this information and found a solution to my problem.

- Environment example: we have an environment with two network interfaces, the first for the public network, the second for the internal network. We don't want a user called "myuser" (sysadm_r), after logging in from the public interface, to be able to jump through the internal network interface.

- Solution step-by-step:

1. We need to create two new types, the first for the internal interface, and another for the packets of the internal interface. My policy is this:

    policy_module(telecom,1.0)

    # I declare my types
    type telecom_netif_mgmt_t;          # type for the internal network interface
    type telecom_netif_mgmt_packet_t;   # type for packets of the internal network interface

2. After compiling and installing this policy, you have two new types that you can check with:

    seinfo -t | grep <yourtype>

3. Install this package (for RedHat/CentOS/Fedora):

    yum -y install netlabel_tools   # needed to manage Network Labeling

4. Now you need to label your internal network interface with the semanage command:

    semanage interface -a -t telecom_netif_mgmt_t eth0   # with this we label the interface
    semanage interface -l                                 # with this we check it

   We should see something like this:

5. Now it's time to link this with Network Labeling through the netlabelctl command:

    # all unlabeled packets flowing on eth0 get labeled with telecom_netif_mgmt_packet_t
    netlabelctl unlbl add interface:eth0 address:10.23.130.131 label:system_u:object_r:telecom_netif_mgmt_packet_t:s0

   N.B.: address:10.23.130.131 must be the static IP address of the internal network interface.

    netlabelctl unlbl list   # to check

   You should see this output:

    accept:on interface:eth0,address:10.23.130.131/32,label:"system_u:object_r:telecom_netif_mgmt_packet_t:s0"

6. Now we must allow the domains that we need to be able to use this interface, like unconfined_t (default root user). We need to modify our simple policy above with this delta:

    policy_module(telecom,1.0)

    # unconfined_t and unlabeled_t are declared in other modules, so the module
    # must require them before it can reference them in allow rules
    gen_require(`
        type unconfined_t;
        type unlabeled_t;
    ')

    # I declare my types
    type telecom_netif_mgmt_t;          # type for the internal network interface
    type telecom_netif_mgmt_packet_t;   # type for packets of the internal network interface

    # This allows unconfined_t (root user for example) to use the internal network
    # interface (egress, so the OUT traffic); for convenience I allow all permissions
    allow unconfined_t telecom_netif_mgmt_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress };

    # This allows unlabeled_t (all responses from/to) to pass through the internal
    # network interface (ingress, so the IN traffic); for convenience I allow all permissions
    allow unlabeled_t telecom_netif_mgmt_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress };

7. So now unconfined_t is allowed, but myuser_t (our myuser user) is not allowed, so we only need to try and see what happens:

   While I launch a ping through myuser (root restricted shell):

   We also see in audit.log:

   We can see that our specific domain (telecom_sysadm_t) can't use and jump into the internal network interface (eth0).

Problem SOLVED! I hope this mini guide can help someone. If anyone has any improvements to give me, I'm here, ready to improve. Sorry in advance if this guide is not written in optimal English.
Thanks,
Maurizio Pagani (LordFire in #SELinux)

-----Original message-----
On Fri, Jun 12, 2015 at 4:34 PM, Maurizio Pagani <pag.maurizio@xxxxxxxxx> wrote:
> Sure!!! That helps!! However I already solved my problem, but I thought
> "maybe I should write a small guide/solution to the list to share my problem."
>
> Right?

I'm glad to hear that you've resolved your problem, and I think a short description of your problem as well as how you solved it would be very welcome on the list.

--
paul moore
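Step 7 of the guide checks audit.log by eye for the denial. The following is an added example, not code from Maurizio's mail: a small Python filter that picks the netif-class AVC denials out of audit.log lines and summarises which source domain was denied which permissions on interfaces labeled with the guide's telecom_netif_mgmt_t type. The audit lines, pids, addresses and comm values in SAMPLE_AUDIT are constructed for the example; the type names are the ones from the mail.

```python
import re
from collections import defaultdict

# Shape of an AVC denial record (the key=value pairs after "for" vary by class):
#   avc:  denied  { egress } for  pid=... comm="ping" netif=eth0 scontext=... tcontext=... tclass=netif
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_netif_avc(line):
    """Return the fields of a netif-class AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if fields.get('tclass') != 'netif':
        return None
    fields['perms'] = set(m.group('perms').split())
    # a context is user:role:type:level, so index 2 is the type
    fields['sdomain'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def netif_denials(lines, netif_type):
    """Map (source domain, interface) -> sorted perms denied on interfaces labeled netif_type."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_netif_avc(line)
        if rec and rec['ttype'] == netif_type:
            summary[(rec['sdomain'], rec.get('netif', '?'))] |= rec['perms']
    return {key: sorted(perms) for key, perms in summary.items()}


# Constructed sample audit.log lines (not taken from the mail).
SAMPLE_AUDIT = [
    # the ping from the restricted user's domain hitting the internal interface
    'type=AVC msg=audit(1434110000.101:201): avc:  denied  { egress } for  pid=2231 comm="ping" '
    'saddr=10.23.130.131 daddr=10.23.130.1 netif=eth0 scontext=myuser_u:sysadm_r:telecom_sysadm_t:s0 '
    'tcontext=system_u:object_r:telecom_netif_mgmt_t:s0 tclass=netif permissive=0',
    # what the unlabeled_t ingress rule of step 6 prevents: a reply packet dropped on the way in
    'type=AVC msg=audit(1434110000.102:202): avc:  denied  { ingress } for  pid=0 comm="swapper/0" '
    'saddr=10.23.130.1 daddr=10.23.130.131 netif=eth0 scontext=system_u:object_r:unlabeled_t:s0 '
    'tcontext=system_u:object_r:telecom_netif_mgmt_t:s0 tclass=netif permissive=0',
    # unrelated file denial that the filter must ignore
    'type=AVC msg=audit(1434110000.103:203): avc:  denied  { read } for  pid=2240 comm="cat" name="shadow" '
    'scontext=myuser_u:sysadm_r:telecom_sysadm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
]

if __name__ == '__main__':
    for (domain, netif), perms in netif_denials(SAMPLE_AUDIT, 'telecom_netif_mgmt_t').items():
        print(f'{domain} denied {" ".join(perms)} on {netif}')
```

On a real host, feed it the lines of /var/log/audit/audit.log instead of SAMPLE_AUDIT; a domain that is meant to reach the internal interface but shows up here is missing an allow rule like the ones in step 6.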
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.