Thanks Stephen, that's really interesting. I can solve my problem another way using a userspace process, it will just be a bit less convenient than using mount. I have a security need to prevent a compromised network process from accessing other network interfaces. Is this scenario also true for other types of file shares that could be mounted, e.g. NFS, FTP (via curlftpfs)? > -----Original Message----- > From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] > Sent: 11 August 2016 16:52 > To: Colin Powers <Colin.Powers@xxxxxxxxx>; SELinux@xxxxxxxxxxxxx; Paul > Moore <paul@xxxxxxxxxxxxxx> > Subject: Re: Restricting network communications of mounted filesystems > > On 08/11/2016 10:31 AM, Colin Powers wrote: > > Hi folks, > > > > I have a question about the way network communications of mounted > filesystems works with SELinux. I wonder if anyone could provide some > insight or a link to somewhere with more information. > > > > So let's say I have a RHEL6 machine with two network interfaces and I want > to be very selective about which process can access which network interface. > > > > I can use iptables SECMARK to label all traffic on eth0 as my_eth0_packet_t > and all traffic on eth1 as my_eth1_packet_t, then grant send/recv > permissions appropriately. > > > > But let's say I want to be able to mount CIFS shares only using eth0. Does > iptables SECMARK work in this scenario? > > If so, what process is actually doing the network communications - what > SELinux type do I need to grant permission to send/recv my_eth0_packet_t? > > If not - how does the network comms work in this scenario and what are > the options to achieve my goal of limiting traffic to eth0? > > Disclaimer: I don't really know how CIFS works, so take this with a > grain of salt. > > Looking at the kernel code, fs/cifs/connect.c calls __sock_create(), > passing 1 for the last argument (kern), so its socket is created as a > kernel-internal socket rather than a user socket. The socket is > therefore labeled with the kernel SID/context rather than any particular > userspace process context, and can be reused for multiple processes. > > The socket layer access control checks are completely skipped on such > sockets (sock_has_perm handles this case specially). The packet layer > access control checks are still applied, but they will always be between > the kernel context and the packet context. > > So I don't think you can enforce this restriction for CIFS traffic on a > per-process basis currently. > _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
