Better management of dynamic networks?
- To: SElinux list <selinux@xxxxxxxxxxxxxxx>
- Subject: Better management of dynamic networks?
- From: Topi Miettinen <toiwoton@xxxxxxxxx>
- Date: Sat, 6 Jun 2020 15:27:12 +0300
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.1
Hi,
I have a SELinux setup for networks, where packets, nodes, interfaces
and peers are labeled and subject to TE rules. In general the system
works very well and I'm thankful to be able to control network access
for each individual application in great detail.
I'm still learning SELinux, so maybe I have missed something, but it
seems to me that these systems have been designed with rather static
network configuration in mind. For example, I have classified IPv4 and
most of IPv6 addresses to loopback, localnet (e.g. 10.0.0.0/8),
multicast and "internet" node types. This can be used with a fixed set
of TE rules. But when using a laptop, actually the rules for local
network should depend on whether I'm at home, at a friend's place or
some random public network and then there are VPNs.
The interfaces and peers are labeled with netlabelctl, but the
interfaces change when kernel modules are loaded and removed for
interfaces and it's also possible to plug in a USB network adapter any
time. With Netlabel it's possible to label peers without modifying the
policy (for example during boot), but `semanage node` and `semanage
interface` require writable policy. Netlabelctl can't label an interface
if the interface does not exist yet, but I've opened a PR for a possible
workaround.
The tools don't support, for example, pattern matching for interfaces. It
would be nice to assign SELinux labels based on various properties of
the interface and network, for example with udevd, systemd-networkd or
NetworkManager, without requiring policy rebuild.
A minor issue is that reference policy also has rules which allow
network access when using the default initial types (netif_t, node_t).
It could be preferable that new network interfaces would not get labels
which allow access. In my case I've tried to make sure that the initial
types are never used. Perhaps the related rules could simply be made
optional.
I suppose using CIPSO/CALIPSO/Labeled IPsec can solve some of these
issues when you can positively identify the other parties in a network,
but they are not fit for general Internet access or when the network is
friendly but not under your control.
So, what could be done to lift these restrictions (if they really exist
and I haven't missed something obvious)?
-Topi
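As an added example (not part of Topi's post, and not code from the SELinux or NetLabel projects): a hypothetical NetworkManager dispatcher script that does what the post asks for on the unlabeled-peer side. When a connection comes up, it labels the local subnet on that interface with netlabelctl, choosing the peer label from the connection name rather than from a rebuilt policy; when the connection goes down, it removes the mapping again. Because NetworkManager only runs dispatcher scripts once the interface exists, the "netlabelctl can't label an interface that does not exist yet" problem does not arise here. Assumptions: NetworkManager's dispatcher calling convention (`$1` = interface, `$2` = action, `CONNECTION_ID` and `IP4_ADDRESS_0` in the environment), the `netlabelctl unlbl add|del interface:… address:… label:…` syntax, and a placeholder type `trusted_peer_t` that would have to exist in the local policy; the connection names are constructed sample data. Note that this only maps unlabeled peers; it does not replace `semanage node` or `semanage interface` for node and netif objects.

```shell
#!/bin/sh
# Hypothetical NetworkManager dispatcher script (example only).
# Install as e.g. /etc/NetworkManager/dispatcher.d/50-netlabel (path is an assumption).
# Assumed NM convention: $1 = interface, $2 = action (up/down),
# CONNECTION_ID and IP4_ADDRESS_0 ("address/prefix gateway") exported to the script.

STATE_DIR="${STATE_DIR:-/run/nm-netlabel}"   # where we remember the subnet per interface

# Map a connection name to the peer label its subnet should receive.
# Constructed sample data: the connection names and trusted_peer_t are placeholders;
# netlabel_peer_t is refpolicy's default type for unlabeled peers.
peer_label_for() {
    case "$1" in
        home-wifi|office-lan) echo "system_u:object_r:trusted_peer_t:s0" ;;
        *)                    echo "system_u:object_r:netlabel_peer_t:s0" ;;
    esac
}

# Turn "a.b.c.d/p" (a host address with prefix) into its network address "x.y.z.w/p",
# using only POSIX parameter expansion and shell arithmetic.
cidr_network() {
    addr=${1%/*}; prefix=${1#*/}
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    ip=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%s\n' "$(( (net >> 24) & 255 ))" "$(( (net >> 16) & 255 ))" \
        "$(( (net >> 8) & 255 ))" "$(( net & 255 ))" "$prefix"
}

# Build (but do not run) the netlabelctl command for one interface/subnet pair.
# $1 = add|del, $2 = interface, $3 = subnet CIDR, $4 = label (add only)
netlabel_cmd() {
    if [ "$1" = add ]; then
        echo "netlabelctl unlbl add interface:$2 address:$3 label:$4"
    else
        echo "netlabelctl unlbl del interface:$2 address:$3"
    fi
}

# Dispatcher logic: print the command to run for this (interface, action).
# On "up" the local subnet is derived from IP4_ADDRESS_0 and remembered in STATE_DIR
# so that "down" can remove exactly the mapping that was added.
dispatch() {
    iface=$1; action=$2
    mkdir -p "$STATE_DIR"
    case "$action" in
        up)
            [ -n "${IP4_ADDRESS_0:-}" ] || return 0
            subnet=$(cidr_network "${IP4_ADDRESS_0%% *}")   # drop the gateway part
            printf '%s\n' "$subnet" > "$STATE_DIR/$iface"
            netlabel_cmd add "$iface" "$subnet" "$(peer_label_for "${CONNECTION_ID:-}")"
            ;;
        down)
            [ -r "$STATE_DIR/$iface" ] || return 0
            subnet=$(cat "$STATE_DIR/$iface"); rm -f "$STATE_DIR/$iface"
            netlabel_cmd del "$iface" "$subnet"
            ;;
    esac
}

# Only act when NetworkManager invokes us with (interface, action).
# DRY_RUN=1 prints the command instead of executing it.
if [ $# -ge 2 ]; then
    cmd=$(dispatch "$1" "$2")
    if [ -n "$cmd" ]; then
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    fi
fi
```

With `DRY_RUN=1 CONNECTION_ID=home-wifi IP4_ADDRESS_0="192.168.1.42/24 192.168.1.1" sh 50-netlabel wlan0 up` the script prints the `netlabelctl unlbl add` line for 192.168.1.0/24 without touching the kernel; unknown connection names fall back to the refpolicy default `netlabel_peer_t`, so an untrusted network never receives the trusted label by accident. The state file is what makes the "down" path correct when the address information is no longer available.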