On Sat, Jun 6, 2020 at 8:27 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> Hi,
>
> I have a SELinux setup for networks, where packets, nodes, interfaces
> and peers are labeled and subject to TE rules. In general the system
> works very well and I'm thankful to be able to control network access
> for each individual application in great detail.
>
> I'm still learning SELinux, so maybe I have missed something, but it
> seems to me that these systems have been designed with rather static
> network configuration in mind ...

Yes, historically the SELinux users who cared about labeled networking
have typically had a stable network configuration. Or at the very least
they haven't discussed problems with a dynamic network configuration.

> The interfaces and peers are labeled with netlabelctl, but the
> interfaces change when kernel modules are loaded and removed for
> interfaces and it's also possible to plug in a USB network adapter any
> time. With Netlabel it's possible to label peers without modifying the
> policy (for example during boot), but `semanage node` and `semanage
> interface` require writable policy. Netlabelctl can't label an interface
> if the interface does not exist yet, but I've opened a PR for a possible
> workaround.
>
> The tools don't support for example pattern matching for interfaces. It
> would be nice to assign SELinux labels based on various properties of
> the interface and network, for example with udevd, systemd-networkd or
> NetworkManager, without requiring policy rebuild.

I can't say I'm an expert on all the various userspace device managers,
network or otherwise, but so long as they can execute an arbitrary
command then one should be able to use them to label the device when it
is added to the system. Although perhaps we could make this easier with
docs and/or tools.

I would be curious to hear what the SELinux userspace folks think about
this.

-- 
paul moore
www.paul-moore.com
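The "have the device manager run a command when the interface appears" approach suggested above, written out as an added example that is not part of this thread and not netlabel_tools' or udev's own code. It assumes a udev rule that hands the interface name to a script, and it assumes the interface-name patterns and the `*_peer_t` types, which are placeholders that must be replaced with whatever the local policy defines; the `netlabelctl unlbl add/del interface:... address:... label:...` forms and `/sys/class/net` are real. The script only labels an interface that actually exists, which is the failure the original poster ran into, and removes the mapping on the matching "remove" event so it does not outlive a hot-plugged adapter.

```shell
#!/bin/sh
# Added example: label the peers behind a hot-plugged interface with
# netlabelctl from a udev hook, instead of rebuilding policy with
# `semanage interface`. Rule file, script path, name patterns and the
# *_peer_t types below are assumptions for illustration only.
#
# Constructed udev rule, e.g. /etc/udev/rules.d/90-netlabel-iface.rules:
#   ACTION=="add",    SUBSYSTEM=="net", RUN+="/usr/local/sbin/netlabel-iface.sh $env{INTERFACE} add"
#   ACTION=="remove", SUBSYSTEM=="net", RUN+="/usr/local/sbin/netlabel-iface.sh $env{INTERFACE} remove"

# Pick the unlabeled-peer label from properties of the interface name.
# The catch-all branch uses the stock netlabel_peer_t; the other types are
# hypothetical and stand in for whatever the local policy provides.
peer_label_for() {
    case "$1" in
        usb*|enx*) echo "system_u:object_r:untrusted_peer_t:s0" ;;
        wl*)       echo "system_u:object_r:wireless_peer_t:s0" ;;
        lo)        echo "" ;;   # never relabel loopback
        *)         echo "system_u:object_r:netlabel_peer_t:s0" ;;
    esac
}

# Build the netlabelctl command for an interface without running it, so the
# mapping can be inspected without root or a live NetLabel stack.
# "add" installs a per-interface unlabeled mapping for all IPv4 peers;
# "remove" deletes that mapping again.
netlabel_cmd_for() {
    iface="$1"; action="${2:-add}"
    label="$(peer_label_for "$iface")"
    [ -n "$label" ] || return 1
    case "$action" in
        add)    echo "netlabelctl unlbl add interface:$iface address:0.0.0.0/0 label:$label" ;;
        remove) echo "netlabelctl unlbl del interface:$iface address:0.0.0.0/0" ;;
        *)      return 2 ;;
    esac
}

# Apply the mapping, but only when the interface really exists: netlabelctl
# refuses to label an interface that is not there yet, so a hotplug hook
# has to check before acting.
apply_netlabel() {
    iface="$1"; action="${2:-add}"
    if [ "$action" = add ] && [ ! -e "/sys/class/net/$iface" ]; then
        echo "netlabel-iface: $iface not present, skipping" >&2
        return 1
    fi
    cmd="$(netlabel_cmd_for "$iface" "$action")" || return 1
    echo "netlabel-iface: $cmd" >&2
    # Run it for real only when NETLABEL_APPLY=1 is set (e.g. in the udev
    # rule's environment); otherwise this is a dry run that just logs.
    [ "${NETLABEL_APPLY:-0}" = 1 ] && $cmd
    return 0
}

# Entry point when invoked by udev: $1 = interface, $2 = add|remove.
if [ -n "${1:-}" ]; then
    apply_netlabel "$1" "${2:-add}"
fi
```

The unlabeled-peer mapping only takes effect once `netlabelctl unlbl accept on` has been set, and a label chosen this way still has to be one the loaded policy knows about, so a dry run (no `NETLABEL_APPLY`) against each expected interface name is worth doing before enabling the rule.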