On 01/14/2010 03:08 PM, Jason Shaw wrote:
I need help understanding if SELinux supports restricting a confined application from binding to specific network interfaces. I cannot seem to make this work under F11 and F12 (using targeted, mls, and reference policies), or under RHEL 5.3U3 targeted.
Details:
- I have a system with two network interfaces: eth0 and eth1.
- I have an application that must only be allowed to read data from eth0
(raw and tcp).
- I do not need to label packets.
Here's what I have tried
- In a new policy module, I create new types: myApp_exec_t, myApp_t,
myApp_eth0_t, myApp_eth1_t. 2) I use semanage -fcontext to label my application's executable file as myApp_exec_t 3) I assign eth0 with a new type: 'semanage interface -a -t myApp_eth0_t eth0' 4) I assign eth1 with a new type: 'semanage interface -a -t myApp_eth1_t eth1' 5) In my policy module, I allow the following: "allow myApp_t self:capability net raw", and "allow myApp_t self:tcp_socket { accept read }" 6) I verify that when I execute my application, using ps -efZ it is running in the myApp_t domain (has transitioned properly from unconfined_t)
The problem is, my app can read raw or tcp data from either eth0 or eth1 even though both interfaces have been assigned different types using semanage -interface.
Is this because 'allow myApp_t self:capability net_raw' does not distinguish between network interfaces? Is my understanding of semanage -interface incorrect - shouldn't labeling the interface result in no ability to use the interface unless explicitly allowed?
This is how you can , i think, declare a netif type:
[dgrift@localhost Desktop]$ cat mynetif.te policy_module(mynetif, 1.0.0)
require { attribute netif_type; } type netif_test_t, netif_type;
You will need to label the netif manually though. unless you add it to corenetwork.te.in , with a context specification
[dgrift@localhost Desktop]$ sudo semanage interface -a -t netif_test_t -r s0-s0:c0.c1023 eth0 [dgrift@localhost Desktop]$ sudo semanage interface -l SELinux Interface Context
eth0 system_u:object_r:netif_test_t:s0-s0:c0.c1023
I assume this should also work for raw as there are interfaces suggesting it:
# Summary: Receive raw IP packets on generic interfaces. # Parameter domain #The type of the process performing this action. interface(`corenet_raw_receive_generic_if',` gen_require(` type netif_t; ')
allow $1 netif_t:netif { rawip_recv ingress }; ')
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux