On Thu, 2010-01-14 at 07:08 -0700, Jason Shaw wrote:
I need help understanding if SELinux supports restricting a confined application from binding to specific network interfaces. I cannot seem to make this work under F11 and F12 (using targeted, mls, and reference policies), or under RHEL 5.3U3 targeted.
Details:
- I have a system with two network interfaces: eth0 and eth1.
- I have an application that must only be allowed to read data from
eth0 (raw and tcp).
- I do not need to label packets.
Here's what I have tried
- In a new policy module, I create new types: myApp_exec_t, myApp_t,
myApp_eth0_t, myApp_eth1_t. 2) I use semanage -fcontext to label my application's executable file as myApp_exec_t 3) I assign eth0 with a new type: 'semanage interface -a -t myApp_eth0_t eth0' 4) I assign eth1 with a new type: 'semanage interface -a -t myApp_eth1_t eth1' 5) In my policy module, I allow the following: "allow myApp_t self:capability net raw", and "allow myApp_t self:tcp_socket { accept read }" 6) I verify that when I execute my application, using ps -efZ it is running in the myApp_t domain (has transitioned properly from unconfined_t)
The problem is, my app can read raw or tcp data from either eth0 or eth1 even though both interfaces have been assigned different types using semanage -interface.
Is this because 'allow myApp_t self:capability net_raw' does not distinguish between network interfaces? Is my understanding of semanage -interface incorrect - shouldn't labeling the interface result in no ability to use the interface unless explicitly allowed?
The legacy network permission checks were removed in Linux 2.6.30, and even prior to that they had been disabled for a long time by default unless you set /selinux/compat_net to 1. These days you need to use secmark or the newer ingress/egress permission checks to achieve the same effect. Using secmark requires you to configure iptables SECMARK targets to label the packets. Using ingress/egress requires you to configure labeled networking (netlabel or labeled ipsec) and make sure that /selinux/policy_capabilities/network_peer_controls exists and is set to 1 (requires Linux >= 2.6.25 and a policy built with that capability). See: http://paulmoore.livejournal.com/4281.html http://paulmoore.livejournal.com/2128.html