Label eth0 with a MCS security category?

James Morris jmorris at namei.org
Mon Aug 24 01:51:26 UTC 2009


On Fri, 21 Aug 2009, Jason Shaw wrote:

> In FC-11, under the targeted policy, is it possible to label an ethernet
> interface (such as eth0, eth1) with a specific MCS category?
> 
> Example:
> 1) Use semanage to assign user1 to s0:c5
> 3) Assign eth0 to s0:c4 (Can this be done?)
> 4) Assign eth1 to s0:c5
> 
> Desired result: if user1 tries to ping -I eth1 <ip_address> the ping command
> will work (as both eth1 and user1 have category c5). If user1 tries to ping
> -I eth0 <ip_address>, the ping command will not work (category mismatch
> between user and eth1).

It should be possible to do this via iptables and SECMARK.

i.e. match all packets on ethN and label with the MCS category then use 
the SELinux packet flow policy rules.

I haven't looked at this stuff for a while, so cc'ing Paul Moore, who 
maintains the code.

-- 
James Morris
<jmorris at namei.org>
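The interface-labelling approach James outlines, written out as an added example (this is not code from the thread or from Fedora's policy). It assumes a packet type named eth_packet_t exists in the loaded policy and that the policy constrains packet { send recv } on MCS categories; both are assumptions. Interfaces that get no SECMARK rule keep the unlabeled_t packet label, which the targeted policy generally permits, so every interface you want fenced off needs a rule.

```shell
#!/bin/sh
# Added illustration of iptables SECMARK labelling per interface.
# Assumptions (hypothetical, not from the thread): the policy defines a packet
# type eth_packet_t that carries MCS categories, and MCS constraints on
# packet { send recv } reject a domain whose categories do not cover the
# packet's. Interface/category pairs are written as "IFACE:CATEGORY".

PACKET_TYPE="eth_packet_t"   # assumed packet type; must exist in policy

# label_context CATEGORY -> full security context handed to SECMARK
label_context() {
    printf 'system_u:object_r:%s:s0:%s\n' "$PACKET_TYPE" "$1"
}

# secmark_rules IFACE CATEGORY -> iptables commands labelling every packet
# that enters or leaves IFACE, so SELinux packet checks see the interface's
# category instead of unlabeled_t
secmark_rules() {
    iface="$1"
    ctx=$(label_context "$2")
    printf 'iptables -t mangle -A INPUT -i %s -j SECMARK --selctx %s\n' "$iface" "$ctx"
    printf 'iptables -t mangle -A OUTPUT -o %s -j SECMARK --selctx %s\n' "$iface" "$ctx"
}

# policy_rules DOMAIN -> the TE allow rule a domain needs to use the labelled
# packets at all; the category check itself comes from the MCS constraints
policy_rules() {
    printf 'allow %s %s:packet { send recv };\n' "$1" "$PACKET_TYPE"
}

# plan "eth0:c4 eth1:c5" -> print every iptables rule without applying it
plan() {
    for pair in $1; do
        secmark_rules "${pair%%:*}" "${pair#*:}"
    done
}

# apply "eth0:c4 eth1:c5" -> run the rules; needs root and a kernel with the
# SECMARK target available
apply() {
    plan "$1" | while read -r cmd; do
        sh -c "$cmd"
    done
}

case "${1:-}" in
    plan)  plan "$2" ;;     # e.g. ./secmark.sh plan "eth0:c4 eth1:c5"
    apply) apply "$2" ;;
esac
```

Running `plan` first and reading the output is the safe way to check the interface-to-category mapping before touching the mangle table; the allow rule from `policy_rules` goes into a local policy module for each confined domain that should be able to use the interfaces at all.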