<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12"> <TITLE>RE: how to restrict a SOCK_RAW by interface</TITLE> </HEAD> <BODY>  Hello, Thanks for the hint, However it does not solve my problem I still can read from eth0. I did have to add allow rules for netif_t:netif but my policy still does not allow iface_test_t. James -----Original Message----- From: Stephen Smalley [<A HREF="mailto:sds@tycho.nsa.gov">mailto:sds@tycho.nsa.gov</A>] Sent: Mon 12/14/2009 1:49 PM To: Cernak, James E (IS) Cc: fedora-selinux-list@redhat.com Subject: Re: how to restrict a SOCK_RAW by interface On Mon, 2009-12-14 at 13:29 -0600, Cernak, James E (IS) wrote: > Hello, > > I am trying to restrict an application to using only some interfaces > on the system. I have defined a new type and assigned the interface on > my RHEL5.4-x64 system to the new type with semanage. The system > indicates that the interface is now configured. > # semanage interface -l > SELinux Interface Context > > eth1 system_u:object_r:iface_test_t:s0 > This does restrict applications like tcpdump or wireshark from listing > the interface that was configured. > # tcpdump -D > 1.peth0 > 2.virbr0 > 3.vif0.0 > 4.eth0 > 5.xenbr0 > 6.eth2 > 7.eth3 > 8.any (Pseudo-device that captures on all interfaces) > 9.lo > > My problem comes that my application can still open eth1 and read and > write packets to this interface. > The application is opening a socket as SOCK_RAW then binding with a > struct sockaddr_LL that has the ssll_ifindex field configured with the > index of ETH1. > How do I write a selinux policy to restrict this application from > using some interfaces. > In RHEL5 (Linux 2.6.18), you might need to enable compat_net (echo 1 > /selinux/compat_net or boot with selinux_compat_net=1 on the kernel command line). -- Stephen Smalley National Security Agency </BODY> </HTML>