Limiting IPC with SELinux?

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 15 12:25:27 UTC 2005


On Thu, 2005-04-14 at 17:31 -0400, Stephen Smalley wrote:
> You can control network communication (loopback or otherwise) via the
> permission checks between the sending socket security context and the
> security contexts of the network interface, the destination host, and
> the destination port.  These are the netif and node tcp_send permissions
> and the tcp_socket send_msg permission.  Sockets are labeled in
> accordance with the creating process, so you just need to define a
> domain for eclipse.

BTW, these outbound network permission checks are described in
http://www.nsa.gov/selinux/papers/module/x2324.html

And going back to your original question, for INET communication, you
can't truly do process-to-process permission checks (or even socket-to-
peersocket permission checks) because we don't presently have labeled
networking support (i.e. labeled network buffers and packets).  There
was experimental support for such labeled networking in the older
SELinux (courtesy of James Morris), but the necessary hooks and security
fields to support it were not accepted into Linux 2.6.  Trent Jaeger of
IBM has more recently implemented implicit packet labeling via IPSEC
security associations for SELinux, but I don't think you need that for
what you describe; the existing permission checks based on network
interface, host, and port should be sufficient.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
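
The three outbound checks described in the message above, as an added example (not part of the original post and not SELinux code): a simplified Python model that evaluates type-enforcement allow rules only and reports which check would deny a TCP send. The policy text and every type name in it (eclipse_t, netif_lo_t, node_lo_t, cvs_port_t and the rest) are constructed for illustration.

```python
import re

# Constructed sample policy; all type names here are hypothetical.
POLICY = """
allow eclipse_t netif_lo_t:netif { tcp_send tcp_recv };
allow eclipse_t node_lo_t:node { tcp_send tcp_recv };
allow eclipse_t cvs_port_t:tcp_socket { send_msg recv_msg };
"""

# Matches 'allow source target:class { perms };' or a single bare permission.
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def load_rules(text):
    """Parse simple allow rules into {(source, target, class): {perms}}."""
    rules = {}
    for src, tgt, cls, many, one in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update((many or one).split())
    return rules


def outbound_tcp_checks(rules, sock_type, netif_type, node_type, port_type):
    """Return the checks that fail for an outbound TCP send.

    sock_type is the socket's type, which follows the creating process's
    domain. An empty list means all three checks pass.
    """
    checks = [
        (netif_type, "netif", "tcp_send"),      # network interface
        (node_type, "node", "tcp_send"),        # destination host
        (port_type, "tcp_socket", "send_msg"),  # destination port
    ]
    return [(tgt, cls, perm) for tgt, cls, perm in checks
            if perm not in rules.get((sock_type, tgt, cls), set())]


if __name__ == "__main__":
    rules = load_rules(POLICY)
    # Loopback traffic to the one permitted port: no failed checks.
    print(outbound_tcp_checks(rules, "eclipse_t", "netif_lo_t",
                              "node_lo_t", "cvs_port_t"))
    # Same socket, different interface and host: netif and node checks fail.
    print(outbound_tcp_checks(rules, "eclipse_t", "netif_eth0_t",
                              "node_t", "cvs_port_t"))
```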




More information about the fedora-selinux-list mailing list