Limiting IPC with SELinux?
Thomas Bleher
bleher at informatik.uni-muenchen.de
Fri Apr 22 18:46:20 UTC 2005
* Steve Brueckner <steve at atc-nycorp.com> [2005-04-22 19:01]:
> I've been experimenting with the SELinux networking permissions, based on
> last week's emails on this topic. I've run into a problem:
>
> Stephen Smalley wrote:
> > Well, SELinux does allow you to limit what processes can bind to what
> > ports, so if the port falls within a well-defined range and you can
> > exclude others from that port range without breaking functionality,
> > you can indirectly achieve the process-to-process relationship in
> > that manner. If not, then I guess you need labeled networking.
> >
> >> On Fri, 2005-04-15 at 13:47 -0400, Steve Brueckner wrote:
> >> For my application, I can't deny any process the right to bind to
> >> whatever port it wants.
> >
> > This seems to be the key limitation. The question is why?
>
> My application is trying to segregate the machine into two protection
> domains, and I don't have control over the programs that may run in either
> domain. I need to allow processes to communicate via loopback networking
> intra-domain but not inter-domain.
[ lots of good observations snipped ]
I had an idea a while ago which may help you. I wanted to implement it
myself but don't have time to do any kernel-hacking currently, so if you
want to try it, feel free.
My idea was to build an iptables modules similar to the "Owner match"
module which matches locally generated packets against a specific domain.
That way you could probably achieve most of what you want.
One problem here is: how do we cleanly match on security context? All
the logic should be in the security server and controllable by policy.
The most sane way I came up with is this:
Declare a new class "iptables" (or "netfilter") with one permission
"match". Then put this into policy:
allow domain self:iptables match;
The usermode iptables code passes a complete security context into the
kernel which is converted into a sid internally. Now everytime the
iptables module is called on a packet it asks the avc if <sid of sending
packet>:<sid passed into kernel>:IPTABLES__MATCH is allowed in the
policy.
I do not know if this is the best approach but it does allow matching on
specific domains, on specific contexts (if the constraints are adjusted)
or on a group of domains (you could add a dummy type all_userdomains_t
and add "allow userdomain all_userdomains_t:iptables match;" or
something like that and then match on all_userdomains_t in the iptables
rule)
I think such a module would be very useful. For example, the admin may
want to specify that mozilla may only talk to the internal proxy server.
Of course, this depends on the fact that such a module is actually
doable and sane. I looked at the code but I am no kernel hacker so I
would appreciate any insight/ideas.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050422/c8edad8f/attachment.sig>
More information about the fedora-selinux-list
mailing list