default deny for unconfined_t using targeted?

Daniel J Walsh dwalsh at redhat.com
Tue Dec 13 03:39:17 UTC 2005


Steve Brueckner wrote:
> Stephen Smalley wrote:
>   
>> On Fri, 2005-11-18 at 15:17 +0000, Paul Howarth wrote:
>>     
>>> Won't that kill all network access, including via localhost, rather
>>> than just eth0 access?
>>>       
>> Well, yes, good point ;)
>>
>> Also looks like Dan reworked the old netifcon statements and netif
>> types as part of the network macro work. 
>>
>> Ok, so one approach might be to:
>> - Add a netifcon statement to policy/net_contexts (between the
>>   portcon entries and the nodecon entries) to distinguish eth0:
>> 	netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
>> - Add the type to policy/types/network.te (or anywhere in the policy):
>> 	type netif_eth0_t, netif_type;
>> - Change the allow rule in unconfined_domain from
>> 	allow $1 netif_type:netif *;
>> to:
>> 	allow $1 netif_t:netif *;
>> so that unconfined_t no longer gets access to all netif types, just
>> the default one (which covers loopback). 
>>
>> Looks like macros/network_macros.te already limits itself to
>> netif_t:netif, so it will also cease granting access to eth0 when you
>> make the above changes without needing to modify the macro itself.  
>>     
>
> Well, this seemed to be working, but then something strange happened.  I
> wanted ssh to work over eth0, so I added this to domains/program/ssh.te:
> 	auditallow sshd_t netif_type:netif *;
> 	allow sshd_t netif_type:netif *;
>
> This single change allowed ssh to use eth0, but apparently it also allows
> anything in unconfined_t to access eth0 also!  For example, when I run nmap
> 192.168.1.109 it is no longer blocked:
>
> type=AVC msg=audit(1134421016.167:1744): avc: granted { rawip_send } for
> pid=2854 comm="nmap" saddr=192.168.1.80 src=55724 daddr=192.168.1.209
> dest=1502 netif=eth0 scontext=root:system_r:unconfined_t
> tcontext=system_u:object_r:netif_eth0_t tclass=netif
>
> Am I missing something fundamental or is this a bug?  It seems to me that
> giving sshd_t access to eth0 shouldn't also cause everyone in unconfined_t
> to have access to eth0.
>
>   
sshd_t is an alias for unconfined_t in targeted policy.
> Thanks for your help so far,
>
> Stephen Brueckner, ATC-NY
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   

