Packets are unlabeled over a labeled network interface

Stephen Smalley sds at tycho.nsa.gov
Mon Jul 7 14:43:44 UTC 2008


On Mon, 2008-07-07 at 10:01 +0200, Christian Kuester wrote:
> Hi List,
> 
> I'm trying to use network interface labeling with Fedora 8. But it
> doesn't behave like I would assume, so it seems that I'm doing something
> wrong. Here's the way I did it:
> 
> I added a type blacknic_netifcon_t in a local module by
> type blacknic_netifcon_t;
> 
> and
> 
> # semanage interface -a -t blacknic_netifcon_t eth1
> 
> results of this command seem correct since:
> # seinfo --netif
> Netifcon: 2
>    netifcon eth1 system_u:object_r:blacknic_netifcon_t:s0 system_u:object_r:blacknic_netifcon_t:s0
>    netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c1023 system_u:object_r:unlabeled_t:s0 - s15:c0.c1023
> 
> But packets over this interface are still unlabeled:
> type=AVC msg=audit(1215170990.011:689777822): avc:  denied  { send } for pid=30988 comm="socat" saddr=192.168.100.54 src=3 daddr=78.xx.xx.xx dest=1024 netif=eth1 scontext=user_u:user_r:exe_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=packet

tclass=packet corresponds to secmark, which is independent of/orthogonal to
labeled networking.

Also, the default message/packet SID on a netif is not presently used
for anything.

-- 
Stephen Smalley
National Security Agency
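As an added triage example that is not part of this thread or of any SELinux tool: a small Python parser that splits an AVC line into its fields and maps the object class to the mechanism Stephen names (tclass=packet is SECMARK; netif, node and peer belong to the interface and labeled-networking checks), so a denial like the one quoted above is recognised as a packet with no SECMARK label rather than as a netifcon problem. The first embedded line is the AVC from the post; the second is a constructed netif denial used only to show the other branch.

```python
import re
from typing import Dict

# AVC line quoted in the post (the masked remote address is kept as-is).
SAMPLE_AVC = (
    'type=AVC msg=audit(1215170990.011:689777822): avc:  denied  { send } for '
    'pid=30988 comm="socat" saddr=192.168.100.54 src=3 daddr=78.xx.xx.xx '
    'dest=1024 netif=eth1 scontext=user_u:user_r:exe_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=packet'
)

# Constructed line (not from the post) showing an interface-class denial.
NETIF_AVC = (
    'type=AVC msg=audit(1215171000.000:1): avc:  denied  { egress } for '
    'saddr=192.168.100.54 netif=eth1 scontext=system_u:object_r:unlabeled_t:s0 '
    'tcontext=system_u:object_r:blacknic_netifcon_t:s0 tclass=netif'
)

# Object class -> which SELinux networking mechanism produced the check.
MECHANISM = {
    "packet": "secmark",             # labels set by iptables/nftables SECMARK rules
    "netif": "netif",                # interface ingress/egress checks (netifcon)
    "node": "node",                  # node sendto/recvfrom checks (nodecon)
    "peer": "labeled-networking",    # NetLabel / labeled IPsec peer labels
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')


def parse_avc(line: str) -> Dict[str, str]:
    """Return the key=value fields of an AVC line plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    fields["perms"] = m.group(1) if m else ""
    return fields


def classify(line: str) -> dict:
    """Map a denial to its mechanism and flag packets that carry no SECMARK label."""
    f = parse_avc(line)
    mech = MECHANISM.get(f.get("tclass", ""), "other")
    tcontext = f.get("tcontext", "")
    ttype = tcontext.split(":")[2] if tcontext.count(":") >= 3 else ""
    return {
        "mechanism": mech,
        "perms": f["perms"],
        "netif": f.get("netif", ""),
        "target_type": ttype,
        # packet + unlabeled_t: no SECMARK rule matched; netifcon alone does not label packets
        "needs_secmark_rule": mech == "secmark" and ttype == "unlabeled_t",
    }
```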