how to restrict a SOCK_RAW by interface

Cernak, James E (IS) James.Cernak at ngc.com
Thu Dec 17 13:56:11 UTC 2009 

Hello,

Sorry typo it was intended to be eth1.

I just checked again. Apol shows iface_test_t having 0 attributes and 0 rule match. 
   # getenforce 
   Enforcing
   # cat selinuc/compat_net  
   1
   # semanage interface -l
   SELinux Interface              Context
   eth1                           system_u:object_r:iface_test_t:s0
   # grep iface_test_t *.te
   type iface_test_t;

My app still can restart connect a socket to eth1 and read and write to eth1;

James


-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
Sent: Wed 12/16/2009 9:02 AM
To: Cernak, James E (IS)
Cc: fedora-selinux-list at redhat.com
Subject: RE: how to restrict a SOCK_RAW by interface
 
On Mon, 2009-12-14 at 16:56 -0600, Cernak, James E (IS) wrote:
> Hello,
> 
> Thanks for the hint, However it does not solve my problem I still can
> read from eth0.

eth0 or eth1?  Your example showed eth1 configured as iface_test_t.
> 
> I did have to add allow rules for netif_t:netif but my policy still
> does not allow iface_test_t.

Hmmm..are you sure?  Did you declare any type attributes for
iface_test_t?  Use sesearch or apol to confirm that there are no allow
rules to it in the final binary policy.

> 
> James
> 
> 
> -----Original Message-----
> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
> Sent: Mon 12/14/2009 1:49 PM
> To: Cernak, James E (IS)
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: how to restrict a SOCK_RAW by interface
> 
> On Mon, 2009-12-14 at 13:29 -0600, Cernak, James E (IS) wrote:
> > Hello,
> >
> > I am trying to restrict an application to using only some interfaces
> > on the system. I have defined a new type and assigned the interface
> on
> > my RHEL5.4-x64 system to the new type with semanage. The system
> > indicates that the interface is now configured.
> >      # semanage interface -l
> >      SELinux Interface              Context
> >
> >      eth1
> system_u:object_r:iface_test_t:s0
> > This does restrict applications like tcpdump or wireshark from
> listing
> > the interface that was configured.
> >      # tcpdump -D
> >      1.peth0
> >      2.virbr0
> >      3.vif0.0
> >      4.eth0
> >      5.xenbr0
> >      6.eth2
> >      7.eth3
> >      8.any (Pseudo-device that captures on all interfaces)
> >      9.lo
> >
> > My problem comes that my application can still open eth1 and read
> and
> > write packets to this interface.
> > The application is opening a socket as SOCK_RAW then binding with a
> > struct sockaddr_LL that has the ssll_ifindex field configured with
> the
> > index of ETH1.
> > How do I write a selinux policy to restrict this application from
> > using some interfaces.
> >
> 
> In RHEL5 (Linux 2.6.18), you might need to enable compat_net (echo 1
> > /selinux/compat_net or boot with selinux_compat_net=1 on the kernel
> command line).
> 
> --
> Stephen Smalley
> National Security Agency
> 
> 
> 
> 
-- 
Stephen Smalley
National Security Agency


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20091217/62f68abe/attachment.htm>

More information about the fedora-selinux-list mailing list