how to restrict a SOCK_RAW by interface
Cernak, James E (IS)
James.Cernak at ngc.com
Mon Dec 14 19:29:38 UTC 2009
Hello,
I am trying to restrict an application to using only some interfaces on the system. I have defined a new type and assigned the interface on my RHEL5.4-x64 system to the new type with semanage. The system indicates that the interface is now configured.
# semanage interface -l
SELinux Interface Context
eth1 system_u:object_r:iface_test_t:s0
This does restrict applications like tcpdump or wireshark from listing the interface that was configured.
# tcpdump -D
1.peth0
2.virbr0
3.vif0.0
4.eth0
5.xenbr0
6.eth2
7.eth3
8.any (Pseudo-device that captures on all interfaces)
9.lo
My problem is that my application can still open eth1 and read and write packets to this interface.
The application is opening a socket as SOCK_RAW then binding with a struct sockaddr_ll that has the sll_ifindex field configured with the index of eth1.
How do I write an SELinux policy to restrict this application from using some interfaces?
Thanks
James Cernak
<James.Cernak`at`ngc.com>
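Added example, not from the mail or its author: a small C probe that repeats James's socket()+bind() test on a named interface and reports only whether the kernel allowed it, so the effect of the iface_test_t label on a raw packet socket can be checked without sending or capturing any traffic. The "lo" default interface and the ETH_P_ALL protocol are assumptions; like tcpdump, it needs CAP_NET_RAW.

```c
#include <arpa/inet.h>          /* htons */
#include <errno.h>
#include <linux/if_ether.h>     /* ETH_P_ALL */
#include <linux/if_packet.h>    /* struct sockaddr_ll */
#include <net/if.h>             /* if_nametoindex */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build the address the author describes: AF_PACKET with sll_ifindex set
 * to the interface index (protocol ETH_P_ALL is an assumption, as tcpdump uses). */
void fill_sockaddr_ll(struct sockaddr_ll *sll, int ifindex)
{
    memset(sll, 0, sizeof *sll);
    sll->sll_family   = AF_PACKET;
    sll->sll_protocol = htons(ETH_P_ALL);
    sll->sll_ifindex  = ifindex;
}

/* Repeat the author's test without reading or writing any packet:
 * socket(AF_PACKET, SOCK_RAW) then bind() to one interface. Returns 0 if
 * the bind was allowed, else the errno of the failing call (EPERM/EACCES
 * means a capability or SELinux denial: compare against the AVC records
 * in /var/log/audit/audit.log; ENXIO/ENODEV means no such interface). */
int probe_raw_bind(const char *ifname)
{
    int ifindex = (int)if_nametoindex(ifname);
    if (ifindex == 0)
        return errno ? errno : ENODEV;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return errno;
    struct sockaddr_ll sll;
    fill_sockaddr_ll(&sll, ifindex);
    int saved = 0;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0)
        saved = errno;
    close(fd);
    return saved;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "lo";  /* assumed default */
    int err = probe_raw_bind(ifname);
    printf("%s: raw bind %s%s\n", ifname, err ? "refused: " : "allowed",
           err ? strerror(err) : "");
    return err != 0;
}
```

Run it in the confined application's domain (for example under runcon) against eth1 and check ausearch -m avc afterwards: an "allowed" result with no AVC record shows the interface label was never consulted for this socket type.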