using selinux to allow only certain hosts or networks

Stephen Smalley sds at tycho.nsa.gov
Thu Dec 11 19:53:50 UTC 2008


On Thu, 2008-12-11 at 14:44 -0500, Doug Sikora wrote:
> thanks Stephen, 
> 
> Is there another option for sending/receiving packets ?

Sending/receiving of packets is controlled by other permission checks.
There are the secmark-based checks (label packets via iptables, use
the :packet send/recv permissions to control), and there are the labeled
networking checks (configure netlabel or labeled ipsec and apply their
checks).

> In this situation, I would like both.
> 
> I did get this information from Forrest (Thanks again Forrest) concerning the base policy. Once I reviewed the source code it wasn't too bad to figure out. It makes a good reference. I am adding it to this thread.

If your version of semanage supports the node contexts, then you
shouldn't have to rebuild your base policy.

> #########BEGIN
> 
> To limit this, you have to recompile the base policy package and define
> a new node name.
> 
> For instance, the inaddr_any_node_t is defined:
> 
> type inaddr_any_node_t alias node_inaddr_any_t, node_type;
> nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t
> 
> 
> Similarly, you could do the same thing for a new type:
> 
> type blue_node_t, node_type;
> nodecon 10.0.5.1 255.255.255.255 system_u:object_r:blue_node_t
> 
> The problem in implementing this, is that you have to have the exact IP
> address that will be used in the field.  Also, changing the base policy
> means you have to redo this change every time there is a new policy
> provided by Red Hat (as an update).
> 
> ########END
> 
> 
> 
> Doug 
> 
> ----- Original Message -----
> From: "Stephen Smalley" <sds at tycho.nsa.gov>
> To: "Doug Sikora" <dsikora at redhat.com>
> Cc: fedora-selinux-list at redhat.com
> Sent: Thursday, December 11, 2008 2:32:48 PM GMT -05:00 US/Canada Eastern
> Subject: Re: using selinux to allow only certain hosts or networks
> 
> On Tue, 2008-12-09 at 09:15 -0500, Doug Sikora wrote:
> > The below rules came from audit2allow,
> > 
> > allow test_t inaddr_any_node_t:tcp_socket node_bind;
> > allow test_t inaddr_any_node_t:udp_socket node_bind;
> > 
> > Instead of allowing "any_node" I would like to limit this to specific hosts and or networks.
> > 
> > Does anyone know the syntax for this?
> 
> Note that the check above is only dealing with binding to an address,
> not sending/receiving packets.  Is binding what you want to limit to
> specific addresses?
> 
> If so, you need to define types for the addresses (via local policy
> module) and map the addresses to those types (via semanage node).
> 
-- 
Stephen Smalley
National Security Agency
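The approach Stephen describes (declare the node type in a local policy module, then map addresses to it with `semanage node` rather than rebuilding the base policy) as a worked shell script. This is an added example, not code from the thread or from Fedora's policy; it reuses `blue_node_t`, `10.0.5.1` and the `test_t` domain from the messages above, while the module name `blue_node`, the presence of `/usr/share/selinux/devel/Makefile` and a `semanage` with node support are assumptions. It goes slightly beyond the single-host case: `semanage node -M` with a shorter netmask labels a whole network with the same type.

```shell
#!/bin/sh
# Added example (not from the thread): restrict node_bind for the test_t
# domain to a dedicated node type, blue_node_t, and map 10.0.5.1 to that
# type at runtime with "semanage node" instead of editing the base policy.
# Module name "blue_node" and the build paths are assumptions.
set -eu

MODULE=blue_node          # assumed module name
NODE_TYPE=blue_node_t     # node type from Forrest's example in the thread
DOMAIN=test_t             # domain from the audit2allow output in the thread

# Emit the local policy module source (.te). Declaring the type in a module
# avoids rebuilding the base policy; the require block pulls the node_type
# attribute and the confined domain in from the base policy.
gen_node_policy() {
    _type=$1; _domain=$2; _module=$3
    cat <<EOF
policy_module(${_module}, 1.0)

require {
    type ${_domain};
    attribute node_type;
}

# New node type; the node_type attribute marks it as a node label.
type ${_type}, node_type;

# Binding only: node_bind does not govern sending/receiving packets, which
# are checked by secmark (:packet send/recv) or labeled networking rules.
allow ${_domain} ${_type}:tcp_socket node_bind;
allow ${_domain} ${_type}:udp_socket node_bind;
EOF
}

# Emit the semanage command that maps one address (or, with a shorter
# netmask, a whole network) to the node type persistently.
node_add_cmd() {
    _addr=$1; _mask=$2; _type=$3
    printf 'semanage node -a -t %s -p ipv4 -M %s %s\n' "$_type" "$_mask" "$_addr"
}

# Build, load and map. Executes only when DRY_RUN=0; otherwise it prints
# the commands so the procedure can be reviewed before touching the host.
install_node_policy() {
    gen_node_policy "$NODE_TYPE" "$DOMAIN" "$MODULE" > "${MODULE}.te"
    cmd_build="make -f /usr/share/selinux/devel/Makefile ${MODULE}.pp"
    cmd_load="semodule -i ${MODULE}.pp"
    cmd_map=$(node_add_cmd 10.0.5.1 255.255.255.255 "$NODE_TYPE")
    if [ "${DRY_RUN:-1}" = 0 ]; then
        $cmd_build && $cmd_load && $cmd_map
        # Verify the mapping is present before relying on the new rule.
        semanage node -l | grep "$NODE_TYPE"
    else
        printf '%s\n' "$cmd_build" "$cmd_load" "$cmd_map"
    fi
}

# Run the procedure only when explicitly requested (RUN_EXAMPLE=1).
case "${RUN_EXAMPLE:-}" in
    1) install_node_policy ;;
esac
```

Usage: `RUN_EXAMPLE=1 sh node_bind_policy.sh` prints the build, load and mapping commands; add `DRY_RUN=0` to execute them. Once loaded, the original `allow test_t inaddr_any_node_t:... node_bind` rule from audit2allow is no longer needed, so binds to addresses other than those mapped to `blue_node_t` are denied and show up in the audit log as `node_bind` AVCs.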
