netif labelling

Dominick Grift domg472 at gmail.com
Sun Aug 29 10:44:45 UTC 2010


On 08/29/2010 12:26 AM, Mr Dash Four wrote:
> I am trying to restrict an application I have installed to have access 
> to a specific network interface only (tun0).
> 
> Are all network interfaces labelled 'automatically' by SELinux with 
> 'netif_xx_t' or do I have to label them manually from the policy file? 
> If I have to do that manually is it done with the network_interface(...) 
> macro?
> 
> Also, if I relabel the interface would I have to amend all other 
> policies for applications which need access to that interface 
> (applications which use the 'generic' naming - netif_t) or is this not 
> necessary?
> 
> I've seen there is a macro in corenetwork.if.in called 
> 'corenet_all_recvfrom_labelled' - is that macro allowing me to receive 
> packets from labelled interface?

I think you indeed have to declare new network interface types if you
want to differentiate between the various network interfaces in targeted
policy using network_interface().

Then, I think, you would have to manually label the interfaces using
semanage. Or maybe the network_interface() interface takes care
of labelling. Not sure.

By default most domains are allowed to use any network interface. They
have access to the netif_type network interface attribute that is
assigned to all network interface types (probably via network_interface()).

That, I think, probably means that you would have to replace the rules
allowing the domain to use all network interfaces by rules that govern
more specific access to the various network interface types.

You can probably test this by auditing grants.

auditallow domain netif_type:netif *; or something along those lines.

Try it, I would say.

> Thanks in advance!
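The approach sketched in the reply above, written out as an added example policy module (not code from the thread or from the reference policy). The domain name myapp_t and the interface type name tun0_netif_t are assumptions chosen for the example; the netif class is assumed to use the ingress/egress permissions.

```selinux
policy_module(tun0_netif, 1.0.0)

require {
    # netif_type is the attribute corenetwork assigns to every interface type
    attribute netif_type;
    # hypothetical domain of the application being restricted
    type myapp_t;
}

# Declare a dedicated interface type for tun0 and give it the netif_type
# attribute so existing policy that grants "all interfaces" keeps working.
type tun0_netif_t, netif_type;

# Grant the confined domain traffic on tun0 only. Do NOT also call
# corenet_tcp_sendrecv_all_if(myapp_t) or the generic_if variants for
# this domain, or the restriction is moot.
allow myapp_t tun0_netif_t:netif { ingress egress };

# Debug aid from the reply: log every netif grant for the domain so the
# audit log shows which interface types it actually touches. Remove the
# rule once the policy is confirmed, since it is noisy.
auditallow myapp_t netif_type:netif *;
```

After building and loading the module with semodule, bind the interface name to the new type with `semanage interface -a -t tun0_netif_t tun0`; interfaces with no explicit mapping keep the default netif_t label, so other applications that use the generic label are unaffected.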

