netif labelling

Mr Dash Four mr.dash.four at googlemail.com
Sun Aug 29 16:02:57 UTC 2010


> I think you indeed have to declare new network interface types if you
> want to differentiate between the various network interfaces in targeted
> policy using network_interface()
>   
This is what is defined in corenetwork.te.m4:

#
# network_interface(if_name,linux_interface,mls_sensitivity)
#
define(`network_interface',`
gen_require(``type unlabeled_t;'')
type $1_netif_t alias netif_$1_t, netif_type;
declare_netifs($1_netif_t,shift($*))
')

So, by that I am assuming that if I include
'network_interface(tun0,tun0,s0)' in my policy file, this is all I need
to do, right? (In corenetwork.te.in, instead of 's0' there is
's0 - mls_systemhigh' - does that matter?)

Also, as part of the policy I wish to enable/restrict the program to 
connect on mysqld port, but ONLY on the local (lo) interface and then 
listen/bind on a predefined port but on the tun0 interface. How do I do 
that? There are 2 relevant macros in corenetwork.te.m4 for this:

corenet_tcp_bind_voip_sandbox_port(voip_sandbox_t)
corenet_tcp_connect_mysqld_port(voip_sandbox_t)

which are taken from:

########################################
## <summary>
##    Bind TCP sockets to the $1 port.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_$1_port',`
    gen_require(`
        $3 $1_$2;
    ')

    allow dollarsone $1_$2:tcp_socket name_bind;
    $4
')

and

########################################
## <summary>
##    Make a TCP connection to the $1 port.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`corenet_tcp_connect_$1_port',`
    gen_require(`
        $3 $1_$2;
    ')

    allow dollarsone $1_$2:tcp_socket name_connect;
')


For me it is clear that $1 is the port type (voip_sandbox and mysqld in
my case) and 'dollarsone' expands to the parameter in brackets
(voip_sandbox_t in my case), but what are $2, $3 and $4 (in the 1st
macro above) and what values do these have? The <param> tag does not
describe any of these and I cannot find any reference anywhere! Would
SLIDE have picked up those?

If I manage to 'decipher' these I may restrict the above statements to
the proper net device type if no other suitable macro can be found,
but as it stands I am a bit stuck!
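An added example (editor's illustration, not part of the original post and not refpolicy's own code) of a module that puts the pieces discussed above together for the voip_sandbox_t domain. It assumes that `network_interface(tun0,tun0,s0)` and a matching `network_port(voip_sandbox, ...)` line have been added to corenetwork.te.in and the policy regenerated, so that `tun0_netif_t`, `voip_sandbox_port_t` and the generated `corenet_*_tun0_if()` / `corenet_*_voip_sandbox_port()` interfaces exist; the file name voip_sandbox.te, the `voip_sandbox_exec_t` type and the `init_daemon_domain` entry point are assumptions made for the example. The point it shows is the one the post is circling: the port-type checks (`name_connect`, `name_bind`) are keyed on the port number only, so "mysqld only via lo" and "listen only on tun0" cannot come from the `corenet_tcp_*_port()` macros; they have to come from the netif and node classes, which the `corenet_tcp_sendrecv_*_if()` / `*_node()` interfaces grant. The fence is tagged m4 because refpolicy .te files are m4 input.

```m4
policy_module(voip_sandbox, 1.0.0)

########################################
#
# Declarations
#
# voip_sandbox_t and voip_sandbox_exec_t are assumed names for this
# example; they are not taken from the post or from refpolicy.

type voip_sandbox_t;
type voip_sandbox_exec_t;
init_daemon_domain(voip_sandbox_t, voip_sandbox_exec_t)

########################################
#
# Local policy
#

# Basic operations on its own TCP sockets (create, bind, listen, ...).
allow voip_sandbox_t self:tcp_socket create_stream_socket_perms;

# Port-type checks (name_connect / name_bind). These decide WHICH port,
# but the kernel evaluates them against the port number only: they carry
# no interface information, so on their own they cannot express
# "mysqld only via lo" or "listen only on tun0".
corenet_tcp_connect_mysqld_port(voip_sandbox_t)
corenet_tcp_bind_voip_sandbox_port(voip_sandbox_t)

# bind() additionally needs node_bind on the node type of the address
# being bound. The tun0 address is not a declared node here, so it
# carries the generic node_t label.
corenet_tcp_bind_generic_node(voip_sandbox_t)

# Interface and node checks (netif and node classes). This is where the
# per-interface restriction actually lives.
#
# Loopback only, for the mysqld client traffic:
corenet_tcp_sendrecv_lo_if(voip_sandbox_t)
corenet_tcp_sendrecv_lo_node(voip_sandbox_t)

# tun0 only, for the service socket. corenet_tcp_sendrecv_tun0_if() is the
# interface refpolicy generates from the network_interface(tun0,tun0,s0)
# line in corenetwork.te.in; the remote peers on tun0 are generic nodes.
corenet_tcp_sendrecv_tun0_if(voip_sandbox_t)
corenet_tcp_sendrecv_generic_node(voip_sandbox_t)

# Deliberately NOT granted: corenet_tcp_sendrecv_generic_if(voip_sandbox_t)
# would permit the same traffic over eth0 and every other interface that
# still carries the default netif_t label, which would undo the tun0/lo
# split above.
```

Two caveats worth checking on the target machine before relying on this. First, the netif and node `tcp_send`/`tcp_recv` permissions are the older "compat_net" per-packet checks; on a kernel where those are turned off in favour of SECMARK, per-packet decisions move to the `packet` class (netif is then only consulted for `ingress`/`egress`), and the lo-versus-tun0 distinction has to be made in iptables, with SECMARK rules that match `-i lo` or `-i tun0` and assign a packet label the domain is allowed to send and receive. Second, after loading the module, confirm what was actually granted with `sesearch --allow -s voip_sandbox_t -c netif` and `sesearch --allow -s voip_sandbox_t -c tcp_socket`; if a rule for `netif_t` shows up, some other interface pulled in the generic grant and the restriction is not in effect.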



More information about the selinux mailing list