New networking controls - FYI

Mantaray mantaray_1 at cox.net
Sun Feb 7 00:19:00 UTC 2010 

List members,

I have recently upgraded to the 2.6.30 kernel, and I am now using the 
new networking controls.  I have noticed difficulties that seem to me to 
be similar difficulties in some other recent posts, so I wanted to make 
a brief post regarding the matter.
I tested the packet rules by creating packet labels for the local ipv6 
(::1), my printer, my router, and general internet addresses.  I did not 
give my son's user permission to access the printer.  When his user 
attempted to access the printer, the application being used would hang 
and need to be shut down.  Allowing local ipv6 packets to be 
sent/received by his user prevented the application from hanging, but 
also allowed his user to access the printer - with no packet access 
allowed to the printer.  When this did not restrict his access, I added 
a constraint in the constraints file:

constrain packet { recv send }
(
	r1 != his_user_name_r
	or t2 == allow_packet
);

This constraint prevented access to the local ipv6 packets until I added 
the attribute type to those packets, but access to the printer was not 
affected.

For now my packet rules for Internet access appear to work and I am 
limiting printer access through the print service directly.  I do not 
presently have time to troubleshoot the matter, so for now this will do 
as a solution; but I am curious why the packet controls (especially 
combined with the constraint) are not preventing printer access.

I know that there are other controls that are intended to restrict 
network access, and I have not yet had the time to explore using these 
controls.  I am hopeful that by combining these controls with the 
SECMARK controls, I will have better control of network traffic; however 
one recent post (by Jason on February 2) seems to indicate that there 
may still be some difficulty getting these other controls to properly 
restrict network traffic as well: "I found that my test app (with the 
allow rule below), could still read and display packet data coming in on 
any interface even with all interfaces assigned a unique peer_t...."

I really appreciate the efforts of everyone involved in the development 
of SELinux, and I hope my comments will help the developers to make the 
new controls as effective and easy to implement as the previous controls 
were.


-Ken-

More information about the selinux mailing list