Assigning a Type to Network Interfaces

Dominick Grift domg472 at gmail.com
Thu Jan 14 14:25:07 UTC 2010


On 01/14/2010 03:08 PM, Jason Shaw wrote:
> I need help understanding if SELinux supports restricting a confined
> application from binding to specific network interfaces. I cannot seem to
> make this work under F11 and F12 (using targeted, mls, and reference
> policies), or under RHEL 5.3U3 targeted.
> 
> Details:
> - I have a system with two network interfaces: eth0 and eth1.
> - I have an application that must only be allowed to read data from eth0
> (raw and tcp).
> - I do not need to label packets.
> 
> Here's what I have tried
> 1) In a new policy module, I create new types: myApp_exec_t, myApp_t,
> myApp_eth0_t, myApp_eth1_t.
> 2) I use semanage -fcontext to label my application's executable file as
> myApp_exec_t
> 3) I assign eth0 with a new type: 'semanage interface -a -t myApp_eth0_t
> eth0'
> 4) I assign eth1 with a new type: 'semanage interface -a -t myApp_eth1_t
> eth1'
> 5) In my policy module, I allow the following: "allow myApp_t
> self:capability net_raw", and "allow myApp_t self:tcp_socket { accept read
> }"
> 6) I verify that when I execute my application, using ps -efZ it is running
> in the myApp_t domain (has transitioned properly from unconfined_t)
> 
> The problem is, my app can read raw or tcp data from either eth0 or eth1
> even though both interfaces have been assigned different types using
> semanage -interface.
> 
> Is this because 'allow myApp_t self:capability net_raw' does not distinguish
> between network interfaces? Is my understanding of semanage -interface
> incorrect - shouldn't labeling the interface result in no ability to use the
> interface unless explicitly allowed?
> 


This is how you can, I think, declare a netif type:

[dgrift at localhost Desktop]$ cat mynetif.te
policy_module(mynetif, 1.0.0)

require { attribute netif_type; }
type netif_test_t, netif_type;

You will need to label the netif manually though, unless you add it to
corenetwork.te.in with a context specification.

[dgrift at localhost Desktop]$ sudo semanage interface -a -t netif_test_t
-r s0-s0:c0.c1023 eth0
[dgrift at localhost Desktop]$ sudo semanage interface -l
SELinux Interface              Context

eth0
system_u:object_r:netif_test_t:s0-s0:c0.c1023

I assume this should also work for raw as there are interfaces
suggesting it:

# Summary: Receive raw IP packets on generic interfaces.
# Parameter domain
#The type of the process performing this action.
interface(`corenet_raw_receive_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { rawip_recv ingress };
')

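As an added illustration (not part of Dominick's reply, and not code from the reference policy), here is a complete module that puts the thread's pieces together: it declares the myApp_t domain and the two per-interface netif types from Jason's steps 1, 3 and 4, and grants netif access only to the eth0 type, mirroring the permission set of the corenet_raw_receive_generic_if interface quoted above and extending it to TCP. The type names come from the thread; everything else (the refpolicy macros application_domain, unconfined_run_to, create_socket_perms and the corenet_* interfaces, and the module name myapp_netif) is assumed to be available in a standard refpolicy development environment.

```m4
policy_module(myapp_netif, 1.0.0)

########################################
#
# Declarations
#

# Application domain and entrypoint, named as in the thread.
type myApp_t;
type myApp_exec_t;
application_domain(myApp_t, myApp_exec_t)

# One netif type per physical interface. netif_type is the attribute
# refpolicy hangs all netif types on, as in Dominick's mynetif.te.
require {
	attribute netif_type;
}
type myApp_eth0_t, netif_type;
type myApp_eth1_t, netif_type;

########################################
#
# Local policy
#

# net_raw only lets the domain open raw sockets; it is not interface-aware,
# so the per-interface restriction has to come from the netif rules below.
allow myApp_t self:capability net_raw;
allow myApp_t self:rawip_socket create_socket_perms;
allow myApp_t self:tcp_socket create_stream_socket_perms;

# Only the eth0 netif may deliver packets to this domain. The permission
# set follows corenet_raw_receive_generic_if (rawip_recv ingress) plus the
# TCP equivalents. No rule names myApp_eth1_t, so traffic attributed to
# eth1 is denied and shows up as a netif AVC denial in the audit log.
allow myApp_t myApp_eth0_t:netif { rawip_recv tcp_recv ingress };
allow myApp_t myApp_eth0_t:netif { tcp_send egress };

# Packets are also checked against node and peer/packet labels; with no
# packet labeling configured (Jason's case) these are unlabeled_t.
corenet_all_recvfrom_unlabeled(myApp_t)
corenet_tcp_bind_generic_node(myApp_t)
corenet_raw_bind_generic_node(myApp_t)

# Transition from unconfined_t when myApp_exec_t is executed (step 6).
optional_policy(`
	unconfined_run_to(myApp_t, myApp_exec_t)
')
```

Build and load it with the usual devel Makefile (make -f /usr/share/selinux/devel/Makefile myapp_netif.pp; semodule -i myapp_netif.pp), label the executable as in Jason's step 2, then assign the interfaces with semanage interface -a -t myApp_eth0_t eth0 and semanage interface -a -t myApp_eth1_t eth1 exactly as in steps 3 and 4. One thing to verify on the target kernel before relying on the result: the domain-versus-netif tcp_recv/udp_recv/rawip_recv checks belong to the kernel's compatibility path, used when the network_peer_controls policy capability is off (see /selinux/policy_capabilities/network_peer_controls, or /sys/fs/selinux on newer systems); with that capability on, netif ingress/egress is checked against the packet's peer label in the netfilter hooks, and only when SECMARK or labeled networking is in use, so a policy that relies on these rules should be tested with a real packet on each interface and the audit log checked for the expected denial.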
