<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>how to restrict a SOCK_RAW by interface</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Hello,<BR>
<BR>
I am trying to restrict an application to using only some interfaces on the system. I have defined a new type and assigned the interface on my RHEL5.4-x64 system to the new type with semanage. The system indicates that the interface is now configured.<BR>
# semanage interface -l<BR>
SELinux Interface Context<BR>
<BR>
eth1 system_u:object_r:iface_test_t:s0<BR>
This does restrict applications like tcpdump or wireshark from listing the interface that was configured.<BR>
# tcpdump -D<BR>
1.peth0<BR>
2.virbr0<BR>
3.vif0.0<BR>
4.eth0<BR>
5.xenbr0<BR>
6.eth2<BR>
7.eth3<BR>
8.any (Pseudo-device that captures on all interfaces)<BR>
9.lo<BR>
<BR>
My problem comes that my application can still open eth1 and read and write packets to this interface.<BR>
The application is opening a socket as SOCK_RAW then binding with a struct sockaddr_ll that has the sll_ifindex field configured with the index of eth1.<BR>
How do I write an SELinux policy to restrict this application from using some interfaces?<BR>
<BR>
<BR>
Thanks<BR>
James Cernak<BR>
&lt;James.Cernak`at`ngc.com&gt;<BR>
<BR>
</FONT>
</P>
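<P><FONT SIZE=2>For readers who want to reproduce the socket behaviour the question describes, the following is an added example and not code from the original message or from the poster's application. It opens an AF_PACKET SOCK_RAW socket and binds it to a single interface through the sll_ifindex field of struct sockaddr_ll, exactly the access pattern the poster says is not being restricted. The interface name (defaults to eth1), the use of ETH_P_ALL and the Linux-only headers are assumptions; the socket() call itself only succeeds for a caller holding CAP_NET_RAW, so the helper returns -1 with errno set (EPERM, EACCES or ENODEV) on any failure, which is also what a policy denial would look like to the application.</FONT></P>

```c
/* Added example (not from the original message): open an AF_PACKET
 * SOCK_RAW socket and bind it to one interface by index, the way the
 * question describes. Linux only; socket() needs CAP_NET_RAW. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>            /* if_nametoindex */
#include <netinet/in.h>        /* htons */
#include <linux/if_packet.h>   /* struct sockaddr_ll, AF_PACKET */
#include <linux/if_ether.h>    /* ETH_P_ALL */

/* Fill a sockaddr_ll that selects exactly one interface by index.
 * Returns 0 on success, -1 if the pointer is NULL or ifindex is not positive. */
int make_ifindex_addr(struct sockaddr_ll *sll, int ifindex)
{
    if (sll == NULL || ifindex <= 0)
        return -1;
    memset(sll, 0, sizeof *sll);
    sll->sll_family   = AF_PACKET;
    sll->sll_protocol = htons(ETH_P_ALL); /* assumption: capture all ethertypes */
    sll->sll_ifindex  = ifindex;          /* the field the question refers to */
    return 0;
}

/* Open a raw packet socket bound to the named interface.
 * Returns the descriptor, or -1 with errno set: ENODEV when the name is
 * unknown, EPERM/EACCES when the caller lacks CAP_NET_RAW or is denied
 * by the security policy. */
int open_raw_on_iface(const char *ifname)
{
    struct sockaddr_ll sll;
    unsigned int ifindex = if_nametoindex(ifname);
    if (ifindex == 0) {
        errno = ENODEV;
        return -1;
    }
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    if (make_ifindex_addr(&sll, (int)ifindex) < 0 ||
        bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth1"; /* assumed default */
    int fd = open_raw_on_iface(ifname);
    if (fd < 0) {
        fprintf(stderr, "cannot open raw socket on %s: %s\n",
                ifname, strerror(errno));
        return 1;
    }
    printf("raw packet socket bound to %s (fd %d)\n", ifname, fd);
    close(fd);
    return 0;
}
```

<P><FONT SIZE=2>Run it as <CODE>./rawbind eth1</CODE> under the confined domain of interest and check the audit log: if the bind succeeds with no AVC message, the interface label assigned with semanage is not being consulted on this code path, which is the observation the message reports.</FONT></P>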
</BODY>
</HTML>