Hello,
Thanks for the hint. However, it does not solve my problem: I can still read from eth0.
I did have to add allow rules for netif_t:netif but my policy still does not allow
iface_test_t.
James
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Mon 12/14/2009 1:49 PM
To: Cernak, James E (IS)
Cc: fedora-selinux-list(a)redhat.com
Subject: Re: how to restrict a SOCK_RAW by interface
On Mon, 2009-12-14 at 13:29 -0600, Cernak, James E (IS) wrote:
Hello,
I am trying to restrict an application to using only some interfaces
on the system. I have defined a new type and assigned the interface on
my RHEL5.4-x64 system to the new type with semanage. The system
indicates that the interface is now configured.
# semanage interface -l
SELinux Interface Context
eth1 system_u:object_r:iface_test_t:s0
This does restrict applications like tcpdump or wireshark from listing
the interface that was configured.
# tcpdump -D
1.peth0
2.virbr0
3.vif0.0
4.eth0
5.xenbr0
6.eth2
7.eth3
8.any (Pseudo-device that captures on all interfaces)
9.lo
My problem is that my application can still open eth1 and read and
write packets on this interface.
The application is opening a socket as SOCK_RAW, then binding with a
struct sockaddr_ll that has the sll_ifindex field set to the
index of eth1.
How do I write an SELinux policy to restrict this application from
using some interfaces?
In RHEL5 (Linux 2.6.18), you might need to enable compat_net (echo 1 >
/selinux/compat_net or boot with selinux_compat_net=1 on the kernel
command line).
--
Stephen Smalley
National Security Agency
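The sequence the original question describes (an AF_PACKET/SOCK_RAW socket bound to an interface through sll_ifindex) is also the natural way to check, from the admin side, whether a netif label actually takes effect. The probe below is an added example, not code from the thread or from the SELinux project: it runs the socket/bind/recv steps one at a time against a named interface (assumed to be eth1 when no argument is given), stops at the first step that fails, and reports the errno so the result can be matched against the AVC in audit.log. The stage names, the `probe_iface` and `diagnose` functions, and the two-second receive timeout are this example's own choices. It must be run with CAP_NET_RAW (or as root) for the SELinux checks, rather than the capability check, to be what decides the outcome.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <netinet/if_ether.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Which step of the raw-socket sequence failed (STAGE_OK: none). */
enum stage { STAGE_IFINDEX, STAGE_SOCKET, STAGE_BIND, STAGE_RECV, STAGE_OK };

struct probe_result { enum stage stage; int err; };

/* Reproduce the sequence from the post: AF_PACKET/SOCK_RAW socket bound by
 * sll_ifindex, then one receive attempt bounded by `timeout_sec` (assumed
 * value, not from the thread). Stops at the first failing step and records
 * errno; a timeout on recv() counts as success because no packet arrived. */
struct probe_result probe_iface(const char *ifname, int timeout_sec)
{
    struct probe_result r = { STAGE_OK, 0 };

    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0) { r.stage = STAGE_IFINDEX; r.err = errno ? errno : ENODEV; return r; }

    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { r.stage = STAGE_SOCKET; r.err = errno; return r; }

    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = (int)ifindex;          /* the field the post mentions */
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        r.stage = STAGE_BIND; r.err = errno; close(fd); return r;
    }

    /* Bind alone may not trigger an interface check; a receive attempt does
     * exercise the packet path, so try one with a bounded wait. */
    struct timeval tv = { timeout_sec, 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    unsigned char buf[2048];
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    if (n < 0 && errno != EAGAIN && errno != EWOULDBLOCK) {
        r.stage = STAGE_RECV; r.err = errno;
    }
    close(fd);
    return r;
}

/* Map a probe result to a one-line diagnosis. Pure function, so it can be
 * unit-tested without CAP_NET_RAW. */
const char *diagnose(struct probe_result r)
{
    if (r.stage == STAGE_OK)
        return "socket, bind and recv all permitted on this interface";
    if (r.stage == STAGE_SOCKET && r.err == EPERM)
        return "socket() refused: run with CAP_NET_RAW to exercise the policy";
    if (r.err == EACCES) {
        switch (r.stage) {
        case STAGE_SOCKET: return "socket() denied by SELinux: check the AVC in audit.log";
        case STAGE_BIND:   return "bind() denied by SELinux: check the AVC in audit.log";
        case STAGE_RECV:   return "recv() denied by SELinux: check audit.log for the netif or node class";
        default: break;
        }
    }
    if (r.stage == STAGE_IFINDEX)
        return "no such interface";
    return "failed for a reason unrelated to SELinux (see errno)";
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth1";   /* eth1 as in the post */
    struct probe_result r = probe_iface(ifname, 2);
    printf("%s: %s (stage %d, errno %d: %s)\n", ifname, diagnose(r),
           (int)r.stage, r.err, r.err ? strerror(r.err) : "ok");
    return r.stage == STAGE_OK ? 0 : 1;
}
```

Run it once against an interface the policy is meant to allow and once against the one labelled iface_test_t; if both report "all permitted", the denial the policy was supposed to produce is not reaching this socket type, and the next thing to look at is whether the compat_net setting from the reply above is in effect and whether any AVC appears in audit.log at all.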