Steve Brueckner wrote:
Stephen Smalley wrote:
> On Fri, 2005-11-18 at 15:17 +0000, Paul Howarth wrote:
>
>> Won't that kill all network access, including via localhost, rather
>> than just eth0 access?
>>
> Well, yes, good point ;)
>
> Also looks like Dan reworked the old netifcon statements and netif
> types as part of the network macro work.
>
> Ok, so one approach might be to:
> - Add a netifcon statement to policy/net_contexts (between the
>   portcon entries and the nodecon entries) to distinguish eth0:
>     netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
> - Add the type to policy/types/network.te (or anywhere in the policy):
>     type netif_eth0_t, netif_type;
> - Change the allow rule in unconfined_domain from
>     allow $1 netif_type:netif *;
>   to:
>     allow $1 netif_t:netif *;
> so that unconfined_t no longer gets access to all netif types, just
> the default one (which covers loopback).
>
> Looks like macros/network_macros.te already limits itself to
> netif_t:netif, so it will also cease granting access to eth0 when you
> make the above changes without needing to modify the macro itself.
>
Well this seemed to be working, but then something strange happened. I
wanted ssh to work over eth0, so I added this to domains/program/ssh.te:

  auditallow sshd_t netif_type:netif *;
  allow sshd_t netif_type:netif *;

This single change allowed ssh to use eth0, but apparently it also allows
anything in unconfined_t to access eth0 also! For example, when I run nmap
192.168.1.109 it is no longer blocked:

  type=AVC msg=audit(1134421016.167:1744): avc: granted { rawip_send } for
  pid=2854 comm="nmap" saddr=192.168.1.80 src=55724 daddr=192.168.1.209
  dest=1502 netif=eth0 scontext=root:system_r:unconfined_t
  tcontext=system_u:object_r:netif_eth0_t tclass=netif

Am I missing something fundamental or is this a bug? It seems to me that
giving sshd_t access to eth0 shouldn't also cause everyone in unconfined_t
to have access to eth0.

sshd_t is an alias for unconfined_t, in targeted policy.

Thanks for your help so far,
Stephen Brueckner, ATC-NY
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
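As an added illustration (not code from the thread or from the SELinux project), a small Python resolver over a constructed policy fragment that models the thread's types, the netif_type attribute and the sshd_t alias of unconfined_t; it shows why the ssh.te rule grants eth0 access to everything in unconfined_t. The handling of type, typealias and allow statements is a simplification of the policy language, not checkpolicy.

```python
import re
from collections import defaultdict

# Constructed policy fragments modelled on the thread (not real Fedora policy):
# netif_eth0_t carries the netif_type attribute, sshd_t is an alias of
# unconfined_t as in targeted policy, and unconfined_t is only allowed netif_t.
POLICY_BEFORE = """
attribute netif_type;
type netif_t, netif_type;
type netif_eth0_t, netif_type;
type unconfined_t;
typealias unconfined_t alias sshd_t;
allow unconfined_t netif_t:netif *;
"""
# The rule added to domains/program/ssh.te in the thread.
POLICY_AFTER = POLICY_BEFORE + "allow sshd_t netif_type:netif *;\n"

def parse_policy(text):
    """Return (attribute -> member types, alias -> real type, allow rules)."""
    attrs, aliases, rules = defaultdict(set), {}, []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("type "):
            name, *attr_list = [p.strip() for p in line[5:].split(",")]
            for attr in attr_list:
                attrs[attr].add(name)
        elif line.startswith("typealias "):
            real, alias = re.match(r"typealias (\S+) alias (\S+)", line).groups()
            aliases[alias] = real
        elif line.startswith("allow "):
            src, tgt_cls, perms = line.split(None, 3)[1:]
            tgt, cls = tgt_cls.split(":")
            rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return attrs, aliases, rules

def allowed(policy_text, src, tgt, cls, perm):
    """Decide (source, target, class, permission) the way the AVC would."""
    attrs, aliases, rules = parse_policy(policy_text)
    real = lambda t: aliases.get(t, t)                         # alias -> canonical type
    expand = lambda n: attrs[n] if n in attrs else {real(n)}   # attribute -> member types
    return any(real(src) in expand(rs) and real(tgt) in expand(rt)
               and cls == rc and ("*" in rp or perm in rp)
               for rs, rt, rc, rp in rules)

if __name__ == "__main__":
    for label, pol in (("before ssh.te change", POLICY_BEFORE), ("after", POLICY_AFTER)):
        for dom in ("sshd_t", "unconfined_t"):
            print(label, dom, "-> netif_eth0_t rawip_send:",
                  allowed(pol, dom, "netif_eth0_t", "netif", "rawip_send"))
```

Because the alias resolves before the rule is matched, the rule written for sshd_t is a rule for unconfined_t, and netif_type expands to netif_eth0_t as well as netif_t.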