Hello,
Sorry, typo; it was intended to be eth1.
I just checked again. Apol shows iface_test_t having 0 attributes and 0 rule matches.
# getenforce
Enforcing
# cat selinux/compat_net
1
# semanage interface -l
SELinux Interface Context
eth1 system_u:object_r:iface_test_t:s0
# grep iface_test_t *.te
type iface_test_t;
My app can still restart, connect a socket to eth1, and read and write to eth1.
James
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Wed 12/16/2009 9:02 AM
To: Cernak, James E (IS)
Cc: fedora-selinux-list(a)redhat.com
Subject: RE: how to restrict a SOCK_RAW by interface
On Mon, 2009-12-14 at 16:56 -0600, Cernak, James E (IS) wrote:
> Hello,
> Thanks for the hint. However, it does not solve my problem; I still can
> read from eth0.

eth0 or eth1? Your example showed eth1 configured as iface_test_t.

> I did have to add allow rules for netif_t:netif but my policy still
> does not allow iface_test_t.

Hmmm...are you sure? Did you declare any type attributes for
iface_test_t? Use sesearch or apol to confirm that there are no allow
rules to it in the final binary policy.

> James
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Mon 12/14/2009 1:49 PM
To: Cernak, James E (IS)
Cc: fedora-selinux-list(a)redhat.com
Subject: Re: how to restrict a SOCK_RAW by interface
On Mon, 2009-12-14 at 13:29 -0600, Cernak, James E (IS) wrote:
> Hello,
>
> I am trying to restrict an application to using only some interfaces
> on the system. I have defined a new type and assigned the interface on
> my RHEL5.4-x64 system to the new type with semanage. The system
> indicates that the interface is now configured.
> # semanage interface -l
> SELinux Interface Context
>
> eth1 system_u:object_r:iface_test_t:s0
> This does restrict applications like tcpdump or wireshark from listing
> the interface that was configured.
> # tcpdump -D
> 1.peth0
> 2.virbr0
> 3.vif0.0
> 4.eth0
> 5.xenbr0
> 6.eth2
> 7.eth3
> 8.any (Pseudo-device that captures on all interfaces)
> 9.lo
>
> My problem is that my application can still open eth1 and read and
> write packets to this interface.
> The application is opening a socket as SOCK_RAW then binding with a
> struct sockaddr_ll that has the sll_ifindex field configured with the
> index of eth1.
> How do I write an SELinux policy to restrict this application from
> using some interfaces?
>
In RHEL5 (Linux 2.6.18), you might need to enable compat_net (echo 1 > /selinux/compat_net or boot with selinux_compat_net=1 on the kernel command line).
--
Stephen Smalley
National Security Agency
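The operation the thread is about, as an added example that is not code from the thread or from either poster: an AF_PACKET SOCK_RAW socket bound to one interface through sll_ifindex, plus the errno triage a policy author wants when checking whether the bind was refused by policy. The interface name, the helper names, and the reading of EPERM as a capability (CAP_NET_RAW) failure versus EACCES as a kernel-hook denial are this example's assumptions; the audit log (avc: denied) remains the authoritative check.

```c
/*
 * Added example, not code from the mailing-list thread. Opens a raw packet
 * socket and binds it to one interface by index, which is what the thread's
 * application does, and reports what the resulting errno usually means.
 * Assumptions: EACCES = denial from a kernel security hook (SELinux),
 * EPERM = missing CAP_NET_RAW; confirm against /var/log/audit/audit.log.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <assert.h>
#include <errno.h>
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <linux/if_packet.h>  /* struct sockaddr_ll */
#include <net/if.h>           /* if_nametoindex */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build the sockaddr_ll used to bind an AF_PACKET socket to one interface.
 * Pure, so it can be checked without root or a real interface. */
int fill_sockaddr_ll(struct sockaddr_ll *sa, int ifindex, unsigned short proto)
{
    if (sa == NULL || ifindex <= 0)
        return -1;
    memset(sa, 0, sizeof *sa);
    sa->sll_family   = AF_PACKET;
    sa->sll_protocol = htons(proto);  /* network byte order, as bind() expects */
    sa->sll_ifindex  = ifindex;       /* the field the thread is about */
    return 0;
}

/* Map the errno from socket()/bind() to its usual meaning on a SELinux host.
 * (Assumed interpretation; the audit log is authoritative.) */
const char *classify_errno(int err)
{
    switch (err) {
    case 0:      return "ok: bind succeeded, policy did not restrict this interface";
    case EPERM:  return "EPERM: capability check (CAP_NET_RAW), not a SELinux denial";
    case EACCES: return "EACCES: denied by a kernel hook; look for avc: denied in audit.log";
    case ENODEV:
    case ENXIO:  return "ENODEV/ENXIO: no such interface";
    default:     return "other error";
    }
}

/* Open a raw socket and bind it to ifname. Returns the fd, or -1 with *err set. */
int open_raw_on_iface(const char *ifname, int *err)
{
    struct sockaddr_ll sa;
    errno = 0;
    unsigned int ifindex = if_nametoindex(ifname);
    if (ifindex == 0) {
        *err = errno ? errno : ENODEV;
        return -1;
    }
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) {
        *err = errno;
        return -1;
    }
    if (fill_sockaddr_ll(&sa, (int)ifindex, ETH_P_ALL) < 0) {
        close(fd);
        *err = EINVAL;
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        *err = errno;
        close(fd);
        return -1;
    }
    *err = 0;
    return fd;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth1";  /* interface under test */
    int err = 0;
    int fd = open_raw_on_iface(ifname, &err);
    printf("%s: %s (errno %d: %s)\n", ifname, classify_errno(err), err,
           err ? strerror(err) : "-");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```

Build with `gcc -o rawbind rawbind.c` and run as root (`./rawbind eth1`) with `getenforce` reporting Enforcing; a successful bind on an interface labelled iface_test_t, together with no matching `avc: denied` record, is exactly the symptom described in the thread, which is why Stephen asks to confirm with sesearch or apol that no allow rule reaches the type in the compiled policy.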