default deny for unconfined_t using targeted?

Steve Brueckner steve at atc-nycorp.com
Mon Dec 12 21:03:30 UTC 2005


Stephen Smalley wrote:
> On Fri, 2005-11-18 at 15:17 +0000, Paul Howarth wrote:
>> Won't that kill all network access, including via localhost, rather
>> than just eth0 access?
> 
> Well, yes, good point ;)
> 
> Also looks like Dan reworked the old netifcon statements and netif
> types as part of the network macro work. 
> 
> Ok, so one approach might be to:
> - Add a netifcon statement to policy/net_contexts (between the
>   portcon entries and the nodecon entries) to distinguish eth0:
>   netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
> - Add the type to policy/types/network.te (or anywhere in the policy):
>   type netif_eth0_t, netif_type;
> - Change the allow rule in unconfined_domain from
>   allow $1 netif_type:netif *;
>   to:
>   allow $1 netif_t:netif *;
> so that unconfined_t no longer gets access to all netif types, just
> the default one (which covers loopback).
> 
> Looks like macros/network_macros.te already limits itself to
> netif_t:netif, so it will also cease granting access to eth0 when you
> make the above changes without needing to modify the macro itself.  

Well, this seemed to be working, but then something strange happened.  I
wanted ssh to work over eth0, so I added this to domains/program/ssh.te:
	auditallow sshd_t netif_type:netif *;
	allow sshd_t netif_type:netif *;

This single change allowed ssh to use eth0, but apparently it also allows
anything in unconfined_t to access eth0 also!  For example, when I run nmap
192.168.1.109 it is no longer blocked:

type=AVC msg=audit(1134421016.167:1744): avc: granted { rawip_send } for
pid=2854 comm="nmap" saddr=192.168.1.80 src=55724 daddr=192.168.1.209
dest=1502 netif=eth0 scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:netif_eth0_t tclass=netif

Am I missing something fundamental or is this a bug?  It seems to me that
giving sshd_t access to eth0 shouldn't also cause everyone in unconfined_t
to have access to eth0.

Thanks for your help so far,

Stephen Brueckner, ATC-NY
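The post's auditallow rule is what produced the "granted" AVC record above, and a defender asking the same question ("who else is reaching eth0?") would want to scan the audit log for such grants rather than spot them by eye. The following parser is an added example and is not code from the thread or from the SELinux project: it parses AVC records of the shape quoted above, keeps only "granted" netif decisions, and reports any source domain other than an expected set that reached a restricted netif type. The first sample line is the record from the post re-joined onto one line; the other three are constructed, as are the domain and netif-type sets passed in.

```python
import re

# Sample audit records. Line 1 is the granted record quoted in the post
# (re-joined onto one line); lines 2-4 are constructed for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1134421016.167:1744): avc: granted { rawip_send } for pid=2854 comm="nmap" saddr=192.168.1.80 src=55724 daddr=192.168.1.209 dest=1502 netif=eth0 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:netif_eth0_t tclass=netif
type=AVC msg=audit(1134421100.001:1750): avc: granted { tcp_recv tcp_send } for pid=1201 comm="sshd" netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:netif_eth0_t tclass=netif
type=AVC msg=audit(1134421150.500:1760): avc: denied { rawip_send } for pid=2900 comm="nmap" netif=eth0 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:netif_eth0_t tclass=netif
type=AVC msg=audit(1134421200.700:1770): avc: granted { udp_send } for pid=3000 comm="ping" netif=lo scontext=root:system_r:unconfined_t tcontext=system_u:object_r:netif_t tclass=netif
"""

# "avc: granted { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either "quoted" (comm="nmap") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["decision"] = m.group("decision")
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def find_unexpected_grants(audit_text, allowed_domains, restricted_netif_types):
    """List granted netif accesses to a restricted netif type by domains
    outside allowed_domains. Each finding is
    (comm, source_type, target_type, perms, netif)."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["decision"] != "granted" or rec.get("tclass") != "netif":
            continue
        sdom = context_type(rec["scontext"])
        ttype = context_type(rec["tcontext"])
        if ttype in restricted_netif_types and sdom not in allowed_domains:
            findings.append((rec.get("comm"), sdom, ttype, rec["perms"], rec.get("netif")))
    return findings


if __name__ == "__main__":
    # Only sshd_t is meant to reach netif_eth0_t (the post's allow rule);
    # anything else that is *granted* access to it is worth a look.
    for comm, sdom, ttype, perms, netif in find_unexpected_grants(
        SAMPLE_AUDIT, allowed_domains={"sshd_t"}, restricted_netif_types={"netif_eth0_t"}
    ):
        print(f"unexpected grant: {sdom} ({comm}) -> {ttype} on {netif}: {' '.join(perms)}")
```

On the sample above this reports exactly the nmap record from the post (unconfined_t reaching netif_eth0_t with rawip_send) and stays silent for the sshd_t grant, the denied record, and the loopback grant to netif_t. The check only sees what the kernel logs, so it depends on an auditallow rule covering the restricted netif type being in place, as in the post.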
