default deny for unconfined_t using targeted?

Stephen Smalley sds at tycho.nsa.gov
Fri Nov 18 15:39:53 UTC 2005


On Fri, 2005-11-18 at 15:17 +0000, Paul Howarth wrote:
> Won't that kill all network access, including via localhost, rather than 
> just eth0 access?

Well, yes, good point ;)

Also looks like Dan reworked the old netifcon statements and netif types
as part of the network macro work.

Ok, so one approach might be to:
- Add a netifcon statement to policy/net_contexts (between the portcon
entries and the nodecon entries) to distinguish eth0:
	netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
- Add the type to policy/types/network.te (or anywhere in the policy):
	type netif_eth0_t, netif_type;
- Change the allow rule in unconfined_domain from
	allow $1 netif_type:netif *;
to:
	allow $1 netif_t:netif *;
so that unconfined_t no longer gets access to all netif types, just
the default one (which covers loopback).

Looks like macros/network_macros.te already limits itself to
netif_t:netif, so it will also cease granting access to eth0 when you
make the above changes without needing to modify the macro itself.

-- 
Stephen Smalley
National Security Agency
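The three changes above, written out as policy fragments so they can be compared side by side. This is an added illustration, not text from the message or from any shipped policy: the file names are the ones the message gives (the macro file for unconfined_domain is assumed to be macros/global_macros.te), the portcon and nodecon lines are made-up context that only shows where the netifcon entry lands, and the final rule re-granting eth0 to a hypothetical httpd_t domain is an extension of the idea, not part of the original suggestion.

```selinux
# --- policy/net_contexts ---
# The netifcon entry goes after the portcon entries and before the
# nodecon entries. Its first context labels the interface object itself;
# the second is the default context for packets arriving on it
# (unlabeled_t, as in the message). The portcon/nodecon lines are
# constructed placeholders showing position only.
portcon tcp 22 system_u:object_r:ssh_port_t
netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t

# --- policy/types/network.te ---
# Give eth0 its own type. Keeping the netif_type attribute means rules
# written against the attribute still cover the new type.
type netif_eth0_t, netif_type;

# --- before: inside the unconfined_domain macro (file name assumed) ---
# Every netif_type, including netif_eth0_t, is reachable from $1.
allow $1 netif_type:netif *;

# --- after ---
# Only the default interface type remains. lo has no netifcon entry, so
# it falls back to netif_t and loopback traffic keeps working.
allow $1 netif_t:netif *;

# --- optional extension (hypothetical domain, not in the message) ---
# A confined daemon that must still use eth0 gets it back explicitly,
# with only the netif permissions it needs rather than '*'.
allow httpd_t netif_eth0_t:netif { tcp_recv tcp_send udp_recv udp_send };
```

After rebuilding and loading the policy, two checks confirm the effect: `seinfo --netifcon` should list eth0 with netif_eth0_t, and `sesearch --allow -s unconfined_t -c netif` (setools 3 syntax; `sesearch -A -s unconfined_t -c netif` in setools 4) should show netif_t as the only target. Anything still running in unconfined_t that used eth0 will now log AVC denials with tclass=netif, which is the intended signal for deciding which domains need an explicit netif_eth0_t rule. Note also that the binding is by interface name, so a renamed interface silently falls back to netif_t.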




More information about the selinux mailing list