Assigning a Type to Network Interfaces

Jason Shaw js44352 at gmail.com
Thu Jan 14 14:08:54 UTC 2010


 I need help understanding if SELinux supports restricting a confined
application from binding to specific network interfaces. I cannot seem to
make this work under F11 and F12 (using targeted, mls, and reference
policies), or under RHEL 5.3U3 targeted.

Details:
- I have a system with two network interfaces: eth0 and eth1.
- I have an application that must only be allowed to read data from eth0
(raw and tcp).
- I do not need to label packets.

Here's what I have tried:
1) In a new policy module, I create new types: myApp_exec_t, myApp_t,
myApp_eth0_t, myApp_eth1_t.
2) I use semanage -fcontext to label my application's executable file as
myApp_exec_t
3) I assign eth0 with a new type: 'semanage interface -a -t myApp_eth0_t
eth0'
4) I assign eth1 with a new type: 'semanage interface -a -t myApp_eth1_t
eth1'
5) In my policy module, I allow the following: "allow myApp_t
self:capability net_raw", and "allow myApp_t self:tcp_socket { accept read
}"
6) I verify that when I execute my application, using ps -efZ it is running
in the myApp_t domain (has transitioned properly from unconfined_t)

The problem is, my app can read raw or tcp data from either eth0 or eth1
even though both interfaces have been assigned different types using
semanage -interface.

Is this because 'allow myApp_t self:capability net_raw' does not distinguish
between network interfaces? Is my understanding of semanage -interface
incorrect - shouldn't labeling the interface result in no ability to use the
interface unless explicitly allowed?
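Editor's added example, not part of the original post: on the kernels and policies named above, the netif types set with 'semanage interface' are consulted only for peer-labelled traffic (NetLabel or labeled IPsec; on older kernels also when the legacy compat_net controls are switched on), so unlabelled packets never hit a netif check and both interfaces stay reachable. The usual way to get a per-interface restriction without peer labelling is SECMARK: netfilter attaches a packet type to each IP packet by ingress interface, and the kernel then checks the socket's domain for 'packet { recv send }' against that type. The script below generates the policy module and the iptables rules for that set-up. It assumes the poster's myApp_t domain already exists and transitions correctly (steps 1, 2 and 6 above); the packet type names myApp_eth0_packet_t and myApp_eth1_packet_t, the module name and the chain layout are this example's choices.

```shell
#!/bin/sh
# Added example (not code from the original post): confine the myApp_t
# domain to traffic that arrived on eth0 by labelling packets with SECMARK
# instead of relying on 'semanage interface' netif types.
# Assumptions: myApp_t is already declared by the poster's own module; the
# packet type names and the iptables chain layout are this example's.
set -eu

MODULE=myapp_secmark

# Policy module source. Netif types from 'semanage interface' are only
# checked for peer-labelled traffic, so they do nothing for plain packets.
# A SECMARK-labelled packet is checked as 'packet { recv }' on the way in
# and 'packet { send }' on the way out, against the socket's domain.
policy_source() {
cat <<'EOF'
policy_module(myapp_secmark, 1.0)

gen_require(`
    type myApp_t;
')

# One packet type per interface; corenet_packet() marks them as packet types.
type myApp_eth0_packet_t;
corenet_packet(myApp_eth0_packet_t)

type myApp_eth1_packet_t;
corenet_packet(myApp_eth1_packet_t)

# myApp_t may exchange packets labelled as eth0 traffic ...
allow myApp_t myApp_eth0_packet_t:packet { send recv };
# ... and nothing else: no rule for myApp_eth1_packet_t and no
# kernel_sendrecv_unlabeled_packets(myApp_t), so eth1 traffic and
# unlabelled packets are denied once a SECMARK rule is loaded.
EOF
}

# iptables rules: label inbound packets by ingress interface, save the
# label on the connection and restore it on replies so the SYN-ACK and
# later outbound segments carry the same type as the inbound packets.
secmark_rules() {
cat <<'EOF'
iptables -t mangle -A INPUT -i eth0 -j SECMARK --selctx system_u:object_r:myApp_eth0_packet_t:s0
iptables -t mangle -A INPUT -i eth1 -j SECMARK --selctx system_u:object_r:myApp_eth1_packet_t:s0
iptables -t mangle -A INPUT -j CONNSECMARK --save
iptables -t mangle -A OUTPUT -j CONNSECMARK --restore
EOF
}

# Build and load the module with the refpolicy development Makefile
# (selinux-policy-devel), then install the rules. Needs root and SELinux.
apply() {
    policy_source > "$MODULE.te"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    secmark_rules | sh -e
}

case "${1:-show}" in
    show)  policy_source; printf '\n# iptables rules:\n'; secmark_rules ;;
    apply) apply ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Two caveats before using this. First, loading any SECMARK rule turns on packet checks for every domain on the system, not just myApp_t; unconfined domains are unaffected, but watch the audit log for other confined services that now need the unlabeled-packet interfaces. Second, SECMARK labels IP packets in netfilter, so it governs AF_INET sockets (TCP, UDP and AF_INET SOCK_RAW) but not AF_PACKET sniffing: a packet socket sees frames before netfilter runs, so a domain that captures with AF_PACKET still sees both interfaces, and the net_raw capability cannot be narrowed to one interface by SELinux.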