netif labelling
Mr Dash Four
mr.dash.four at googlemail.com
Sat Sep 4 17:11:54 UTC 2010
I think I found a solution, inspired by reading two very good articles
by James Morris (article here -
http://james-morris.livejournal.com/11010.html) and Paul Moore (article
here - http://paulmoore.livejournal.com/4281.html). Both are members of
this list, so if they read this thread I welcome their comments.
Both articles refer to an elegant solution for my problems by using
SECMARK (which is supported by both the new kernels and SELinux) - using
iptables to mark the packets I am interested in with a specific security
context (using the --selctx iptables option), and then using my SELinux
policy to control/manipulate access to this context by using the (new)
'packet' class permissions.
With this approach I will have more fine-grained control over what goes
where and that will also allow me to use more than one net interface to
enforce control within the same policy - exactly what I wanted.
As the articles were about 4 years old I am not sure whether there is
something better out there, but this will do for the time being.
I've had a little snag, however! As an experiment, I tried to mark
packets using iptables, but my attempt failed - miserably so! I executed
this:
iptables -t mangle -A INPUT -p tcp --dst 127.0.0.1 --dport 3306 -j
SECMARK --selctx system_u:object_r:mysqld_t:s0
Error message received: "iptables: Invalid argument. Run `dmesg' for
more information.". dmesg reveals: "SECMARK: unable to obtain relabeling
permission" (note the wrong speLLing!), which then led me to my avc:
type=AVC msg=audit(1283619145.372:45): avc: denied { relabelto } for
pid=1846 comm="iptables"
scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mysqld_t:s0 tclass=packet
type=SYSCALL msg=audit(1283619145.372:45): arch=40000003 syscall=102
success=no exit=-22 a0=e a1=bfb86510 a2=cf392c a3=cf15e4 items=0
ppid=1512 pid=1846 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables" exe="/sbin/iptables-multi"
subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)
I quickly examined iptables.te and there is a macro
'relabelto_all_packets(iptables_t)', which, in essence, translates to
'allow iptables_t packet_type:packet relabelto;'
On the face of it, I can't see why I should get the above avc as the
domain in both cases is 'iptables_t'?! Any suggestions?
One additional inconvenience is that I am using Shorewall, which, from
what I can gather, does not support SECMARK and CONSECMARK and I have to
execute iptables directly to do what I want - not very nice and that
would be a matter for the Shorewall support forum.
More information about the selinux
mailing list