Old 07-07-2008, 08:01 AM
Christian Kuester
 
Packets are unlabeled over a labeled network interface

Hi List,

I'm trying to use network interface labeling with Fedora 8. But it
doesn't behave like I would assume, so it seems that I'm doing something
wrong. Here's the way I did it:

I added a type blacknic_netifcon_t in a local module by
type blacknic_netifcon_t;

and

# semanage interface -a -t blacknic_netifcon_t eth1

results of this command seem correct since:
# seinfo --netif
Netifcon: 2
netifcon eth1 system_u:object_r:blacknic_netifcon_t:s0 system_u:object_r:blacknic_netifcon_t:s0
netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c1023 system_u:object_r:unlabeled_t:s0 - s15:c0.c1023

But packets over this interface are still unlabeled:
type=AVC msg=audit(1215170990.011:689777822): avc: denied { send } for
pid=30988 comm="socat" saddr=192.168.100.54 src=3 daddr=78.xx.xx.xx
dest=1024 netif=eth1 scontext=user_u:user_r:exe_t:s0
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=packet


Christian

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-07-2008, 02:43 PM
Stephen Smalley
 
Packets are unlabeled over a labeled network interface

On Mon, 2008-07-07 at 10:01 +0200, Christian Kuester wrote:
> Hi List,
>
> I'm trying to use network interface labeling with Fedora 8. But it
> doesn't behave like I would assume, so it seems that I'm doing something
> wrong. Here's the way I did it:
>
> I added a type blacknic_netifcon_t in a local module by
> type blacknic_netifcon_t;
>
> and
>
> # semanage interface -a -t blacknic_netifcon_t eth1
>
> results of this command seem correct since:
> # seinfo --netif
> Netifcon: 2
> netifcon eth1 system_u:object_r:blacknic_netifcon_t:s0 system_u:object_r:blacknic_netifcon_t:s0
> netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c1023 system_u:object_r:unlabeled_t:s0 - s15:c0.c1023
>
> But packets over this interface are still unlabeled:
> type=AVC msg=audit(1215170990.011:689777822): avc: denied { send } for
> pid=30988 comm="socat" saddr=192.168.100.54 src=3 daddr=78.xx.xx.xx
> dest=1024 netif=eth1 scontext=user_u:user_r:exe_t:s0
> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=packet

tclass=packet corresponds to secmark, which is independent/orthogonal of
labeled networking.

Also, the default message/packet SID on a netif is not presently used
for anything.

--
Stephen Smalley
National Security Agency

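Added here as an editor's example, not code from the thread: a small Python parser that reads an AVC record like the one quoted above and reports which labeling mechanism supplies the target label for its tclass, so that a packet-class denial against unlabeled_t is read as "no SECMARK rule matched" rather than as a netifcon problem. The packet/SECMARK pairing is what Stephen states; the rows for peer, netif and node are my generalisation, and the SAMPLE_AVC line is constructed from the record in the thread.

```python
import re

# Constructed sample, modelled on the AVC record quoted in this thread (the masked "78.xx.xx.xx" is kept).
SAMPLE_AVC = (
    'type=AVC msg=audit(1215170990.011:689777822): avc: denied { send } for '
    'pid=30988 comm="socat" saddr=192.168.100.54 src=3 daddr=78.xx.xx.xx '
    'dest=1024 netif=eth1 scontext=user_u:user_r:exe_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=packet'
)

# Which SELinux network labeling mechanism supplies the target label for each object class.
# packet -> SECMARK is the thread's point; the peer/netif/node rows are the editor's generalisation.
MECHANISM_BY_CLASS = {
    "packet": "SECMARK (iptables SECMARK/CONNSECMARK targets)",
    "peer": "labeled networking (NetLabel or labeled IPsec peer label)",
    "netif": "netifcon interface label",
    "node": "nodecon node label",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_avc(line):
    """Return the key=value fields of one AVC record, plus 'decision' and 'perms'."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = DECISION_RE.search(line)
    if m:
        fields["decision"] = m.group(1)
        fields["perms"] = m.group(2).split()
    return fields


def context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def explain_denial(line):
    """Classify an AVC record by the labeling mechanism behind its tclass."""
    f = parse_avc(line)
    tclass = f.get("tclass", "")
    out = {
        "tclass": tclass,
        "mechanism": MECHANISM_BY_CLASS.get(tclass, "not a network object class"),
        "source_type": context_type(f["scontext"]),
        "target_type": context_type(f["tcontext"]),
    }
    if tclass == "packet" and out["target_type"] == "unlabeled_t":
        # unlabeled_t in the packet class: no SECMARK rule tagged the packet; the netifcon SID is not applied.
        out["hint"] = "no SECMARK rule matched this packet on %s" % f.get("netif", "?")
    return out
```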