On Mon, 2009-12-14 at 13:29 -0600, Cernak, James E (IS) wrote:
> I am trying to restrict an application to using only some interfaces
> on the system. I have defined a new type and assigned the interface on
> my RHEL5.4-x64 system to the new type with semanage. The system
> indicates that the interface is now configured.
> # semanage interface -l
> SELinux Interface Context
> eth1 system_u
> This does restrict applications like tcpdump or wireshark from listing
> the interface that was configured.
> # tcpdump -D
> 8.any (Pseudo-device that captures on all interfaces)
> My problem comes that my application can still open eth1 and read and
> write packets to this interface.
> The application is opening a socket as SOCK_RAW then binding with a
> struct sockaddr_ll that has the sll_ifindex field configured with the
> index of eth1.
> How do I write an SELinux policy to restrict this application from
> using some interfaces?
In RHEL5 (Linux 2.6.18), you might need to enable compat_net (echo 1 > /selinux/compat_net or boot with selinux_compat_net=1 on the kernel
National Security Agency
fedora-selinux-list mailing list
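To show what the netif labelling the reply refers to looks like in policy, here is an added refpolicy-style module (not from the thread or its authors) for a compat_net kernel: the domain is granted netif access only to a custom interface type and nothing to the default netif_t. The names myapp_netif, myapp_t and allowed_netif_t are assumptions, the rules that place the application into myapp_t (entrypoint, domain transition, role) are assumed to exist elsewhere, and the thread does not establish whether AF_PACKET sockets bound through sll_ifindex are subject to the netif checks.

```selinux
policy_module(myapp_netif, 1.0)

########################################
# Declarations (all names are hypothetical)
#
# myapp_t         : the confined domain the application runs in
# allowed_netif_t : label for the interface(s) the application may use;
#                   every other interface keeps the default netif_t label,
#                   to which myapp_t is deliberately given no access.
# An unconfined domain is not affected by any of this; the application
# must actually run as myapp_t for the restriction to mean anything.

gen_require(`
	attribute netif_type;
')

type myapp_t;
domain_type(myapp_t)

type allowed_netif_t, netif_type;

########################################
# Local policy

# Raw / packet sockets need CAP_NET_RAW plus the socket class permissions.
allow myapp_t self:capability net_raw;
allow myapp_t self:rawip_socket create_socket_perms;
allow myapp_t self:packet_socket create_socket_perms;

# compat_net netif checks: only the labelled interface, only raw IP traffic.
# No rule mentions netif_t, so traffic on default-labelled interfaces is denied
# and shows up as a netif AVC denial in the audit log.
allow myapp_t allowed_netif_t:netif { rawip_send rawip_recv };

# Node and port checks also apply under compat_net; the generic node suffices.
corenet_raw_sendrecv_generic_node(myapp_t)
corenet_raw_bind_generic_node(myapp_t)
```

Build with `make -f /usr/share/selinux/devel/Makefile myapp_netif.pp`, load with `semodule -i myapp_netif.pp`, then attach the type to the interface with `semanage interface -a -t allowed_netif_t eth1`, which is what makes it appear in `semanage interface -l`.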