12-14-2009, 06:29 PM
"Cernak, James E (IS)"

Title: how to restrict a SOCK_RAW by interface

Hello,



I am trying to restrict an application to using only some interfaces on the system. I have defined a new type and assigned the interface on my RHEL5.4-x64 system to the new type with semanage. The system indicates that the interface is now configured.

    # semanage interface -l
    SELinux Interface              Context

    eth1                           system_ubject_r:iface_test_t:s0

This does restrict applications like tcpdump or wireshark from listing the interface that was configured.

    # tcpdump -D
    1.peth0
    2.virbr0
    3.vif0.0
    4.eth0
    5.xenbr0
    6.eth2
    7.eth3
    8.any (Pseudo-device that captures on all interfaces)
    9.lo



My problem is that my application can still open eth1 and read and write packets on this interface.

The application is opening a socket as SOCK_RAW, then binding with a struct sockaddr_ll that has the sll_ifindex field set to the index of eth1.

How do I write an SELinux policy to restrict this application from using some interfaces?





Thanks

James Cernak

<James.Cernak`at`ngc.com>








--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
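As an added example (not code from the thread or from the poster's application), a small C probe that performs the operation James describes: it opens an AF_PACKET SOCK_RAW socket, binds it to one interface by index through sockaddr_ll.sll_ifindex, and reports whether the bind was allowed. Run it under the confined domain after labelling the interface with semanage to confirm the restriction actually holds; the default interface name eth1 comes from the post, while the function names and verdict strings are my own.

```c
#include <errno.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netpacket/packet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a raw packet socket and bind it to one interface, as the poster's
 * application does.  Returns 0 on success, otherwise a negative errno; -ENODEV
 * means no such interface exists (checked before any socket call, so it never
 * depends on privileges or policy). */
int bind_raw_to_iface(const char *ifname)
{
    unsigned int ifindex = if_nametoindex(ifname);
    if (ifindex == 0)
        return -ENODEV;
    /* SOCK_RAW over AF_PACKET: every frame on the interface, all protocols. */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -errno;   /* EPERM without CAP_NET_RAW, EACCES on an SELinux denial */
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof(sll));
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = (int)ifindex;   /* the field the poster sets to eth1's index */
    int rc = bind(fd, (struct sockaddr *)&sll, sizeof(sll));
    int saved = rc < 0 ? errno : 0;    /* bind is where the per-interface check applies */
    close(fd);
    return rc < 0 ? -saved : 0;
}

/* Map the probe's result to a verdict about the interface restriction. */
const char *verdict(int rc)
{
    if (rc == 0)       return "bind allowed: the policy does NOT restrict this interface";
    if (rc == -ENODEV) return "no such interface";
    if (rc == -EACCES || rc == -EPERM)
        return "bind denied: look for a matching AVC on the netif type in the audit log";
    return "bind failed for an unrelated reason";
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth1";   /* eth1 as in the thread */
    int rc = bind_raw_to_iface(ifname);
    printf("%s: %s (%s)\n", ifname, verdict(rc), strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

A denial from SELinux and a plain missing CAP_NET_RAW can both surface as EACCES/EPERM, so the audit log, not the errno alone, tells you which one fired.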
 
12-14-2009, 06:49 PM
Stephen Smalley

Re: how to restrict a SOCK_RAW by interface

On Mon, 2009-12-14 at 13:29 -0600, Cernak, James E (IS) wrote:
> Hello,
>
> I am trying to restrict an application to using only some interfaces
> on the system. I have defined a new type and assigned the interface on
> my RHEL5.4-x64 system to the new type with semanage. The system
> indicates that the interface is now configured.
> # semanage interface -l
> SELinux Interface Context
>
> eth1 system_ubject_r:iface_test_t:s0
> This does restrict applications like tcpdump or wireshark from listing
> the interface that was configured.
> # tcpdump -D
> 1.peth0
> 2.virbr0
> 3.vif0.0
> 4.eth0
> 5.xenbr0
> 6.eth2
> 7.eth3
> 8.any (Pseudo-device that captures on all interfaces)
> 9.lo
>
> My problem comes that my application can still open eth1 and read and
> write packets to this interface.
> The application is opening a socket as SOCK_RAW then binding with a
> struct sockaddr_LL that has the ssll_ifindex field configured with the
> index of ETH1.
> How do I write a selinux policy to restrict this application from
> using some interfaces.
>

In RHEL5 (Linux 2.6.18), you might need to enable compat_net (echo 1 > /selinux/compat_net, or boot with selinux_compat_net=1 on the kernel command line).

--
Stephen Smalley
National Security Agency
