Old 12-14-2009, 09:56 PM
"Cernak, James E (IS)"
 
how to restrict a SOCK_RAW by interface

Hello,

Thanks for the hint. However, it does not solve my problem; I still can read from eth0.

I did have to add allow rules for netif_t:netif but my policy still does not allow iface_test_t.

James

-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Mon 12/14/2009 1:49 PM
To: Cernak, James E (IS)
Cc: fedora-selinux-list@redhat.com
Subject: Re: how to restrict a SOCK_RAW by interface

On Mon, 2009-12-14 at 13:29 -0600, Cernak, James E (IS) wrote:
> Hello,
>
> I am trying to restrict an application to using only some interfaces
> on the system. I have defined a new type and assigned the interface on
> my RHEL5.4-x64 system to the new type with semanage. The system
> indicates that the interface is now configured.
>
>     # semanage interface -l
>     SELinux Interface              Context
>
>     eth1                           system_u:object_r:iface_test_t:s0
>
> This does restrict applications like tcpdump or wireshark from listing
> the interface that was configured.
>
>     # tcpdump -D
>     1.peth0
>     2.virbr0
>     3.vif0.0
>     4.eth0
>     5.xenbr0
>     6.eth2
>     7.eth3
>     8.any (Pseudo-device that captures on all interfaces)
>     9.lo
>
> My problem comes that my application can still open eth1 and read and
> write packets to this interface.
> The application is opening a socket as SOCK_RAW then binding with a
> struct sockaddr_ll that has the sll_ifindex field configured with the
> index of eth1.
> How do I write a selinux policy to restrict this application from
> using some interfaces?
>

In RHEL5 (Linux 2.6.18), you might need to enable compat_net
(echo 1 > /selinux/compat_net, or boot with selinux_compat_net=1 on the
kernel command line).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
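Added here as an example, not code from the thread or from either author: a small C probe that does what James's application does, an AF_PACKET SOCK_RAW socket bound to an interface through sll_ifindex, and reports whether the bind went through, so the policy can be tested directly against a labelled interface. It assumes a Linux host, the interface name as its argument, and CAP_NET_RAW (run as root); the file name rawbind.c is a hypothetical one.

```c
/* Added example, not from the list: open an AF_PACKET SOCK_RAW socket and bind
 * it to one interface by index, as the application in the question does. */
#include <arpa/inet.h>        /* htons */
#include <errno.h>
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <linux/if_packet.h>  /* struct sockaddr_ll */
#include <net/if.h>           /* if_nametoindex */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The address the application binds with: AF_PACKET, all protocols, ifindex. */
struct sockaddr_ll raw_bind_addr(int ifindex)
{
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = ifindex;
    return sll;
}

/* socket()+bind() on one interface.  Returns 0 if the bind went through,
 * else the errno of the failing step: EPERM from socket() means no
 * CAP_NET_RAW, EACCES is what an SELinux denial looks like (pair it with
 * the AVC in the audit log).  The netif rawip_recv/rawip_send checks in
 * the thread apply per packet, so a successful bind alone proves little. */
int probe_raw_bind(const char *ifname)
{
    unsigned int ifindex = if_nametoindex(ifname);
    if (ifindex == 0)
        return errno ? errno : ENODEV;          /* unknown interface */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return errno;
    struct sockaddr_ll sll = raw_bind_addr((int)ifindex);
    int err = bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0 ? errno : 0;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth1";
    int err = probe_raw_bind(ifname);
    printf("%s: raw bind %s\n", ifname, err ? strerror(err) : "ALLOWED");
    return err ? 1 : 0;
}
```

Run it once as the confined domain against the labelled interface and once against a netif_t interface; if both bind, confirm with sesearch that no attribute-based allow rule reaches iface_test_t, as Stephen suggests below.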
 
Old 12-16-2009, 02:02 PM
Stephen Smalley
 
how to restrict a SOCK_RAW by interface

On Mon, 2009-12-14 at 16:56 -0600, Cernak, James E (IS) wrote:
> Hello,
>
> Thanks for the hint, However it does not solve my problem I still can
> read from eth0.

eth0 or eth1? Your example showed eth1 configured as iface_test_t.
>
> I did have to add allow rules for netif_t:netif but my policy still
> does not allow iface_test_t.

Hmmm..are you sure? Did you declare any type attributes for
iface_test_t? Use sesearch or apol to confirm that there are no allow
rules to it in the final binary policy.

--
Stephen Smalley
National Security Agency

 
Old 12-17-2009, 12:56 PM
"Cernak, James E (IS)"
 
how to restrict a SOCK_RAW by interface

Hello,

Sorry, typo: it was intended to be eth1.

I just checked again. Apol shows iface_test_t having 0 attributes and 0 rule matches.

    # getenforce
    Enforcing
    # cat selinuc/compat_net
    1
    # semanage interface -l
    SELinux Interface              Context
    eth1                           system_u:object_r:iface_test_t:s0
    # grep iface_test_t *.te
    type iface_test_t;

My app still can restart, connect a socket to eth1 and read and write to eth1.

James
