fedora-selinux August 2010 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: netif labelling

Re: netif labelling

From: Mr Dash Four <mr.dash.four_at_nospam>
Date: Sun Aug 29 2010 - 11:14:47 GMT
To: Mantaray <mantaray_1@cox.net>

> I just wanted to note that I have had much more difficulty knowing if I
> have control over my network devices since the 2.6.30 kernel. Network
> control (Internet) is the only reason I use SELinux.
I agree completely! One thing I find really frustrating is
working/defining ports and assigning different types to these ports.

For example: In the targeted policy there is a line in corenetwork.te.in
which defines tor ports as 9001, 9090, 9091, 9050 and 9051. All this is
classified as tor_port_t type. Most applications utilising tor (like
Privoxy for example) only need to have access to the 9050 (and, may be,
9051) tor port and not the rest, but as things stand this is impossible
to achieve as the above group of ports are lumbered together having the
same type.

This, of course, presents a security loophole for applications to
exploit. The above example is not unique to tor - I experienced very
similar scenario when dealing with pop/smtp/imap ports - they are all
packed together as one type - very inflexible.

So, in order to avoid this I had 2 choices: redefine the targeted policy
and alter the corenetwork.te.in file appropriately, or, find another way
of defining these ports and fine tune my custom policy to suit. Since I
hit the wall with the latter (I posted a thread on here and got zero
responses!) I was left with no choice, but to redefine the targeted
policy and, in the above example, split the tor port classification in 4
groups (as they should be!):

tor_or - port 9001 (used internally by tor)
tor_dir - ports 9090, 9091 (tor directory/bridge connections are done here)
tor_proxy - port 9050 (most applications utilising tor use this port)
tor_ctl - port 9051 (tor control port, used for controlling tor by other
applications - like Vitalia for example)

> If there is new and improved documentation for the usage of the network controls, I
> would greatly appreciate knowing about it.
>
I second that! Searching for sources of good information to resolve the
above issues proved very frustrating indeed!

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux