fedora-selinux August 2010 archive

Re: netif labelling

From: Mr Dash Four <mr.dash.four_at_nospam>
Date: Sun Aug 29 2010 - 11:35:51 GMT
To: Dominick Grift <domg472@gmail.com>

> I think you indeed have to declare new network interface types if you
> want to differentiate between the various network interfaces in targeted
> policy using network_interface()
>
> Then, I think you would have to manually label the interfaces using
> semanage, I think. Or maybe the network_interfaces() interface takes care
> of labelling. Not sure.
>
There is a good example at the very end of corenetwork.te.in, which
'redefines' the 'lo' network interface using the network_interfaces()
macro. If I have to use a specific labelling I think I could follow that
example (I wasn't sure if 'automatic' relabelling wasn't already done in
some other obscure place in the targeted policy, hence my initial query).

> By default most domains are allowed to use any network interface. They
> have access to the netif_type network interface attribute that is
> assigned to all network interface types (probably via network_interface()).
>
As I understand it (again, by looking at the corenetwork files) specific
netif labelling, when defined, is used as an alias of netif_t, which
grants access to all applications using the 'generic' type. If that is
so and I am correct with that assumption all I need to do is define an
alias for a specific net device (as shown in the corenetwork files) -
say netif_tun0_t - and use this type in my custom policy to grant access
to this device only. All other applications in the policy utilising the
generic type (netif_t) should not be affected as the netif_xx_t is an
alias of netif_t.

At least that is my understanding of it.

> That, I think, probably means that you would have to replace the rules
> allowing the domain to use all network interfaces by rules that govern
> more specific access to the various network interface types.
>
Not if, as in my case, I am building a new policy, from scratch, for
an application which needs access to a specific interface only (tun0) -
if all of my assumptions in this post are true, of course.

> You can probably test this by auditing grants.
>
> auditallow domain netif_type:netif *; or something along those lines.
>
> try it i would say.
>
That is pretty useful! I'll give it a go!

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
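As an added example of the approach discussed in this exchange (not code from the thread or from the Fedora policy), here is a minimal refpolicy-style module that confines an application to tun0 and carries the auditallow suggested above; the module and domain names (tunapp, tunapp_t) are assumptions. Note that netif_tun0_t is declared as a distinct type carrying netif_type rather than as a typealias of netif_t: a typealias is only another name for the same type, so it would restrict nothing.

```selinux
policy_module(tunapp, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	attribute netif_type;
')

# Application domain and its entry point (assumed names).
type tunapp_t;
type tunapp_exec_t;
application_domain(tunapp_t, tunapp_exec_t)

# A distinct type for tun0.  It carries netif_type, so interfaces that
# grant "all network interfaces" still reach it, but a domain given
# only this type cannot use any other interface.  Writing
#   typealias netif_t alias netif_tun0_t;
# instead would not restrict anything: an alias is the same type to
# the kernel, so every domain allowed netif_t could also use tun0.
type netif_tun0_t, netif_type;

########################################
#
# Local policy
#

# Only tun0 may carry this domain's traffic.  No corenet_* "all
# interfaces" convenience calls are used, since those are what hand
# netif_type to most domains in the targeted policy.
allow tunapp_t netif_tun0_t:netif { ingress egress };

# Verification aid (drop it once the policy settles): every netif
# permission the domain actually exercises is logged as "avc: granted",
# which shows whether anything other than netif_tun0_t is ever used.
auditallow tunapp_t netif_type:netif *;
```

Build and load it with the selinux-policy-devel Makefile and semodule, label the device with `semanage interface -a -t netif_tun0_t tun0`, and look for "granted" records with `ausearch -m avc`. If none appear even for traffic that clearly crosses tun0, confirm that the kernel is applying netif checks at all: under the network peer controls they are only made when peer labelling (NetLabel or labeled IPsec) is active.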