Re: netif labelling

From: Mr Dash Four <mr.dash.four_at_nospam>
Date: Sun Aug 29 2010 - 16:02:57 GMT
To: Dominick Grift <domg472@gmail.com>

> I think you indeed have to declare new network interface types if you
> want to differentiate between the various network interfaces in targeted
> policy using network_interface()
>
This is what is defined in corenetwork.te.m4:

#
# network_interface(if_name,linux_interface,mls_sensitivity)
#
define(`network_interface',`
gen_require(``type unlabeled_t;'')
type $1_netif_t alias netif_$1_t, netif_type;
declare_netifs($1_netif_t,shift($*))
')

So, by that I am assuming that if I include
'network_interface(tun0,tun0,s0)' in my policy file (in corenetwork.te.in,
instead of 's0' there is 's0 - mls_systemhigh'; does that matter?), this is
all I need to do, right?

Also, as part of the policy I wish to enable/restrict the program to
connect on mysqld port, but ONLY on the local (lo) interface and then
listen/bind on a predefined port but on the tun0 interface. How do I do
that? There are 2 relevant macros in corenetwork.te.m4 for this:

corenet_tcp_bind_voip_sandbox_port(voip_sandbox_t)
corenet_tcp_connect_mysqld_port(voip_sandbox_t)

which are taken from:

########################################
## <summary>
## Bind TCP sockets to the $1 port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_$1_port',`
    gen_require(`
        $3 $1_$2;
    ')

    allow dollarsone $1_$2:tcp_socket name_bind;
    $4
')

and

########################################
## <summary>
## Make a TCP connection to the $1 port.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_tcp_connect_$1_port',`
    gen_require(`
        $3 $1_$2;
    ')

    allow dollarsone $1_$2:tcp_socket name_connect;
')

For me it is clear that $1 is the port type (voip_sandbox and mysqld in
my case) and 'dollarsone' expands to the parameter in brackets
(voip_sandbox_t in my case), but what are $2, $3 and $4 (in the 1st
macro above), and what values do these have? The <param> tag does not
describe any of them and I cannot find any reference anywhere! Would
SLIDE have picked those up?

If I manage to 'decipher' these I may restrict the above statements to
the proper net device type if there is no suitable other macro found,
but as it stands I am a bit stuck!

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux