fedora-selinux August 2010 archive

Re: netif labelling

From: Dominick Grift <domg472_at_nospam>
Date: Sun Aug 29 2010 - 17:46:40 GMT
To: Mr Dash Four <mr.dash.four@googlemail.com>

On 08/29/2010 06:02 PM, Mr Dash Four wrote:
>
>> I think you indeed have to declare new network interface types if you
>> want to differentiate between the various network interfaces in targeted
>> policy using network_interface()
>>
> This is what is defined in corenetwork.te.m4:
>
> #
> # network_interface(if_name,linux_interface,mls_sensitivity)
> #
> define(`network_interface',`
> gen_require(``type unlabeled_t;'')
> type $1_netif_t alias netif_$1_t, netif_type;
> declare_netifs($1_netif_t,shift($*))
> ')
>
> So, by that I am assuming that if I include
> 'network_interface(tun0,tun0,s0)' (in corenetwork.te.in instead of 's0'
> there is 's0 - mls_systemhigh' - does that matter?) in my policy file
> this is all I need to do, right?

I would probably use s0 - mls_systemhigh if possible for compatibility
with mls policy.

> Also, as part of the policy I wish to enable/restrict the program to
> connect on mysqld port, but ONLY on the local (lo) interface and then
> listen/bind on a predefined port but on the tun0 interface. How do I do
> that? There are 2 relevant macros in corenetwork.te.m4 for this:
>
> corenet_tcp_bind_voip_sandbox_port(voip_sandbox_t)
> corenet_tcp_connect_mysqld_port(voip_sandbox_t)

Those are unrelated to netif-related policy.
Basically, when you declare a netif type there are probably interfaces
created that provide access to your network interface type. That is what
governs whether your app can or cannot use it. If your app cannot use a
network interface, then it cannot use it to connect to mysqld.

> which are taken from:
>
> ########################################
> ## <summary>
> ## Bind TCP sockets to the $1 port.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> ## <infoflow type="none"/>
> #
> interface(`corenet_tcp_bind_$1_port',`
> gen_require(`
> $3 $1_$2;
> ')
>
> allow dollarsone $1_$2:tcp_socket name_bind;
> $4
> ')
>
> and
>
> ########################################
> ## <summary>
> ## Make a TCP connection to the $1 port.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`corenet_tcp_connect_$1_port',`
> gen_require(`
> $3 $1_$2;
> ')
>
> allow dollarsone $1_$2:tcp_socket name_connect;
> ')
>
>
> For me it is clear that $1 is the port type (voip_sandbox and mysqld in
> my case) and 'dollarsone' expands to the parameter in brackets
> (voip_sandbox_t in my case), but what are $2, $3 and $4 (in the 1st
> macro above) and what values do these have? The <param> tag does not
> describe any of these and I cannot find any reference anywhere! Would
> SLIDE have picked up those?

The $1_$2 is probably some hack to make it work. It's just the single
parameter $3 (domain).

> If I manage to 'decipher' these I may restrict the above statements to
> the proper net device type if there is no suitable other macro found,
> but as it stands I am a bit stuck!
>

Like I said above, the rule has nothing to do with network interfaces. It
governs access for the specified domain to connect to tcp ports.

Also you've taken the above interface block from the template file. This
file is used to automatically generate interfaces for declared port types.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
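An added illustration, not part of the thread or of refpolicy, of how the netif declaration and the port interfaces discussed above sit side by side in a module. It assumes the netif template generates corenet_tcp_sendrecv_tun0_if from the network_interface() declaration the same way it does for lo; the module name, the voip_sandbox port type and its port number are placeholders.

```m4
# Added example (not from the thread).  Assumed: corenet_*_tun0_if is
# generated from the network_interface() declaration just like the lo
# interfaces; module name, voip_sandbox port type and port number are
# placeholders.

# --- corenetwork.te.in --------------------------------------------------
network_interface(tun0, tun0, s0 - mls_systemhigh)   # range as suggested above
network_port(voip_sandbox, tcp,5060,s0)              # placeholder port number

# --- voip_sandbox.te (hypothetical module) ------------------------------
policy_module(voip_sandbox, 1.0.0)

type voip_sandbox_t;
type voip_sandbox_exec_t;
init_daemon_domain(voip_sandbox_t, voip_sandbox_exec_t)

allow voip_sandbox_t self:tcp_socket create_stream_socket_perms;

# Port side: says WHICH ports the domain may bind to or connect to.
# These come from the corenet_tcp_bind_$1_port / corenet_tcp_connect_$1_port
# templates quoted in the thread; nothing here names a network interface.
corenet_tcp_bind_generic_node(voip_sandbox_t)
corenet_tcp_bind_voip_sandbox_port(voip_sandbox_t)
corenet_tcp_connect_mysqld_port(voip_sandbox_t)

# Interface side: says WHICH interfaces the domain may exchange TCP
# traffic on.  The netif check is made per packet for the domain as a
# whole, so it is not tied to any one port: with both lines present the
# domain can reach mysqld over tun0 as well as over lo, and keeping only
# one line restricts every socket of the domain to that interface, not
# just the mysqld connection.
corenet_tcp_sendrecv_lo_if(voip_sandbox_t)
corenet_tcp_sendrecv_tun0_if(voip_sandbox_t)   # produced by the tun0 declaration
corenet_tcp_sendrecv_generic_node(voip_sandbox_t)
corenet_all_recvfrom_unlabeled(voip_sandbox_t)
```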