fedora-selinux August 2010 archive

Re: netif labelling

From: Dominick Grift <domg472_at_nospam>
Date: Sun Aug 29 2010 - 18:47:00 GMT
To: Mr Dash Four <mr.dash.four@googlemail.com>

On 08/29/2010 08:38 PM, Mr Dash Four wrote:
>
>> example:
>>
>> corenet_tcp_sendrecv_lo_if(myapp_t)
>> corenet_tcp_connect_mysqld_port(myapp_t)
>>
>> It means myapp_t can only tcp sendrecv on netif_lo_t.
>> And it can connect to mysqld tcp ports.
>>
>> so:
>>
>> It can only connect to mysqld tcp ports using the lo interface because
>> that's the only interface it can tcp sendrecv on.
>>
> Yeah, but as part of the same policy I also need to bind to and
> send/receive tcp packets on the tun0 interface (as I posted before - I
> need 2 active interfaces)! Where does that go if I have to use the bind
> statement?

So you would additionally add:

corenet_tcp_sendrecv_tun0_if(myapp_t)
corenet_tcp_bind_mysqld_port(myapp_t)

That would allow myapp_t to also tcp sendrecv on the tun0 network interface,
and it would allow myapp_t to bind tcp sockets to mysqld ports.

But I think I see where this is going:

Because now myapp_t can also connect to mysqld ports via the tun0
network interface, something you probably wanted to prevent.

Additionally, now myapp_t can also listen on the lo network interface,
also something you probably wanted to prevent.

I am not sure how to best deal with this problem.

> Not to mention that if I need to, say, connect and send/receive packets
> on the https port on tun0 as part of the same policy - and therefore
> need to add another 'corenet_tcp_connect_https_port' statement - where
> would this go and which interface would this be 'enabled' on?

> Your example above is fine if I only need one interface to connect to
> and send/receive packets. That is not the case here!

Good question that I cannot answer.

>
>>>>
>>> What do you mean? I thought this is a part of the policy as statements
>>> from this file are used by a lot of policy modules, or are you saying
>>> this transforms to something else?
>>>
>>
>> I mean the corenetwork module works a bit differently than the common
>> modules, in that it uses a template to generate interfaces for declared
>> port types automatically. That's what it uses the file you were looking
>> at for. It's not a normal interface file and it should not be used
>> manually. There's a script in refpolicy that does it for you.
>>
>> All you need to do is declare network object types and build the policy,
>> then the script will generate the interfaces for you, unlike with most
>> other modules.
>>
> Is there a way I could see the 'expanded' version of this as this would
> be the key for me to use these statements in my policy file - just in
> case I run out of alternatives?

Get refpolicy and build it. It will generate a corenetwork.if file.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
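The problem Dominick describes above, as an added example that is not part of the thread: a small Python model of how SELinux evaluates network access as independent checks (tcp_send/tcp_recv on the netif type, name_connect/name_bind on the port type) with no rule form that ties a port to an interface, so the effective access is the cross product of the interface rules and the port rules. The netif and port type names, the port numbers and the rule tuples are constructed for the model; node checks are omitted for brevity.

```python
from itertools import product

# Constructed labels: interface -> netif type, port -> port type.
NETIF_TYPES = {"lo": "netif_lo_t", "tun0": "netif_tun0_t"}
PORT_TYPES = {3306: "mysqld_port_t", 443: "http_port_t"}


def policy_from_thread(domain):
    """Build the allow set that the four corenet_* calls in the thread grant.

    Each rule is modelled as (domain, target type, object class, permission),
    mirroring the separate netif and port checks SELinux performs.
    """
    allow = set()

    def sendrecv_if(netif):      # corenet_tcp_sendrecv_*_if
        allow.add((domain, netif, "netif", "tcp_send"))
        allow.add((domain, netif, "netif", "tcp_recv"))

    def connect_port(ptype):     # corenet_tcp_connect_*_port
        allow.add((domain, ptype, "tcp_socket", "name_connect"))

    def bind_port(ptype):        # corenet_tcp_bind_*_port
        allow.add((domain, ptype, "tcp_socket", "name_bind"))

    sendrecv_if("netif_lo_t")       # corenet_tcp_sendrecv_lo_if(myapp_t)
    connect_port("mysqld_port_t")   # corenet_tcp_connect_mysqld_port(myapp_t)
    sendrecv_if("netif_tun0_t")     # corenet_tcp_sendrecv_tun0_if(myapp_t)
    bind_port("mysqld_port_t")      # corenet_tcp_bind_mysqld_port(myapp_t)
    return allow


def allowed(allow, domain, op, iface, port):
    """An operation succeeds only if every independent check passes."""
    netif, ptype = NETIF_TYPES[iface], PORT_TYPES[port]
    port_perm = "name_connect" if op == "connect" else "name_bind"
    return ((domain, netif, "netif", "tcp_send") in allow
            and (domain, netif, "netif", "tcp_recv") in allow
            and (domain, ptype, "tcp_socket", port_perm) in allow)


def effective_access(allow, domain):
    """Enumerate every (op, iface, port) combination the policy lets through."""
    combos = product(("connect", "bind"), NETIF_TYPES, PORT_TYPES)
    return sorted(c for c in combos if allowed(allow, domain, *c))


if __name__ == "__main__":
    for entry in effective_access(policy_from_thread("myapp_t"), "myapp_t"):
        print(entry)   # includes connect via tun0 and bind on lo, both unintended
```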