|Main Archive Page > Month Archives > selinux archives|
Yes. That is correct. What I am looking at though is a piece of hardware
that does not use IP (or TCP and UDP for that matter). Instead, they
implement their own protocol at the IP layer. So any traffic coming from
the hardware (to the system that I am writing policy for) and any traffic
being sent to that machine uses a raw socket to communicate (no IP at
all). I briefly looked at ebtables, but it doesn't appear to have the same
type of SECMARK support that I would use with iptables.
I think the best solution that I have come up with is to label the network
interface used to communicate with the hardware, and then only allow the
domain being confined to create sockets and bind to that interface.
-- Thomas Moyer, Technical Staff voice: (781) 981-1374 Cyber Systems Technology Group mobile: (857) 268-0493 MIT Lincoln Laboratory email: email@example.com 244 Wood Street Lexington, MA 02420 On 10/30/12 6:39 PM, "Paul Moore" <firstname.lastname@example.org> wrote: >On Friday, October 26, 2012 04:08:15 PM Moyer, Thomas - 0668 - MITLL >wrote: >> I am working with a piece of embedded hardware that uses raw ethernet >>frames >> to communicate with another (standard PC). Is it possible to apply >>SELinux >> labels to those ethernet frames like you can with IP packets using >>iptables >> and SECMARK? > >The secmark/iptables labels never leave the local system, they are >maintained >only within the kernel and do not travel out over the wire. If you are >interested in communicating security label over the network your only >options >at present require an IP header at the very least. > >-- >paul moore >www.paul-moore.com >
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to email@example.com with the words "unsubscribe selinux" without quotes as the message.