* Conditional Access to Network Resources
@ 2008-10-21 9:25 Chris Kuester
2008-10-21 11:04 ` Dominick Grift
2008-10-21 12:03 ` Stephen Smalley
0 siblings, 2 replies; 4+ messages in thread
From: Chris Kuester @ 2008-10-21 9:25 UTC (permalink / raw)
To: selinux
Hi List,
I'm facing the following problem:
I want to allow my domain to access certain ports on the local interface
and certain ports on a nonlocal interface.
Example:
Domain may connect to port 25 over eth0
Domain may connect to port 4242 only on the loopback interface.
But if I allow my domain to access port 25 over eth0 it can also
access port 25 on the local interface because I have to allow full
access to both, local and remote nodes and sending traffic over
both network interfaces.
I think I need to have some kind of condition, or do I misunderstand
something here?
Constraint: Switching to SECMARKing instead of the "old" network
confinement code is not an option at the moment. :(
Regards,
Chris
--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Heilsbachstr. 24, 53123 Bonn | Poststr. 4-5, 10178 Berlin
fon: +49(228) / 52675-0 | fon: +49(30) / 27594853
fax: +49(228) / 52675-25 | fax: +49(30) / 78709617
Geschäftsführer
Boris Esser, Elmar Geese
HRB AG Bonn 5168
Ust-ID: DE122264941
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Conditional Access to Network Resources
2008-10-21 9:25 Conditional Access to Network Resources Chris Kuester
@ 2008-10-21 11:04 ` Dominick Grift
2008-10-21 12:03 ` Stephen Smalley
1 sibling, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2008-10-21 11:04 UTC (permalink / raw)
To: Chris Kuester; +Cc: selinux
On Tue, 2008-10-21 at 11:25 +0200, Chris Kuester wrote:
> I want to allow my domain to access certain ports on the local interface
> and certain ports on a nonlocal interface.
I think that you would have to first declare your interfaces with for example "semanage interface -{a|d|m} [-tr] interface_spec"
(man semanage) and then define policy about how domains may interact with the interfaces that you have declared.
By default no interfaces are declared and a domain may interact with any
interface.
* Re: Conditional Access to Network Resources
2008-10-21 9:25 Conditional Access to Network Resources Chris Kuester
2008-10-21 11:04 ` Dominick Grift
@ 2008-10-21 12:03 ` Stephen Smalley
2008-10-21 14:03 ` Paul Moore
1 sibling, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2008-10-21 12:03 UTC (permalink / raw)
To: Chris Kuester; +Cc: selinux, James Morris, Eric Paris, Paul Moore
On Tue, 2008-10-21 at 11:25 +0200, Chris Kuester wrote:
> Hi List,
>
> I'm facing the following problem:
>
> I want to allow my domain to access certain ports on the local interface
> and certain ports on a nonlocal interface.
> Example:
> Domain may connect to port 25 over eth0
> Domain may connect to port 4242 only on the loopback interface.
>
> But if I allow my domain to access port 25 over eth0 it can also
> access port 25 on the local interface because I have to allow full
> access to both, local and remote nodes and sending traffic over
> both network interfaces.
>
> I think I need to have some kind of condition, or do I misunderstand
> something here?
>
> Constraint: Switching to SECMARKing instead of the "old" network
> confinement code is not an option at the moment. :(
Offhand, I think that is your only option if you want to express
combinations of restrictions like this - this is precisely why SECMARK
was created.
Now, if your goal instead is to control the end point domains to which a
domain can connect, then you might investigate using labeled networking
and its controls instead to enforce restrictions over what domains can
talk with what other domains.
--
Stephen Smalley
National Security Agency
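The following is an added example, not code posted by anyone in this thread. It spells out the two things said above: Dominick's per-interface policy under the old controls, and why, as Stephen says, only SECMARK can tie a port to an interface. The domain name mydom_t, the packet types mydom_smtp_packet_t and mydom_local_packet_t, and the port type mydom_local_port_t are all invented here; the script also assumes a Reference Policy build tree with its development Makefile at /usr/share/selinux/devel/Makefile, an iptables with the SECMARK and CONNSECMARK targets, and that the compat_net controls are switched off so the netif/node checks no longer apply.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. It expresses the two
# rules Chris asked for with SECMARK:
#   port 25   -> only over eth0
#   port 4242 -> only over lo
# Assumed (invented) names: domain mydom_t; packet types mydom_smtp_packet_t and
# mydom_local_packet_t; port type mydom_local_port_t for tcp/4242.
# Assumed environment: Reference Policy with its development Makefile at
# /usr/share/selinux/devel/Makefile, iptables with the SECMARK/CONNSECMARK
# targets, and the compat_net controls switched off.

# The policy module. The commented-out netif/node rules are what the old
# compat_net controls would need; because each of them is an independent
# check, together they also permit 25 over lo and 4242 over eth0, which is
# exactly the cross product Chris is trying to avoid.
policy_module_text() {
	cat <<'EOF'
policy_module(mydom_secmark, 1.0)

gen_require(`
	type mydom_t;
')

# One packet type per (interface, port) pair that should be reachable.
type mydom_smtp_packet_t;
corenet_packet(mydom_smtp_packet_t)
type mydom_local_packet_t;
corenet_packet(mydom_local_packet_t)

# Port type for tcp/4242; bound with: semanage port -a -t mydom_local_port_t -p tcp 4242
type mydom_local_port_t;
corenet_port(mydom_local_port_t)

# name_connect port checks apply whether or not SECMARK is used.
corenet_tcp_connect_smtp_port(mydom_t)
allow mydom_t mydom_local_port_t:tcp_socket name_connect;

# compat_net equivalent (not enough: the netif and node checks do not know
# which port the packet is for):
#   allow mydom_t { netif_t lo_netif_t }:netif { tcp_send tcp_recv };
#   allow mydom_t { node_t lo_node_t }:node { tcp_send tcp_recv };

# SECMARK: the packet label itself encodes (interface, port).
allow mydom_t mydom_smtp_packet_t:packet { send recv };
allow mydom_t mydom_local_packet_t:packet { send recv };
# Deliberately no rule for unlabeled_t:packet, so anything the iptables rules
# leave unlabeled is denied to mydom_t.
EOF
}

# iptables rules that attach those labels. Only the first packet of a flow is
# matched on interface and port; CONNSECMARK copies the label onto the
# conntrack entry and restores it on every later packet in both directions.
secmark_rules() {
	cat <<'EOF'
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW -j SECMARK --selctx system_u:object_r:mydom_smtp_packet_t:s0
iptables -t mangle -A OUTPUT -o lo -p tcp --dport 4242 -m state --state NEW -j SECMARK --selctx system_u:object_r:mydom_local_packet_t:s0
iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
EOF
}

# Build, install and activate everything. Only runs when asked for explicitly.
apply_all() {
	tmp=$(mktemp -d) || return 1
	policy_module_text > "$tmp/mydom_secmark.te"
	( cd "$tmp" && make -f /usr/share/selinux/devel/Makefile mydom_secmark.pp ) || return 1
	semodule -i "$tmp/mydom_secmark.pp" || return 1
	semanage port -a -t mydom_local_port_t -p tcp 4242 || return 1
	secmark_rules | while read -r cmd; do eval "$cmd" || exit 1; done
}

if [ "${1:-}" = "--apply" ]; then
	apply_all
fi
```

Run it as `sh secmark.sh --apply` on the target host; without the flag it only defines the functions so the generated module and rules can be inspected first (`sh -c '. ./secmark.sh; policy_module_text; secmark_rules'`). Two caveats: the server listening on 4242 on this host also needs `packet { send recv }` on mydom_local_packet_t, because the restored connection label is attached to its replies as well; and the whole scheme depends on mydom_t not having `unlabeled_t:packet send` (in Reference Policy terms, not getting kernel_sendrecv_unlabeled_packets()), otherwise an unlabeled connection to port 25 over lo goes through unchecked. `sesearch -A -s mydom_t -c packet` shows what the installed policy actually grants.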
* Re: Conditional Access to Network Resources
2008-10-21 12:03 ` Stephen Smalley
@ 2008-10-21 14:03 ` Paul Moore
0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2008-10-21 14:03 UTC (permalink / raw)
To: Chris Kuester; +Cc: Stephen Smalley, selinux, James Morris, Eric Paris
On Tuesday 21 October 2008 8:03:03 am Stephen Smalley wrote:
> On Tue, 2008-10-21 at 11:25 +0200, Chris Kuester wrote:
> > Hi List,
> >
> > I'm facing the following problem:
> >
> > I want to allow my domain to access certain ports on the local
> > interface and certain ports on a nonlocal interface.
> > Example:
> > Domain may connect to port 25 over eth0
> > Domain may connect to port 4242 only on the loopback interface.
> >
> > But if I allow my domain to access port 25 over eth0 it can also
> > access port 25 on the local interface because I have to allow full
> > access to both, local and remote nodes and sending traffic over
> > both network interfaces.
> >
> > I think I need to have some kind of condition, or do I
> > misunderstand something here?
> >
> > Constraint: Switching to SECMARKing instead of the "old" network
> > confinement code is not an option at the moment. :(
>
> Offhand, I think that is your only option if you want to express
> combinations of restrictions like this - this is precisely why
> SECMARK was created.
I agree with Stephen, with the combinations you describe I don't believe
it would be possible to do what you want using the old/compat_net
controls. Can you explain in more detail what your overall network
security goals are for your domain/application? We might be able to
help solve the problem another way ...
Also, if you don't mind, can I ask why SECMARK is not an option? I
expect that the older controls will be marked as deprecated in the near
future with the goal of removal some time after that. Understanding
why SECMARK is not an option is important so we can make a smooth
transition.
--
paul moore
linux @ hp