From: paul@paul-moore.com (Paul Moore)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] MLS policy and networking
Date: Mon, 12 Mar 2012 09:30:04 -0400
Message-ID: <2111960.bRKSTJOWmF@sifl>
In-Reply-To: <4F5A8524.8020507@nps.edu>

On Friday, March 09, 2012 02:33:08 PM David Shifflett wrote:
> Ok, given the below info, I'll re ask my original question.
> 
> I don't care about labeling all the network traffic or packets.
> I want to label the interface and have the system enforce the policy based
> on the process label and the interface label.

All of my original advice still applies.

 * http://paulmoore.livejournal.com/5536.html

> If I use semanage to label the eth1 interface s0 and the eth2 interface s1
> 
> Why is a process at s1 allowed to access eth1?

Short answer: because you've only half-way configured the labeled networking 
access controls.

Longer answer: for both performance and policy reasons, the network access 
controls lie dormant/disabled until you have fully configured them.  Once they 
are fully configured, they will become active and you can start enforcing the 
access controls you describe above.  When you only run the semanage commands 
as you've described above, you can't enforce the network access controls, as 
the network traffic "loops back" into the system after being sent.

> I am not in 'compat_net' mode, so if semanage isn't that right way to label
> the interface, should I use SECMARK, or netlabelctl?

You should be using the commands I sent you earlier.

It may not be as simple as you want it to be, but it is the way it works.

> BTW, I agree, clear as mud :)
> 
> dave
> 
> Paul Moore wrote:
> <snip>
> 
> > * The semanage tool is simply a tool which assigns labels to resources and
> > entities on the system.  In the case of network related "things" it can
> > assign labels to interfaces and proto/port combinations.  It is important
> > to note that semanage does not label network traffic.
> > 
> > Hopefully that makes it all as clear as mud :)

-- 
paul moore
www.paul-moore.com

Thread overview: 8+ messages
2012-02-28 22:07 [refpolicy] MLS policy and networking David Shifflett
2012-03-05 19:06 ` David Shifflett
2012-03-06 13:27   ` Christopher J. PeBenito
2012-03-08 18:30 ` Paul Moore
2012-03-08 19:19   ` David Shifflett
2012-03-09 20:43     ` Paul Moore
2012-03-09 22:33       ` David Shifflett
2012-03-12 13:30         ` Paul Moore [this message]