* netifcon
@ 2004-08-05 18:02 Alexis Wagner
From: Alexis Wagner @ 2004-08-05 18:02 UTC (permalink / raw)
To: selinux
Hi,
I have read this comment in the file attrib.te: "... operations on the
interface (XXX obsolete, not supported via LSM)".
I would like to know: if I define a security context for an interface via
netifcon, would it be supported by SELinux?
Thank you,
Alexis Wagner
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: netifcon
From: Stephen Smalley @ 2004-08-05 18:18 UTC (permalink / raw)
To: Alexis Wagner; +Cc: selinux
On Thu, 2004-08-05 at 14:02, Alexis Wagner wrote:
> Hi,
>
> I have read this comment in the file attrib.te: "... operations on the
> interface (XXX obsolete, not supported via LSM)".
>
> I would like to know: if I define a security context for an interface via
> netifcon, would it be supported by SELinux?
You can still assign security contexts to interfaces and control traffic
sent or received on the interface based on that security context. Only
operations on the interface (e.g. ioctls to configure the interface) are
being referenced by that comment; in the pre-LSM SELinux, permission
checks were directly inserted into the devinet code to check permissions
between the process security context and the interface security context;
LSM sought to avoid such deeply embedded security hooks. In the
LSM-based SELinux, you can still leverage the existing capability
checks, as SELinux performs a parallel permission check whenever a
capability check is applied, so the SELinux policy still has to grant
you cap_net_admin in order to configure the interface, but this is just
a process-based authorization, not a per-interface based authorization.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
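To make the distinction in the reply concrete, here is an added policy fragment (not from the thread or from the SELinux example policy of the time; the type names, domain names and the interface name eth0 are hypothetical) contrasting the per-interface netif rules that netifcon still enables with the process-wide capability check that gates interface configuration:

```selinux
# Added illustration, not from the thread. Types, domains and the interface
# name are hypothetical; the syntax is the monolithic policy language of the
# 2004-era example policy (no MLS level suffix on contexts).

# The interface's own type, and the type used as the default context for
# packets arriving on it.
type ext_netif_t;
type ext_packet_t;

# netifcon <ifname> <interface context> <default packet context>
# This lives in net_contexts and is what the reply says still works.
netifcon eth0 system_u:object_r:ext_netif_t system_u:object_r:ext_packet_t

# Per-interface traffic control: a socket owned by webd_t may only send or
# receive on eth0 if its domain holds the matching netif permission on
# ext_netif_t. A domain without such rules is denied (and the AVC logs it).
type webd_t;
allow webd_t ext_netif_t:netif { tcp_send tcp_recv };
allow webd_t ext_netif_t:netif { udp_send udp_recv };
# Not granting rawip_send/rawip_recv keeps webd_t off raw IP on eth0.

# Configuring the interface (ioctls such as setting an address or flags) is
# NOT checked against ext_netif_t. SELinux piggybacks on the kernel's
# capability check, so the policy grants net_admin to the administrative
# domain as a whole; once granted, that domain can configure any interface,
# not just eth0. This is the "process-based authorization" in the reply.
type ifconfig_t;
allow ifconfig_t self:capability net_admin;

# There is no netif rule that would restrict ifconfig_t to configuring only
# ext_netif_t interfaces; the "XXX obsolete" comment in attrib.te refers to
# those pre-LSM per-interface checks, which the LSM design dropped.
```

Auditing consequence: a denial for interface configuration shows up as a capability/net_admin denial on the process, not as a netif denial naming the interface.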