I have been asked for a use case that says I want to allow X domain to only be able to use eth1.
From: Daniel J Walsh @ 2011-03-16 20:32 UTC (permalink / raw)
To: SELinux
For example, if you wanted to allow httpd_t to only use eth1, you have a
problem. You need to label all of the devices on your system as
something other than netif_t. And then add a rule like
semanage interface -a -t public_t eth0
semanage interface -a -t private_t eth1
allow { domain -httpd_t } public_t:netif *;
allow httpd_t private_t:netif *;
If you wanted all other processes to also use eth0, you would add
allow domain private_t:netif *;
Now ignoring the fact that I used domain instead of some attribute to
indicate all domains that use the network.
Even if I did the code above, if a new interface showed up later httpd_t
would be allowed to use it since it can use netif_t, which is the
default for all interfaces.
The problem is I can not change the default.
semanage interface -a -t public_t *
For example would not work, I don't think.
I guess I can do something hacky like I am with unlabelednet.pp and
just put all of the netif rules into a module that I can disable, but I
wanted to know if anyone has a better way.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Re: I have been asked for a use case that says I want to allow X domain to only be able to use eth1.
From: Daniel J Walsh @ 2011-03-16 21:16 UTC (permalink / raw)
To: SELinux
On 03/16/2011 04:32 PM, Daniel J Walsh wrote:
> For example, if you wanted to allow httpd_t to only use eth1, you have a
> problem. You need to label all of the devices on your system as
> something other than netif_t. And then add a rule like
>
> semanage interface -a -t public_t eth0
> semanage interface -a -t private_t eth1
>
> allow { domain -httpd_t } public_t:netif *;
> allow httpd_t private_t:netif *;
>
> If you wanted all other processes to also use eth0, you would add
> allow domain private_t:netif *;
>
> Now ignoring the fact that I used domain instead of some attribute to
> indicate all domains that use the network.
>
> Even if I did the code above, if a new interface showed up later httpd_t
> would be allowed to use it since it can use netif_t, which is the
> default for all interfaces.
>
> The problem is I can not change the default.
>
> semanage interface -a -t public_t *
>
> For example would not work, I don't think.
>
> I guess I can do something hacky like I am with unlabelednet.pp and
> just put all of the netif rules into a module that I can disable, but I
> wanted to know if anyone has a better way.
>
I guess for this to work best I will need to deal with the node instead
of the interface. As long as there is an IP associated with the node, I
can put a label out like

semanage node -a -t public_node_t 0.0.0.0/0
semanage node -a -t private_node_t 1.2.3.4/32

allow { domain -httpd_t } public_node_t:socket_class_set node_bind;
allow { httpd_t } private_node_t:tcp_socket node_bind;
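A worked version of the node-based approach from the reply, including the catch-all label that the netif approach in the first message could not express. This is an added example, not code from the thread or from the SELinux project: the module name httpd_private_node, the address 1.2.3.4 standing in for the address on eth1, the use of the refpolicy node_type attribute and the refpolicy devel Makefile are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It generates the two artifacts the
# node-based approach needs (a policy module and the semanage node commands)
# and loads them only when the SELinux policy tools are present.
# Assumptions: module name, the private address 1.2.3.4 (the address on eth1),
# the refpolicy node_type attribute, and the refpolicy devel Makefile.
set -eu

MODULE_NAME="${MODULE_NAME:-httpd_private_node}"
PRIVATE_IP="${PRIVATE_IP:-1.2.3.4}"   # assumed: the address configured on eth1

# Policy module source. The two allow rules are the ones from the reply.
# Attaching the new types to the node_type attribute is what lets them be
# used as node labels in a refpolicy-based policy (assumption about the target).
gen_te() {
    cat <<EOF
policy_module(${MODULE_NAME}, 1.0.0)

require {
    type httpd_t;
    attribute domain;
    attribute node_type;
}

type public_node_t;
typeattribute public_node_t node_type;
type private_node_t;
typeattribute private_node_t node_type;

# every domain except httpd_t may bind sockets on any address
allow { domain -httpd_t } public_node_t:socket_class_set node_bind;
# httpd_t may bind only on the private address
allow httpd_t private_node_t:tcp_socket node_bind;
EOF
}

# Node labels. The 0.0.0.0 with mask 0.0.0.0 entry is the catch-all the netif
# approach could not express: an address that shows up later is public_node_t,
# so httpd_t cannot bind to it.
gen_semanage() {
    cat <<EOF
semanage node -a -t private_node_t -p ipv4 -M 255.255.255.255 ${PRIVATE_IP}
semanage node -a -t public_node_t -p ipv4 -M 0.0.0.0 0.0.0.0
EOF
}

# Build and load the module, then add the node labels, if the tools are present.
build_and_apply() {
    dir=$(mktemp -d)
    gen_te > "${dir}/${MODULE_NAME}.te"
    gen_semanage > "${dir}/label-nodes.sh"
    if [ -f /usr/share/selinux/devel/Makefile ] && command -v semodule >/dev/null 2>&1; then
        ( cd "${dir}" && make -f /usr/share/selinux/devel/Makefile "${MODULE_NAME}.pp" )
        semodule -i "${dir}/${MODULE_NAME}.pp"
        sh "${dir}/label-nodes.sh"
        semanage node -l            # confirm both node entries are listed
    else
        echo "SELinux policy tools not found; generated files left in ${dir}" >&2
    fi
}

# Run with "apply" as the first argument to build and load on a real host.
if [ "${1:-}" = "apply" ]; then
    build_and_apply
fi
```

Two things to check before relying on this. The rules only govern bind(): httpd must be configured to listen on the private address explicitly rather than on the wildcard address, and outbound traffic is governed by separate node and netif permissions. The example also relies on the /32 entry taking precedence over the catch-all entry for the same address, so verify the result by attempting a bind as httpd_t on both addresses rather than trusting the listing alone.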