From: shifflett@nps.edu (David Shifflett)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] MLS policy and networking
Date: Tue, 28 Feb 2012 14:07:52 -0800
Message-ID: <4F4D5038.3090001@nps.edu>

I am trying to use the MLS policy to control access to various
networks.

I am running on Fedora 13,
# sestatus
reports - enabled, mode enforcing, policy version 24, policy file mls

My system has eth1 192.168.2.1, and eth2 192.168.3.1.

I am trying to set the contexts correctly so that processes
with a sensitivity of s0 can use eth1,
and a sensitivity of s1 can use eth2

Nothing I have tried prevents a process at s1 from accessing
a node/interface/port with a sensitivity of s0.

Here is what I have tried:
(set everything to s0)
semanage interface -a -r s0 -t user_t eth1
semanage interface -a -r s0 -t user_t eth2
semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.2.1
semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.3.1
semanage port -a -r s0 -t user_t -p tcp 55055

This yields:
# cat /etc/selinux/mls/modules/active/ports.local
portcon tcp 55055 system_u:object_r:user_t:s0

# cat /etc/selinux/mls/modules/active/interfaces.local
netifcon eth1 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
netifcon eth2 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0

# cat /etc/selinux/mls/modules/active/nodes.local
nodecon ipv4 192.168.2.1 255.255.255.0 system_u:object_r:user_t:s0
nodecon ipv4 192.168.3.1 255.255.255.0 system_u:object_r:user_t:s0

# semanage port -l | grep 55055
user_t tcp 55055

# semanage node -l
192.168.2.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0
192.168.3.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0

# semanage interface -l
eth1 system_u:object_r:user_t:s0
eth2 system_u:object_r:user_t:s0

I am running a simple python server program listening,
accepting connections on port 55055,
and reading/writing data from/to the client.

The python program reports its context via selinux.getcon()
and works whether the context is
user_u:user_r:user_t:s0-s15:c0.c1023
or
user_u:user_r:user_t:s1-s15:c0.c1023

It appears that the MLS policy isn't being enforced,
or I am missing something.

I am new to SELinux so hopefully I am doing something simple wrong.
Let me know if there is any other data I need to provide.


Any help sorting this out would be appreciated,
Thanks,
David Shifflett


Thread overview: 8+ messages
2012-02-28 22:07 David Shifflett [this message]
2012-03-05 19:06 ` [refpolicy] MLS policy and networking David Shifflett
2012-03-06 13:27   ` Christopher J. PeBenito
2012-03-08 18:30 ` Paul Moore
2012-03-08 19:19   ` David Shifflett
2012-03-09 20:43     ` Paul Moore
2012-03-09 22:33       ` David Shifflett
2012-03-12 13:30         ` Paul Moore
