From: shifflett@nps.edu (David Shifflett)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] MLS policy and networking
Date: Mon, 5 Mar 2012 11:06:28 -0800
Message-ID: <4F550EB4.7020809@nps.edu>
In-Reply-To: <4F4D5038.3090001@nps.edu>
I have a little more information to add.
I reversed the MLS levels of the node/interface/port and process.
With the node/interface/port labeled at s1, the process running at s0 is
NOT prevented from accessing the network.
Please help me understand if I am configuring things incorrectly,
or if the MLS policy isn't being correctly applied to network
nodes/interfaces/ports.
David Shifflett
David Shifflett wrote:
> I am trying to use the MLS policy to control access to various
> networks.
>
> I am running on Fedora 13,
> # sestatus
> reports - enabled, mode enforcing, policy version 24, policy file mls
>
> My system has eth1 192.168.2.1, and eth2 192.168.3.1.
>
> I am trying to set the contexts correctly so that processes
> with a sensitivity of s0 can use eth1,
> and a sensitivity of s1 can use eth2
>
> Nothing I have tried prevents a process at s1 from accessing
> a node/interface/port with a sensitivity of s0.
>
> Here is what I have tried:
> (set everything to s0)
> semanage interface -a -r s0 -t user_t eth1
> semanage interface -a -r s0 -t user_t eth2
> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.2.1
> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.3.1
> semanage port -a -r s0 -t user_t -p tcp 55055
>
> This yields:
> # cat /etc/selinux/mls/modules/active/ports.local
> portcon tcp 55055 system_u:object_r:user_t:s0
>
> # cat /etc/selinux/mls/modules/active/interfaces.local
> netifcon eth1 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
> netifcon eth2 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
>
> # cat /etc/selinux/mls/modules/active/nodes.local
> nodecon ipv4 192.168.2.1 255.255.255.0 system_u:object_r:user_t:s0
> nodecon ipv4 192.168.3.1 255.255.255.0 system_u:object_r:user_t:s0
>
> # semanage port -l | grep 55055
> user_t tcp 55055
>
> # semanage node -l
> 192.168.2.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0
> 192.168.3.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0
>
> # semanage interface -l
> eth1 system_u:object_r:user_t:s0
> eth2 system_u:object_r:user_t:s0
>
> I am running a simple python server program listening,
> accepting connections on port 55055,
> and reading/writing data from/to the client.
>
> The python program reports its context via selinux.getcon()
> and works whether the context is
> user_u:user_r:user_t:s0-s15:c0.c1023
> or
> user_u:user_r:user_t:s1-s15:c0.c1023
>
> It appears that the MLS policy isn't being enforced,
> or I am missing something.
>
> I am new to SELinux so hopefully I am doing something simple wrong.
> Let me know if there is any other data I need to provide.
>
>
> Any help sorting this out would be appreciated,
> Thanks,
> David Shifflett
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
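The post labels ports, interfaces and nodes with `semanage` and then asks why a process whose range is `s1-s15:c0.c1023` still reaches objects labelled `s0`. The following is an added example, not code from the thread or from refpolicy: it parses SELinux MLS contexts and the `portcon`/`netifcon`/`nodecon` records quoted above (used verbatim as sample input), computes MLS dominance of a process's low and high level over each labelled network object, and lists objects whose sensitivity differs from the poster's intended plan (eth1 and 192.168.2.0/24 at s0, eth2 and 192.168.3.0/24 at s1). The function names, the `INTENDED_SENS` map and the single reversed-label record in the usage note are assumptions for illustration. Which of the two process levels a given permission is compared against is decided by the policy's `mlsconstrain` rules, which the thread does not show, so the dominance table is input to that reasoning rather than a verdict on the policy.

```python
"""Added example (not from the thread): parse SELinux MLS contexts and the
semanage *.local network records quoted in the post, then compute MLS
dominance between a process's range and each labelled network object."""
import re
from dataclasses import dataclass

# Records exactly as shown in the quoted ports.local / interfaces.local /
# nodes.local output ("set everything to s0").
SAMPLE_RECORDS = """\
portcon tcp 55055 system_u:object_r:user_t:s0
netifcon eth1 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
netifcon eth2 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
nodecon ipv4 192.168.2.1 255.255.255.0 system_u:object_r:user_t:s0
nodecon ipv4 192.168.3.1 255.255.255.0 system_u:object_r:user_t:s0
"""

# The poster's stated goal (assumed mapping): s0 processes use eth1,
# s1 processes use eth2.
INTENDED_SENS = {"eth1": 0, "192.168.2.1/255.255.255.0": 0,
                 "eth2": 1, "192.168.3.1/255.255.255.0": 1}


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dominates(self, other):
        """MLS dominance: sensitivity >= and category set is a superset."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """'s1', 's15:c0.c1023' or 's3:c1,c5.c7' -> Level."""
    sens_part, _, cat_part = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if m is None:
        raise ValueError(f"bad sensitivity: {sens_part!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")          # 'c0.c1023' is a range
        lo_n, hi_n = int(lo[1:]), int((hi or lo)[1:])
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_context(ctx):
    """'user_u:user_r:user_t:s1-s15:c0.c1023' -> (user, role, type, low, high).
    A single-level context such as '...:s0' yields low == high."""
    user, role, typ, mls = ctx.split(":", 3)
    low_text, _, high_text = mls.partition("-")  # '-' only separates low-high
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    return user, role, typ, low, high


def parse_records(text):
    """portcon/netifcon/nodecon lines -> {object name: (low, high)}."""
    objects = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "portcon":          # portcon PROTO PORT CONTEXT
            name, ctx = f"{tok[1]}/{tok[2]}", tok[3]
        elif tok[0] == "netifcon":       # netifcon IF IF_CONTEXT PACKET_CONTEXT
            name, ctx = tok[1], tok[2]
        elif tok[0] == "nodecon":        # nodecon PROTO ADDR MASK CONTEXT
            name, ctx = f"{tok[2]}/{tok[3]}", tok[4]
        else:
            raise ValueError(f"unknown record: {line!r}")
        _, _, _, low, high = parse_context(ctx)
        objects[name] = (low, high)
    return objects


def dominance_table(process_ctx, objects):
    """For each object: does the process's low level / high level dominate
    the object's level?  Which of the two a given permission compares is
    decided by the policy's mlsconstrain rules, not by this table."""
    _, _, _, plow, phigh = parse_context(process_ctx)
    return {name: {"low_dominates": plow.dominates(ohigh),
                   "high_dominates": phigh.dominates(ohigh)}
            for name, (_, ohigh) in objects.items()}


def label_mismatches(objects, intended):
    """Objects whose actual sensitivity differs from the intended plan."""
    return {name: (objects[name][0].sens, want)
            for name, want in intended.items()
            if name in objects and objects[name][0].sens != want}


if __name__ == "__main__":
    objs = parse_records(SAMPLE_RECORDS)
    for ctx in ("user_u:user_r:user_t:s0-s15:c0.c1023",
                "user_u:user_r:user_t:s1-s15:c0.c1023"):
        print(ctx, dominance_table(ctx, objs))
    print("mismatches vs plan:", label_mismatches(objs, INTENDED_SENS))
```

Running it shows that both process ranges quoted in the post dominate every s0 object at both their low and high end, and that against a constructed `nodecon ... s1` record a process at `s0-s15:c0.c1023` fails the low-level comparison but still passes the high-level one, since s15 dominates s1. The mismatch report flags eth2 and 192.168.3.1/255.255.255.0 as labelled s0 while the plan wants s1, which is exactly the "set everything to s0" state the quoted records describe.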
Thread overview:
2012-02-28 22:07 [refpolicy] MLS policy and networking David Shifflett
2012-03-05 19:06 ` David Shifflett [this message]
2012-03-06 13:27 ` Christopher J. PeBenito
2012-03-08 18:30 ` Paul Moore
2012-03-08 19:19 ` David Shifflett
2012-03-09 20:43 ` Paul Moore
2012-03-09 22:33 ` David Shifflett
2012-03-12 13:30 ` Paul Moore