2010-05-17 11:42:13

by Shaz

[permalink] [raw]
Subject: [refpolicy] A strange usecase

Hi,

How can we "make sure a guest user can only see traffic counters of
eth0 but not eth1"

thanx in advance.

--
Shaz


2010-05-17 12:15:02

by cpebenito

[permalink] [raw]
Subject: [refpolicy] A strange usecase

On Mon, 2010-05-17 at 16:42 +0500, Shaz wrote:
> How can we "make sure a guest user can only see traffic counters of
> eth0 but not eth1"

It is not possible. That info comes out of the /proc/net/dev proc file.
All interfaces are in the same file, so you can either see all of the
interfaces or none of the interfaces. This can be controlled by
allowing or denying access to proc_net_t files.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-05-17 12:27:50

by Michal Svoboda

[permalink] [raw]
Subject: [refpolicy] A strange usecase

Christopher J. PeBenito wrote:
> It is not possible. That info comes out of the /proc/net/dev proc file.
> All interfaces are in the same file, so you can either see all of the
> interfaces or none of the interfaces. This can be controlled by
> allowing or denying access to proc_net_t files.

Unless you create your own application that filters the info.


Michal Svoboda
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100517/f789588c/attachment.bin

2010-05-17 12:33:22

by Shaz

[permalink] [raw]
Subject: [refpolicy] A strange usecase

On Mon, May 17, 2010 at 5:15 PM, Christopher J. PeBenito
<[email protected]> wrote:
> On Mon, 2010-05-17 at 16:42 +0500, Shaz wrote:
>> How can we "make sure a guest user can only see traffic counters of
>> eth0 but not eth1"
>
> It is not possible. ?That info comes out of the /proc/net/dev proc file.
> All interfaces are in the same file, so you can either see all of the
> interfaces or none of the interfaces. ?This can be controlled by
> allowing or denying access to proc_net_t files.

Not even with iptables-selinux?

--
Shaz