From: shifflett@nps.edu (David Shifflett)
Date: Tue, 28 Feb 2012 14:07:52 -0800
Subject: [refpolicy] MLS policy and networking
Message-ID: <4F4D5038.3090001@nps.edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I am trying to use the MLS policy to control access to various networks.

I am running on Fedora 13; # sestatus reports: enabled, mode enforcing, policy version 24, policy file mls.

My system has eth1 192.168.2.1 and eth2 192.168.3.1. I am trying to set the contexts correctly so that processes with a sensitivity of s0 can use eth1, and a sensitivity of s1 can use eth2.

Nothing I have tried prevents a process at s1 from accessing a node/interface/port with a sensitivity of s0.

Here is what I have tried (set everything to s0):

semanage interface -a -r s0 -t user_t eth1
semanage interface -a -r s0 -t user_t eth2
semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.2.1
semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.3.1
semanage port -a -r s0 -t user_t -p tcp 55055

This yields:

# cat /etc/selinux/mls/modules/active/ports.local
portcon tcp 55055 system_u:object_r:user_t:s0

# cat /etc/selinux/mls/modules/active/interfaces.local
netifcon eth1 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
netifcon eth2 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0

# cat /etc/selinux/mls/modules/active/nodes.local
nodecon ipv4 192.168.2.1 255.255.255.0 system_u:object_r:user_t:s0
nodecon ipv4 192.168.3.1 255.255.255.0 system_u:object_r:user_t:s0

# semanage port -l | grep 55055
user_t tcp 55055

# semanage node -l
192.168.2.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0
192.168.3.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0

# semanage interface -l
eth1 system_u:object_r:user_t:s0
eth2 system_u:object_r:user_t:s0

I am running a simple python server program listening, accepting connections on port 55055, and reading/writing data from/to the client.

The python program reports its context via selinux.getcon() and works whether the context is user_u:user_r:user_t:s0-s15:c0.c1023 or user_u:user_r:user_t:s1-s15:c0.c1023.

It appears that the MLS policy isn't being enforced, or I am missing something. I am new to SELinux so hopefully I am doing something simple wrong.

Let me know if there is any other data I need to provide.

Any help sorting this out would be appreciated,
Thanks,
David Shifflett
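As an added illustration that is not part of David's post: the dominance arithmetic an MLS constraint applies when it compares a process range such as user_u:user_r:user_t:s1-s15:c0.c1023 with the single-level node context system_u:object_r:user_t:s0 quoted above. Which permissions use which comparison is decided by the policy's own mlsconstrain rules (the l1/h1/l2 names below are refpolicy's constraint variables); this script only parses the contexts and computes the comparisons, and the sample contexts are copied from the post.

```python
import re

# Sample contexts, constructed from the shapes quoted in the post.
PROC_S0 = "user_u:user_r:user_t:s0-s15:c0.c1023"
PROC_S1 = "user_u:user_r:user_t:s1-s15:c0.c1023"
NODE_S0 = "system_u:object_r:user_t:s0"

def parse_level(level):
    """'s1:c0.c1023,c5' -> (1, {0..1023, 5}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    catset = set()
    for part in filter(None, cats.split(",")):   # 'c0.c1023' or 'c5'
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        catset.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(catset)

def parse_range(context):
    """(low, high) of the MLS field; a single-level context has low == high."""
    fields = context.split(":", 3)   # user:role:type:mls (mls may contain ':')
    if len(fields) < 4:
        raise ValueError("context has no MLS field")
    low, _, high = fields[3].partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """a dom b: higher-or-equal sensitivity and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def mls_compare(subject_ctx, object_ctx):
    """The three comparisons refpolicy's mlsconstrain rules are built from,
    evaluated for a subject range against an object's low level."""
    s_low, s_high = parse_range(subject_ctx)
    o_low, _ = parse_range(object_ctx)
    return {
        "l1_dom_l2": dominates(s_low, o_low),   # subject low dominates object
        "l1_eq_l2": s_low == o_low,             # subject low equals object
        "h1_dom_l2": dominates(s_high, o_low),  # clearance dominates object
    }

if __name__ == "__main__":
    for proc in (PROC_S0, PROC_S1):
        print(proc, "vs", NODE_S0, "->", mls_compare(proc, NODE_S0))
```

For the s1-s15 process against the s0 node, l1 dom l2 is true while l1 eq l2 is false, so which permissions a constraint grants depends entirely on whether the rule for that permission requires dominance or equality.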