From: shifflett@nps.edu (David Shifflett)
Date: Mon, 5 Mar 2012 11:06:28 -0800
Subject: [refpolicy] MLS policy and networking
In-Reply-To: <4F4D5038.3090001@nps.edu>
References: <4F4D5038.3090001@nps.edu>
Message-ID: <4F550EB4.7020809@nps.edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I have a little more information to add.
I reversed the MLS levels of the node/interface/port and process.
With the node/interface/port labeled at s1, the process running at s0
is NOT prevented from accessing the network.

Please help me understand if I am configuring things incorrectly,
or if the MLS policy isn't being correctly applied to network
nodes/interfaces/ports.

David Shifflett

David Shifflett wrote:
> I am trying to use the MLS policy to control access to various
> networks.
>
> I am running on Fedora 13,
> # sestatus
> reports - enabled, mode enforcing, policy version 24, policy file mls
>
> My system has eth1 192.168.2.1, and eth2 192.168.3.1.
>
> I am trying to set the contexts correctly so that processes
> with a sensitivity of s0 can use eth1,
> and a sensitivity of s1 can use eth2
>
> Nothing I have tried prevents a process at s1 from accessing
> a node/interface/port with a sensitivity of s0.
>
> Here is what I have tried:
> (set everything to s0)
> semanage interface -a -r s0 -t user_t eth1
> semanage interface -a -r s0 -t user_t eth2
> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.2.1
> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.3.1
> semanage port -a -r s0 -t user_t -p tcp 55055
>
> This yields:
> # cat /etc/selinux/mls/modules/active/ports.local
> portcon tcp 55055 system_u:object_r:user_t:s0
>
> # cat /etc/selinux/mls/modules/active/interfaces.local
> netifcon eth1 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
> netifcon eth2 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
>
> # cat /etc/selinux/mls/modules/active/nodes.local
> nodecon ipv4 192.168.2.1 255.255.255.0 system_u:object_r:user_t:s0
> nodecon ipv4 192.168.3.1 255.255.255.0 system_u:object_r:user_t:s0
>
> # semanage port -l | grep 55055
> user_t tcp 55055
>
> # semanage node -l
> 192.168.2.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0
> 192.168.3.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0
>
> # semanage interface -l
> eth1 system_u:object_r:user_t:s0
> eth2 system_u:object_r:user_t:s0
>
> I am running a simple python server program listening,
> accepting connections on port 55055,
> and reading/writing data from/to the client.
>
> The python program reports its context via selinux.getcon()
> and works whether the context is
> user_u:user_r:user_t:s0-s15:c0.c1023
> or
> user_u:user_r:user_t:s1-s15:c0.c1023
>
> It appears that the MLS policy isn't being enforced,
> or I am missing something.
>
> I am new to SELinux so hopefully I am doing something simple wrong.
> Let me know if there is any other data I need to provide.
>
>
> Any help sorting this out would be appreciated,
> Thanks,
> David Shifflett
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
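An added helper, not part of this thread, that parses the MLS ranges quoted above (process `s0-s15:c0.c1023` / `s1-s15:c0.c1023` against the `s0` node label) and evaluates the primitive relations (`l1 dom l2`, `l1 domby h2`, `l1 eq l2`, `h1 dom l2`) that `mlsconstrain` expressions are built from, so each pairing from the post can be checked against whatever constraint the loaded policy applies to node/netif/port permissions. Which expression that is must be read from the policy source; the script assumes nothing about it.

```python
"""Added MLS dominance helper (not from the thread): parses SELinux ranges such as
's1-s15:c0.c1023' and reports the primitive relations mlsconstrain expressions are
built from. It does not reproduce refpolicy's constraints; read those from the policy."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int        # sensitivity, e.g. 1 for 's1'
    cats: frozenset  # category numbers, e.g. {0..1023} for 'c0.c1023'

def parse_level(text):
    """Parse one level: 's0', 's1:c0.c1023' or 's0:c1,c3.c5'."""
    sens_part, _, cat_part = text.partition(":")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")  # 'c3.c5' is an inclusive run
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(sens_part[1:]), frozenset(cats))

def parse_range(text):
    """Parse 'low-high'; a single level means low == high (e.g. the node's 's0')."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)

def dom(a, b):
    """a dominates b: sensitivity >= and categories a superset."""
    return a.sens >= b.sens and a.cats >= b.cats

def mls_relations(subject_ctx, object_ctx):
    """Primitive relations between a subject (l1/h1) and an object (l2/h2)."""
    l1, h1 = parse_range(subject_ctx.split(":", 3)[3])  # 4th field is the MLS range
    l2, h2 = parse_range(object_ctx.split(":", 3)[3])
    return {
        "l1 dom l2": dom(l1, l2),    # subject low level dominates object low
        "l1 domby h2": dom(h2, l1),  # subject low level lies under object's high
        "l1 eq l2": l1 == l2,        # identical low levels
        "h1 dom l2": dom(h1, l2),    # subject clearance (high) dominates object
    }

if __name__ == "__main__":
    # Contexts quoted in the post: both process ranges against the s0 node label.
    node = "system_u:object_r:user_t:s0"
    for proc in ("user_u:user_r:user_t:s0-s15:c0.c1023",
                 "user_u:user_r:user_t:s1-s15:c0.c1023"):
        print(proc, "vs", node, "->", mls_relations(proc, node))
```

With the node at s0, the s1-s15 process satisfies `l1 dom l2` but not `l1 domby h2` or `l1 eq l2`; with the labels reversed (node s1, process s0-s15) `l1 dom l2` fails. Comparing these against the constraint the policy actually applies shows whether a denial should be expected at all for a given pairing.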