From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 6 Mar 2012 08:27:38 -0500
Subject: [refpolicy] MLS policy and networking
In-Reply-To: <4F550EB4.7020809@nps.edu>
References: <4F4D5038.3090001@nps.edu> <4F550EB4.7020809@nps.edu>
Message-ID: <4F5610CA.2000609@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/05/12 14:06, David Shifflett wrote:
> I have a little more information to add.
>
> I reversed the MLS levels of the node/interface/port and process.
> With the node/interface/port labeled at s1, the process running at s0 is
> NOT prevented from accessing the network.
>
> Please help me understand if I am configuring things incorrectly,
> or if the MLS policy isn't being correctly applied to network
> nodes/interfaces/ports.
>
> David Shifflett
>
>
> David Shifflett wrote:
>> I am trying to use the MLS policy to control access to various
>> networks.
>>
>> I am running on Fedora 13,
>> # sestatus
>> reports - enabled, mode enforcing, policy version 24, policy file mls
>>
>> My system has eth1 192.168.2.1, and eth2 192.168.3.1.
>>
>> I am trying to set the contexts correctly so that processes
>> with a sensitivity of s0 can use eth1,
>> and a sensitivity of s1 can use eth2
>>
>> Nothing I have tried prevents a process at s1 from accessing
>> a node/interface/port with a sensitivity of s0.
>>
>> Here is what I have tried:
>> (set everything to s0)
>> semanage interface -a -r s0 -t user_t eth1
>> semanage interface -a -r s0 -t user_t eth2
>> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.2.1
>> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.3.1
>> semanage port -a -r s0 -t user_t -p tcp 55055
>>
>> This yields:
>> # cat /etc/selinux/mls/modules/active/ports.local
>> portcon tcp 55055 system_u:object_r:user_t:s0
>>
>> # cat /etc/selinux/mls/modules/active/interfaces.local
>> netifcon eth1 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
>> netifcon eth2 system_u:object_r:user_t:s0 system_u:object_r:user_t:s0
>>
>> # cat /etc/selinux/mls/modules/active/nodes.local
>> nodecon ipv4 192.168.2.1 255.255.255.0 system_u:object_r:user_t:s0
>> nodecon ipv4 192.168.3.1 255.255.255.0 system_u:object_r:user_t:s0
>>
>> # semanage port -l | grep 55055
>> user_t tcp 55055
>>
>> # semanage node -l
>> 192.168.2.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0
>> 192.168.3.1 255.255.255.0 ipv4 system_u:object_r:user_t:s0
>>
>> # semanage interface -l
>> eth1 system_u:object_r:user_t:s0
>> eth2 system_u:object_r:user_t:s0
>>
>> I am running a simple python server program listening,
>> accepting connections on port 55055,
>> and reading/writing data from/to the client.
>>
>> The python program reports its context via selinux.getcon()
>> and works whether the context is
>> user_u:user_r:user_t:s0-s15:c0.c1023
>> or
>> user_u:user_r:user_t:s1-s15:c0.c1023
>>
>> It appears that the MLS policy isn't being enforced,
>> or I am missing something.
>>
>> I am new to SELinux so hopefully I am doing something simple wrong.
>> Let me know if there is any other data I need to provide.

I can't remember if F13 still had compat_net. Do you have a /selinux/compat_net, and if so is it 0 or 1? If it is 0 or nonexistent, then the above won't work, because you're using the new SELinux network access controls (SECMARK).

If you have /selinux/compat_net, you could change it to 1 and then nodes, netifs, and ports will start working as you expect. If not, then you have to use iptables/SECMARK to do the labeling.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
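The check Chris describes, as an added example that is not part of the thread and not refpolicy's own tooling: a small POSIX shell script that reports whether the legacy compat_net model (node/netif/port checks) or the SECMARK model is in effect, and that prints the iptables SECMARK/CONNSECMARK rules needed to label traffic on the thread's port 55055 when compat_net is unavailable. The path argument to `selinux_net_mode` exists only so the function can be exercised without SELinux; the packet context passed to `secmark_rules` is an assumed value (a SECMARK label must be a packet type the server domain is allowed to send and receive, which `user_t` from the thread is not), so substitute the packet type your policy defines.

```shell
#!/bin/sh
# Added example, not from the thread. Distinguishes the two SELinux
# network access-control models Chris names in his reply.

# selinux_net_mode [PATH]
# Prints "compat_net" when PATH (default /selinux/compat_net) exists and
# holds 1, i.e. the legacy nodecon/netifcon/portcon checks are active.
# Prints "secmark" when the file is absent or holds 0, in which case
# semanage node/interface/port entries have no effect on access and
# packets must be labeled with iptables instead.
selinux_net_mode() {
    path="${1:-/selinux/compat_net}"
    if [ -r "$path" ] && [ "$(cat "$path" 2>/dev/null)" = "1" ]; then
        echo compat_net
    else
        echo secmark
    fi
}

# secmark_rules PORT CONTEXT
# Prints the iptables commands that give packets on TCP PORT the
# SELinux context CONTEXT (SECMARK) and carry that label across the
# connection (CONNSECMARK). The mangle table is assumed here; newer
# kernels also accept these targets in the security table.
secmark_rules() {
    port="$1"
    ctx="$2"
    cat <<EOF
iptables -t mangle -A INPUT  -p tcp --dport $port -j SECMARK --selctx $ctx
iptables -t mangle -A OUTPUT -p tcp --sport $port -j SECMARK --selctx $ctx
iptables -t mangle -A INPUT  -p tcp --dport $port -j CONNSECMARK --save
iptables -t mangle -A OUTPUT -p tcp --sport $port -j CONNSECMARK --restore
EOF
}

# Stand-alone use: report the mode, and when SECMARK is in effect show
# the rules for the thread's port with an assumed packet context.
main() {
    mode=$(selinux_net_mode)
    echo "network access-control mode: $mode"
    if [ "$mode" = "secmark" ]; then
        echo "node/netif/port levels are not enforced; label packets with:"
        secmark_rules 55055 system_u:object_r:server_packet_t:s0
    fi
}

case "$0" in
    *selinux_net_mode*) main ;;
esac
```

Run as root on the MLS host to see which model applies; if the script reports `compat_net`, the node, interface and port contexts from the thread are consulted, otherwise the printed rules (with a real packet type for your policy) are the mechanism that labels the traffic.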