From: paul@paul-moore.com (Paul Moore)
Date: Thu, 08 Mar 2012 13:30:44 -0500
Subject: [refpolicy] MLS policy and networking
In-Reply-To: <4F4D5038.3090001@nps.edu>
References: <4F4D5038.3090001@nps.edu>
Message-ID: <1513158.4FbGMoRZ6H@sifl>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tuesday, February 28, 2012 02:07:52 PM David Shifflett wrote:
> I am trying to use the MLS policy to control access to various
> networks.
>
> I am running on Fedora 13,
> # sestatus
> reports - enabled, mode enforcing, policy version 24, policy file mls
>
> My system has eth1 192.168.2.1, and eth2 192.168.3.1.
>
> I am trying to set the contexts correctly so that processes
> with a sensitivity of s0 can use eth1,
> and a sensitivity of s1 can use eth2
>
> Nothing I have tried prevents a process at s1 from accessing
> a node/interface/port with a sensitivity of s0.
>
> Here is what I have tried:
> (set everything to s0)
> semanage interface -a -r s0 -t user_t eth1
> semanage interface -a -r s0 -t user_t eth2
> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.2.1
> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.3.1
> semanage port -a -r s0 -t user_t -p tcp 55055
> ...
> # semanage interface -l
> eth1 system_u:object_r:user_t:s0
> eth2 system_u:object_r:user_t:s0

Sorry for such a late response, but I would suggest the following changes:

1. If you want only "s1" labeled traffic on eth2, you should probably label
it as such, e.g. "semanage interface -a -r s1 ... eth2".

2. I would avoid using existing non-netif type names for your network
interfaces, e.g. "semanage interface -a -t my_netif_t ethX". While
technically I don't think there is anything wrong (I may be wrong here)
with using "user_t", it will probably help you to keep things straight if
you use a type that is netif related.

> It appears that the MLS policy isn't being enforced, or I am missing
> something.

You're missing a few more steps, but first, as Chris has already mentioned,
check that you are not operating in the *dreaded* (feel free to add
appropriate emphasis) "compat_net" mode. See Chris' response to see how to
check this on your system.

Assuming you are not in compat_net mode, you want to follow the instructions
outlined on the page below (using your values of course):

* http://paulmoore.livejournal.com/5536.html

The basic idea is that you need to do the following things to start
enforcing SELinux network policy on modern kernels:

1. Set the network interface labels to match the security attributes of
their network. (You've pretty much done this already, see my earlier
comments)

2. Configure some form of labeling for incoming network traffic; if you
aren't using either CIPSO or labeled IPsec - and odds are very good that you
are not - you should configure a static label for incoming network traffic
on each of your interfaces. For example, a basic configuration that would
match your eth1/s0 and eth2/s1 requirement would look like this (only IPv4
addresses shown in this example):

# netlabelctl unlbl add interface:eth1 address:0.0.0.0/0 \
    label:system_u:object_r:netlabel_peer_t:s0
# netlabelctl unlbl add interface:eth2 address:0.0.0.0/0 \
    label:system_u:object_r:netlabel_peer_t:s1

3. Write a policy module to match your desired network access control
requirements and you are all set.

-- 
paul moore
www.paul-moore.com
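The mistake in the original post (eth2 labeled s0 when the intent was s1, and both interfaces typed user_t rather than a netif type) is the kind of thing that is easy to miss by eye once a few interfaces, nodes and NetLabel entries are involved. The script below is an added example, not part of this thread or of any SELinux tool: it takes the intended interface-to-sensitivity mapping from the thread (eth1 at s0, eth2 at s1) plus the text of `semanage interface -l` and `netlabelctl unlbl list`, and reports every place the interface label or the static label for unlabeled traffic disagrees with that intent, or where the interface type is not netif-related. The sample outputs are constructed; the `netlabelctl unlbl list` line format assumed by the parser (`interface:...,address:...,label:"..."`) and the type name `my_netif_t` (taken from the reply's hypothetical example) are assumptions.

```python
"""Consistency check for a per-interface MLS network labeling setup (added example)."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Intended mapping from the thread: s0 traffic on eth1, s1 traffic on eth2.
INTENT = {"eth1": "s0", "eth2": "s1"}

# Constructed sample of `semanage interface -l`, reproducing the labels the
# original poster reported (both interfaces at s0, both typed user_t).
SEMANAGE_BEFORE = """\
SELinux Interface              Context

eth1                           system_u:object_r:user_t:s0
eth2                           system_u:object_r:user_t:s0
"""

# Constructed sample after the suggested fixes: eth2 relabeled s1 and both
# interfaces given a netif-related type (my_netif_t is a hypothetical name).
SEMANAGE_AFTER = """\
SELinux Interface              Context

eth1                           system_u:object_r:my_netif_t:s0
eth2                           system_u:object_r:my_netif_t:s1
"""

# Constructed sample of `netlabelctl unlbl list` after the two
# `netlabelctl unlbl add` commands from the reply (line format is assumed).
NETLABEL_LIST = """\
accept:on
interface:eth1,address:0.0.0.0/0,label:"system_u:object_r:netlabel_peer_t:s0"
interface:eth2,address:0.0.0.0/0,label:"system_u:object_r:netlabel_peer_t:s1"
"""


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # MLS range as written, e.g. "s0" or "s0-s15:c0.c1023"

    @property
    def low(self) -> str:
        # Sensitivity of the low end of the range; categories are ignored here.
        return self.level.split("-")[0].split(":")[0]


def parse_context(text: str) -> Context:
    # Split into user:role:type:level; the level may itself contain colons.
    parts = text.strip().strip('"').split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not an MLS security context: {text!r}")
    return Context(*parts)


def parse_semanage_interfaces(output: str) -> dict[str, Context]:
    """Map interface name -> context from `semanage interface -l` output."""
    result: dict[str, Context] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux Interface"):
            continue  # blank line or column header
        name, ctx = line.split(None, 1)
        result[name] = parse_context(ctx)
    return result


def parse_netlabel_unlbl(output: str) -> dict[str, Context]:
    """Map interface -> static label for the catch-all address (0.0.0.0/0 or ::/0)."""
    result: dict[str, Context] = {}
    pat = re.compile(r'interface:(\S+?),address:(\S+?),label:"?([^",\s]+)"?')
    for m in pat.finditer(output):
        iface, addr, label = m.groups()
        if addr in ("0.0.0.0/0", "::/0"):
            result[iface] = parse_context(label)
    return result


def check_labels(intent: dict[str, str],
                 interfaces: dict[str, Context],
                 static_labels: dict[str, Context]) -> list[str]:
    """Return one finding per disagreement between intent and configured labels."""
    findings = []
    for iface, want in sorted(intent.items()):
        ctx = interfaces.get(iface)
        if ctx is None:
            findings.append(f"{iface}: no semanage interface entry")
        else:
            if ctx.low != want:
                findings.append(f"{iface}: interface labeled {ctx.low}, intent is {want}")
            if "netif" not in ctx.type:
                findings.append(f"{iface}: type {ctx.type} is not a netif-related type")
        static = static_labels.get(iface)
        if static is None:
            findings.append(f"{iface}: no static NetLabel label for unlabeled traffic")
        elif static.low != want:
            findings.append(f"{iface}: unlabeled traffic gets {static.low}, intent is {want}")
    return findings


def audit(semanage_output: str, netlabel_output: str) -> list[str]:
    return check_labels(INTENT,
                        parse_semanage_interfaces(semanage_output),
                        parse_netlabel_unlbl(netlabel_output))


if __name__ == "__main__":
    for title, out in (("before", SEMANAGE_BEFORE), ("after", SEMANAGE_AFTER)):
        print(f"--- {title} ---")
        for f in audit(out, NETLABEL_LIST) or ["no findings"]:
            print(f)
```

On a live system the two constructed samples would be replaced by the actual command output (`subprocess.run(["semanage", "interface", "-l"], ...)` and the same for `netlabelctl unlbl list`); the check only compares the low sensitivity of each range, so an interface labeled with a range such as `s1-s15` still passes for an intent of `s1`.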