From: paul@paul-moore.com (Paul Moore)
Date: Mon, 12 Mar 2012 09:30:04 -0400
Subject: [refpolicy] MLS policy and networking
In-Reply-To: <4F5A8524.8020507@nps.edu>
References: <4F4D5038.3090001@nps.edu> <4257537.7ZZEJ7UAa5@sifl> <4F5A8524.8020507@nps.edu>
Message-ID: <2111960.bRKSTJOWmF@sifl>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday, March 09, 2012 02:33:08 PM David Shifflett wrote:
> Ok, given the below info, I'll re-ask my original question.
>
> I don't care about labeling all the network traffic or packets.
> I want to label the interface and have the system enforce the policy based
> on the process label and the interface label.

All of my original advice still applies.

* http://paulmoore.livejournal.com/5536.html

> If I use semanage to label the eth1 interface s0 and the eth2 interface s1
>
> Why is a process at s1 allowed to access eth1?

Short answer: because you've only half-way configured the labeled networking
access controls.

Longer answer: for both performance and policy reasons, the network access
controls lie dormant/disabled until you have fully configured them. Once they
are fully configured they will become active and you can start enforcing the
access controls you describe above. When you only run the semanage commands as
you've described above, you can't enforce the network access controls as the
network traffic "loops back" into the system after being sent.

> I am not in 'compat_net' mode, so if semanage isn't the right way to label
> the interface, should I use SECMARK, or netlabelctl?

You should be using the commands I sent you earlier. It may not be as simple
as you want it to be, but it is the way it works.

> BTW, I agree, clear as mud :)
>
> dave
>
> Paul Moore wrote:
> >
> > * The semanage tool is simply a tool which assigns labels to resources
> > and entities on the system. In the case of network related "things" it can
> > assign labels to interfaces and proto/port combinations. It is important
> > to note that semanage does not label network traffic.
> >
> > Hopefully that makes it all as clear as mud :)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
paul moore
www.paul-moore.com