From: pcclark@nps.edu (Paul Clark)
Date: Thu, 29 Mar 2012 13:51:27 -0700
Subject: [refpolicy] MLS ping?
Message-ID: <4F74CB4F.8040305@nps.edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With a modified MLS policy (described below): I can connect from SELinux (Fedora 13) to other systems. But, I cannot ping from other systems to SELinux.

Configuring two interfaces with different MLS labels, I can ping from SELinux to other non-SELinux systems on both interfaces, but I cannot ping to SELinux on either interface. I can ssh to SELinux on the interface labeled s0. (I understand the failure of ssh through the interface labeled s1 because sshd is at s0. Of course, that may not be why it is failing).

I have two interfaces configured as follows:

Using semanage:
  eth0 = system_u:object_r:netif_t:s0
  eth1 = system_u:object_r:netif_t:s1

Using netlabelctl:
  interface eth0 address:0.0.0.0/0 label: "system_u:object_r:netlabel_peer_t:s0"
  interface eth1 address:0.0.0.0/0 label: "system_u:object_r:netlabel_peer_t:s1"

I modified the MLS policy as follows:

  allow kernel_t netif_t : netif egress;
  corenet_inout_generic_if(netlabel_peer_t)
  corenet_inout_generic_node(netlabel_peer_t)
  allow ping_t netlabel_peer_t : peer recv;

The following audit record would indicate that when responding to a ping request received on eth1, the kernel is operating at system high and therefore cannot write down to eth1. But that doesn't explain why I can ping on eth0 at s0.

  type=AVC msg=audit(13330453265.336:92): avc: denied {egress} for saddr=192.168.0.13 daddr=192.168.0.14 netif=eth1 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:netif_t:s1 tclass=netif

Any thoughts?

-Paul
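The denial above is the kind of record a triage script should split into two questions: are the MLS levels of subject and object consistent with the requested permission (no write-down, no read-up), and if they are, which type-enforcement allow rule is missing? The following Python is an added example written for this page, not code from the message or from refpolicy. It parses AVC lines, expands MLS levels (including category ranges such as c0.c1023), and applies the generic dominance rule. The constant PAGE_RECORD is the denial quoted in the message; ASSUMED_ETH0_RECORD and ASSUMED_PEER_RECORD are constructed inputs that did not appear on the page. The generic rule deliberately does not model refpolicy's own mlsconstrain exemptions, so it reports what plain no-write-down would predict (a denial on eth0 at s0 as well), not why the two interfaces behave differently.

```python
"""Classify SELinux AVC denials as MLS level violations or type-enforcement gaps."""
import re
from dataclasses import dataclass

# The denial quoted in the list message (one line, wrapped here for readability).
PAGE_RECORD = (
    "type=AVC msg=audit(13330453265.336:92): avc: denied {egress} for "
    "saddr=192.168.0.13 daddr=192.168.0.14 netif=eth1 "
    "scontext=system_u:system_r:kernel_t:s15:c0.c1023 "
    "tcontext=system_u:object_r:netif_t:s1 tclass=netif")
# Constructed (not from the page): the same kernel reply towards the s0 interface.
ASSUMED_ETH0_RECORD = (
    "type=AVC msg=audit(1333045327.000:93): avc: denied {egress} for "
    "saddr=192.168.1.13 daddr=192.168.1.14 netif=eth0 "
    "scontext=system_u:system_r:kernel_t:s15:c0.c1023 "
    "tcontext=system_u:object_r:netif_t:s0 tclass=netif")
# Constructed (not from the page): equal levels, so only a TE allow rule can be missing.
ASSUMED_PEER_RECORD = (
    "type=AVC msg=audit(1333045328.000:94): avc: denied { recv } for "
    "saddr=192.168.0.13 scontext=system_u:system_r:ping_t:s0 "
    "tcontext=system_u:object_r:netlabel_peer_t:s0 tclass=peer")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s*\{([^}]*)\}")
# Permissions that move data out of the subject (write-like) or into it (read-like).
WRITE_PERMS = {"egress", "send", "sendto", "tcp_send", "udp_send", "rawip_send", "write"}
READ_PERMS = {"ingress", "recv", "recvfrom", "tcp_recv", "udp_recv", "rawip_recv", "read"}


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset
    text: str

    def dominates(self, other):
        # MLS dominance: sensitivity at least as high and a superset of categories.
        return self.sens >= other.sens and other.cats <= self.cats


def parse_cats(text):
    """Expand 'c0.c1023' (range) and 'c1,c3.c5' (list of ranges) into category numbers."""
    cats = set()
    for part in text.split(","):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    """Parse one level such as 's0' or 's15:c0.c1023'."""
    m = re.fullmatch(r"s(\d+)(?::(c[\d.,c]+))?", text)
    if not m:
        raise ValueError(f"not an MLS level: {text!r}")
    return Level(int(m.group(1)), parse_cats(m.group(2)) if m.group(2) else frozenset(), text)


def parse_context(ctx):
    """Split user:role:type:level[-level]; the low level is what the checks below use."""
    user, role, type_, mls = ctx.split(":", 3)
    low_text, _, high_text = mls.partition("-")
    low = parse_level(low_text)
    return {"user": user, "role": role, "type": type_,
            "low": low, "high": parse_level(high_text) if high_text else low}


def parse_avc(line):
    """Return the key=value fields plus the denied permission list, or None if not an AVC."""
    perms = PERMS_RE.search(line)
    if "avc:" not in line or not perms:
        return None
    record = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    record["perms"] = perms.group(1).split()
    return record


def classify(record):
    """Explain each denied permission as a write-down, a read-up, or a missing allow rule."""
    src, tgt = parse_context(record["scontext"]), parse_context(record["tcontext"])
    who = f"subject {src['type']} at {src['low'].text}, object {tgt['type']} at {tgt['low'].text}"
    findings = []
    for perm in record["perms"]:
        if perm in WRITE_PERMS and not tgt["low"].dominates(src["low"]):
            findings.append(f"{perm}: MLS write-down ({who})")
        elif perm in READ_PERMS and not src["low"].dominates(tgt["low"]):
            findings.append(f"{perm}: MLS read-up ({who})")
        else:
            findings.append(f"{perm}: levels consistent; check type enforcement "
                            f"(allow {src['type']} {tgt['type']}:{record['tclass']} {perm};)")
    return findings


def analyse(lines):
    """Run classify() over raw audit lines, skipping non-AVC records."""
    records = (parse_avc(line) for line in lines)
    return [(r.get("netif", r["tclass"]), classify(r)) for r in records if r]


if __name__ == "__main__":
    for where, findings in analyse([PAGE_RECORD, ASSUMED_ETH0_RECORD, ASSUMED_PEER_RECORD]):
        print(where, *findings, sep="\n  ")
```

Feeding the script `ausearch -m avc` output (or the raw audit.log) separates the denials that need a level or range change (an mlsnetwrite-style exemption, or a relabelled interface) from the ones that need an ordinary allow rule, such as the `allow ping_t netlabel_peer_t : peer recv;` the message already adds.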