[refpolicy] MLS policy and networking

Paul Moore paul at paul-moore.com
Thu Mar 8 12:30:44 CST 2012


On Tuesday, February 28, 2012 02:07:52 PM David Shifflett wrote:
> I am trying to use the MLS policy to control access to various
> networks.
> 
> I am running on Fedora 13,
> # sestatus
> reports - enabled, mode enforcing, policy version 24, policy file mls
> 
> My system has eth1 192.168.2.1, and eth2 192.168.3.1.
> 
> I am trying to set the contexts correctly so that processes
> with a sensitivity of s0 can use eth1,
> and a sensitivity of s1 can use eth2
> 
> Nothing I have tried prevents a process at s1 from accessing
> a node/interface/port with a sensitivity of s0.
> 
> Here is what I have tried:
> (set everything to s0)
> semanage interface -a -r s0 -t user_t eth1
> semanage interface -a -r s0 -t user_t eth2
> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.2.1
> semanage node -a -r s0 -t user_t -M 255.255.255.0 -p ipv4 192.168.3.1
> semanage port -a -r s0 -t user_t -p tcp 55055

...

> # semanage interface -l
> eth1 system_u:object_r:user_t:s0
> eth2 system_u:object_r:user_t:s0

Sorry for such a late response, but I would suggest the following changes:

1. If you want only "s1" labeled traffic on eth2, you should probably label it 
as such, e.g. "semanage interface -a -r s1 ... eth2".

2. I would avoid using existing non-netif type names for your network 
interfaces, e.g. "semanage interface -a -t my_netif_t ethX".  While 
technically I don't think there is anything wrong (I may be wrong here) with 
using "user_t", it will probably help you to keep things straight if you use a 
type that is netif related. 

> It appears that the MLS policy isn't being enforced, or I am missing
> something.

You're missing a few more steps, but first, as Chris has already mentioned, 
check that you are not operating in the *dreaded* (feel free to add 
appropriate emphasis) "compat_net" mode.  See Chris' response to see how to 
check this on your system.

Assuming you are not in compat_net mode, you want to follow the instructions 
outlined on the page below (using your values of course):

 * http://paulmoore.livejournal.com/5536.html

The basic idea is that you need to do the following things to start enforcing 
SELinux network policy on modern kernels:

1. Set the network interface labels to match the security attributes of their 
network. (You've pretty much done this already, see my earlier comments)

2. Configure some form of labeling for incoming network traffic; if you aren't 
using either CIPSO or labeled IPsec - and odds are very good that you are not 
- you should configure a static label for incoming network traffic on each of 
your interfaces.  For example, a basic configuration that would match your 
eth1/s0 and eth2/s1 requirement would look like this (only IPv4 addresses 
shown in this example):

 # netlabelctl unlbl add interface:eth1 address:0.0.0.0/0 \
                         label:system_u:object_r:netlabel_peer_t:s0
 # netlabelctl unlbl add interface:eth2 address:0.0.0.0/0 \
                         label:system_u:object_r:netlabel_peer_t:s1

3. Write a policy module to match your desired network access control 
requirements and you are all set.

-- 
paul moore
www.paul-moore.com
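A consistency check for steps 1 and 2 above, added here as an example and not part of Paul's message or the refpolicy project: it compares the sensitivity of each interface's own label (parsed from `semanage interface -l` output in the format quoted in the thread) with the sensitivity of the static peer label configured for that interface with `netlabelctl unlbl add`, and reports the eth2 s0/s1 mismatch of the original configuration. The sample listings are constructed and the function names are my own.

```shell
# Constructed `semanage interface -l` output in the format quoted above;
# eth2 still carries s0, the mistake pointed out in the reply.
SEMANAGE_IF_SAMPLE='eth1 system_u:object_r:user_t:s0
eth2 system_u:object_r:user_t:s0'
# The same listing after relabeling eth2 to s1 (step 1 done properly).
SEMANAGE_IF_FIXED='eth1 system_u:object_r:user_t:s0
eth2 system_u:object_r:user_t:s1'

# Constructed static-label map in the argument syntax of "netlabelctl unlbl
# add" shown in step 2: eth1 traffic is s0, eth2 traffic is s1.
NETLABEL_SAMPLE='interface:eth1 address:0.0.0.0/0 label:system_u:object_r:netlabel_peer_t:s0
interface:eth2 address:0.0.0.0/0 label:system_u:object_r:netlabel_peer_t:s1'

# ctx_field CONTEXT N: print field N of a user:role:type:sensitivity context.
ctx_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# check_if_labels SEMANAGE_OUTPUT NETLABEL_MAP: for each interface in the map,
# compare the sensitivity of the interface label with the sensitivity of the
# static peer label for traffic arriving on it. Prints one line per finding
# and returns the number of mismatches (0 = consistent); a non-netif type
# (Paul's point 2) only produces a warning.
check_if_labels() {
    local sem="$1" map="$2" problems=0
    local iface addr label ifctx ifsens peersens iftype
    while read -r iface addr label; do
        iface=${iface#interface:}; label=${label#label:}
        ifctx=$(printf '%s\n' "$sem" | awk -v i="$iface" '$1 == i { print $2 }')
        if [ -z "$ifctx" ]; then
            echo "$iface: no interface label set (semanage interface -a ...)"
            problems=$((problems + 1))
            continue
        fi
        ifsens=$(ctx_field "$ifctx" 4)
        peersens=$(ctx_field "$label" 4)
        if [ "$ifsens" != "$peersens" ]; then
            echo "$iface: interface labeled $ifsens, incoming traffic labeled $peersens"
            problems=$((problems + 1))
        fi
        iftype=$(ctx_field "$ifctx" 3)
        case "$iftype" in
            *netif_t) ;;
            *) echo "$iface: warning, type $iftype is not a netif type" ;;
        esac
    done <<EOF
$map
EOF
    return "$problems"
}

# Stand-alone run against the constructed sample (one mismatch expected).
check_if_labels "$SEMANAGE_IF_SAMPLE" "$NETLABEL_SAMPLE" || echo "$? mismatch(es) found"
```

On a live system, feed it the real `semanage interface -l` output and the interface/address/label arguments you passed to netlabelctl in place of the constructed strings.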
