OK, I've also attached the community to this thread.
Can someone please help me?
Thanks
On Thursday, June 11, 2015, Paul Moore <paul@paul-moore.com> wrote:
On Thu, Jun 11, 2015 at 4:22 PM, Maurizio Pagani <pag.maurizio@gmail.com> wrote:
Any idea??? Please, it's important.
As Stephen already mentioned, please repost your question to the mailing list so that others can benefit.
On Thursday, June 11, 2015, Gmail <pag.maurizio@gmail.com> wrote:
Hi Stephen,
OK, but with peer labeling I saw that it is not possible to block a specific domain from using an interface labeled with netif_hostonly_t, right? If not, how can I block a specific domain from using my network interface?
However, the next questions I'll write to the distribution list.
Thanks in advance,
Maurizio Pagani
Systems and Security Specialist
Kay Systems Italia, www.ksi.it
Viale Libano, 80 - 00144 Roma
fax: +39 06 542799-60, mobile: +39 335 1382689
e-mail: maurizio.pagani@ksi.it
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Thursday, June 11, 2015 14:49
To: Gmail; paul@paul-moore.com; james.l.morris@oracle.com; 'Daniel J Walsh'; 'Dominick Grift'; 'Sven Vermeulen'; eparis@parisplace.org
Subject: Re: SELinux: Interface Labeling Problem
Is there a reason you didn't post this to the selinux list (selinux@tycho.nsa.gov, subscribe via selinux-join@tycho.nsa.gov)?
We prefer questions to go to the list so that they are archived for others and anyone in the community can respond to them.
In any event, SELinux network permission checks have changed over time. The netif { tcp_recv tcp_send udp_recv udp_send } checks were legacy network checks that were removed in Linux 2.6.30. netif { ingress egress } are newer checks that are only enabled if you have configured peer labeling via NetLabel or labeled IPSEC/xfrm.
On 06/11/2015 06:27 AM, Gmail wrote:
Hi everybody,
I'm Maurizio Pagani (LordFire in #SELinux IRC on freenode).
I'm writing to you because I'm implementing an SELinux solution with particular attention to network labeling.
I'm doing this through some blogs (Paul Moore in particular, Walsh and others) and books (Sven Vermeulen), but now I'm stuck on a little problem that doesn't let me go on.
The subject is: "Interface Labeling".
In a few words, I created a very simple policy called "netif_hostonly_t"; the .te is this:
    policy_module(netif_hostonly, 1.0.0)

    require {
        type unconfined_t;
        class netif { tcp_recv tcp_send udp_recv udp_send ingress egress };
    }

    # I declare my type
    type netif_hostonly_t;

    allow unconfined_t netif_hostonly_t:netif { tcp_recv tcp_send udp_recv udp_send ingress egress };
Next step:
    semanage interface -a -t netif_hostonly_t eno50332208
I checked that it is labeled correctly.
But I don't see any AVC denied messages; this is the problem. I thought that, as always, SELinux blocks everything and then, through raw SELinux language (allow/dontaudit/auditallow/neverallow), we can open specific communications, but instead I don't see anything.
Am I doing something wrong? It is not very clear on the web or in the other blogs/books: maybe I need a SECMARK rule? But it is not specified as a requirement, because "port labeling" is also used without setting a SECMARK rule.
Please, I'm blocked on my customer project by this (I think) stupid problem; maybe you surely know the solution and can share it with me.
Thanks in advance,
Maurizio Pagani
-- paul moore www.paul-moore.com
selinux@lists.fedoraproject.org
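The following is an added worked example, not part of the thread and not code from any of the participants. It puts Stephen's point into practice: labeling the interface with semanage alone changes nothing, because the kernel only evaluates netif { ingress egress } once peer labeling is active, and the legacy tcp_*/udp_* netif permissions in the posted module are never checked on a 2.6.30+ kernel. The script writes a module that grants the interface only to unconfined_t, loads it, labels the interface, and then turns on NetLabel static (fallback) labeling so that every packet on that interface carries the netlabel_peer_t peer label; from that point any confined domain without an allow rule on netif_hostonly_t (httpd_t is used here purely as the example of a domain to block) is denied by SELinux's default-deny. Assumptions: the interface name eth1, a refpolicy-based system with /usr/share/selinux/devel/Makefile and netlabel_tools installed, and that unconfined_t may already hold the peer recv permission from the base policy (the rule is included anyway so the module does not depend on it). Nothing privileged runs unless the script is invoked with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical defaults: interface eth1,
# refpolicy devel Makefile, netlabel_tools present. Run as root with "apply".

IFACE="${IFACE:-eth1}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Emit the policy module source into $1 and print its path.
# Only unconfined_t is allowed to send/receive on netif_hostonly_t; a confined
# domain such as httpd_t (example only) gets no rule and is therefore denied
# once the netif checks are actually evaluated. The legacy tcp_*/udp_* netif
# permissions are deliberately omitted: the kernel dropped them in 2.6.30.
write_policy() {
    dir="$1"
    cat > "$dir/netif_hostonly.te" <<'EOF'
policy_module(netif_hostonly, 1.0.0)

require {
    type unconfined_t;
    type netlabel_peer_t;
    class netif { ingress egress };
    class peer recv;
}

type netif_hostonly_t;

# Only unconfined_t may pass traffic through an interface labeled netif_hostonly_t.
allow unconfined_t netif_hostonly_t:netif { ingress egress };

# With peer labeling on, inbound packets also carry the fallback peer label;
# grant it explicitly (may already be granted by unconfined_domain, assumption).
allow unconfined_t netlabel_peer_t:peer recv;
EOF
    printf '%s\n' "$dir/netif_hostonly.te"
}

# Compile the module with the refpolicy devel Makefile and load it.
build_and_load() {
    dir="$1"
    make -C "$dir" -f /usr/share/selinux/devel/Makefile netif_hostonly.pp
    semodule -i "$dir/netif_hostonly.pp"
}

# Persistently label the interface (what the original post already did).
label_interface() {
    semanage interface -a -t netif_hostonly_t "$1"
}

# Turn on peer labeling via NetLabel static (fallback) labels: every packet on
# the interface that carries no CIPSO option is treated as netlabel_peer_t.
# This is what enables the kernel's netif { ingress egress } checks.
enable_peer_labeling() {
    netlabelctl unlbl add interface:"$1" address:0.0.0.0/0 \
        label:system_u:object_r:netlabel_peer_t:s0
    netlabelctl unlbl accept on
}

# Show the resulting state; AVC denials for blocked domains appear in audit.log.
verify() {
    semanage interface -l
    netlabelctl -p unlbl list
}

if [ "${1:-}" = "apply" ]; then
    write_policy "$WORKDIR" >/dev/null
    build_and_load "$WORKDIR"
    label_interface "$IFACE"
    enable_peer_labeling "$IFACE"
    verify
fi
```

After applying, traffic from a confined domain on the labeled interface produces an AVC denial on class netif (or peer), which is the signal missing from the original post. Note that the static label applies to unlabeled IPv4 traffic on that interface only; other interfaces keep their existing (unlabeled) behaviour unless you add rules for them too.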