fedora-selinux August 2009 archive

Re: Label eth0 with a MCS security category?

From: James Morris <jmorris_at_nospam>
Date: Mon Aug 24 2009 - 01:51:26 GMT
To: Jason Shaw <js44352@gmail.com>


On Fri, 21 Aug 2009, Jason Shaw wrote:

> In FC-11, under the targeted policy, is it possible to label an ethernet
> interface (such as eth0, eth1) with a specific MCS category?
>
> Example:
> 1) Use semanage to assign user1 to s0:c5
> 3) Assign eth0 to s0:c4 (Can this be done?)
> 4) Assign eth1 to s0:c5
>
> Desired result: if user1 tries to ping -I eth1 <ip_address> the ping command
> will work (as both eth1 and user1 have category c5). If user1 tries to ping
> -I eth0 <ip_address>, the ping command will not work (category mismatch
> between user and eth1).

It should be possible to do this via iptables and SECMARK.

i.e. match all packets on ethN and label with the MCS category then use the SELinux packet flow policy rules.

I haven't looked at this stuff for a while, so cc'ing Paul Moore, who maintains the code.

--
James Morris <jmorris@namei.org>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
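James's iptables/SECMARK suggestion, spelled out as an added example (not code from this thread, nor from the SECMARK code Paul Moore maintains): a POSIX shell script that emits the mangle-table rules labelling traffic on eth0 with s0:c4 and on eth1 with s0:c5, with CONNSECMARK so replies in a flow keep the label of the packet that opened it. The packet type `ifacecat_packet_t` is a hypothetical name for a type a local policy module would define, and the script assumes the loaded policy actually constrains the `packet` class by MCS category, which must be checked separately.

```shell
#!/bin/sh
# Added example: per-interface MCS labelling of packets with iptables SECMARK.
# Assumptions: PACKET_TYPE (hypothetical name) exists in a local SELinux policy
# module, and the policy's MCS constraints cover the packet class, so a domain
# at s0:c5 can only send/recv packets labelled s0:c5.
PACKET_TYPE=${PACKET_TYPE:-ifacecat_packet_t}

# packet_ctx CATEGORY -> full security context used as the SECMARK label.
packet_ctx() {
    printf 'system_u:object_r:%s:s0:%s\n' "$PACKET_TYPE" "$1"
}

# secmark_rules IFACE CATEGORY -> iptables commands labelling new flows
# seen on IFACE (received via -i, sent via -o) with that category.
secmark_rules() {
    ctx=$(packet_ctx "$2")
    printf 'iptables -t mangle -A INPUT -i %s -m state --state NEW -j SECMARK --selctx %s\n' "$1" "$ctx"
    printf 'iptables -t mangle -A OUTPUT -o %s -m state --state NEW -j SECMARK --selctx %s\n' "$1" "$ctx"
}

# build_ruleset -> complete ordered rule list for the thread's example:
# eth0 gets c4, eth1 gets c5. CONNSECMARK --restore comes first so packets of
# an existing flow inherit its saved label; SECMARK labels new flows; then
# CONNSECMARK --save records that label on the conntrack entry.
build_ruleset() {
    for chain in INPUT OUTPUT; do
        printf 'iptables -t mangle -A %s -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore\n' "$chain"
    done
    secmark_rules eth0 c4
    secmark_rules eth1 c5
    for chain in INPUT OUTPUT; do
        printf 'iptables -t mangle -A %s -m state --state NEW -j CONNSECMARK --save\n' "$chain"
    done
}

# With no arguments the script only prints the rules for review; "--apply"
# runs them (needs root, conntrack, and kernel/policy SECMARK support).
if [ "$1" = "--apply" ]; then
    build_ruleset | sh -e
else
    build_ruleset
fi
```

Whether `ping -I eth0` from a process at s0:c5 is then denied depends on the policy side: the domain needs `packet { send recv }` permission on the packet type, and the MCS constraint is what turns the category mismatch into a denial; check the AVC log for `packet` denials when testing.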