Re: default deny for uncofined_t using targeted?: msg#00073

Steve Brueckner wrote:

Stephen Smalley wrote:

On Fri, 2005-11-18 at 15:17 +0000, Paul Howarth wrote:

Won't that kill all network access, including via localhost, rather
than just eth0 access?

Well, yes, good point ;)

Also looks like Dan reworked the old netifcon statements and netif

types as part of the network macro work.

Ok, so one approach might be to:
- Add a netifcon statement to policy/net_contexts (between the
        portcon entries and the nodecon entries) to distinguish eth0:
netifcon eth0 system_u:object_r:netif_eth0_t
        system_u:object_r:unlabeled_t - Add the type to
policy/types/network.te (or anywhere in the policy): type
        netif_eth0_t, netif_type; - Change the allow rule in

unconfined_domain from allow $1 netif_type:netif *;to:

        allow $1 netif_t:netif *;
so that unconfined_t no longer gets access to all netif types, just

the default one (which covers loopback).

Looks like macros/network_macros.te already limits itself to
netif_t:netif, so it will also cease granting access to eth0 when you

make the above changes without needing to modify the macro itself.


Well this seemed to be working, but then something strange happened.  I
wanted ssh to work over eth0, so I added this to domains/program/ssh.te:
        auditallow sshd_t netif_type:netif *;
        allow sshd_t netif_type:netif *;

This single change allowed ssh to use eth0, but apparently it also allows
anything in unconfined_t to access eth0 also!  For example, when I run nmap
192.168.1.109 it is no longer blocked:

type=AVC msg=audit(1134421016.167:1744): avc: granted { rawip_send } for
pid=2854 comm="nmap" saddr=192.168.1.80 src=55724 daddr=192.168.1.209
dest=1502 netif=eth0 scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:netif_eth0_t tclass=netif

Am I missing something fundamental or is this a bug?  It seems to me that
giving sshd_t access to eth0 shouldn't also cause everyone in unconfined_t
to have access to eth0.

sshd_t is an alias for unconfined_t, in targeted policy.

Thanks for your help so far,

Stephen Brueckner, ATC-NY

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--

<Prev in Thread]	Current Thread	[Next in Thread>

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: Adding two new booleans to httpd to tighten it's security., Robert L Cochran
Next by Date:	Re: Adding two new booleans to httpd to tighten it's security., Daniel J Walsh
Previous by Thread:	RE: default deny for uncofined_t using targeted?, Steve Brueckner
Next by Thread:	How to setup a single user with almost no rights..., Pigeon
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: Adding two new booleans to httpd to tighten it's security., Robert L Cochran

Next by Date:

Re: Adding two new booleans to httpd to tighten it's security., Daniel J Walsh

Previous by Thread:

RE: default deny for uncofined_t using targeted?, Steve Brueckner

Next by Thread:

How to setup a single user with almost no rights..., Pigeon

Indexes:

[Date] [Thread] [Top] [All Lists]

Free Magazines

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe