Description of problem:
Since compat_net was removed from the kernel, there are no controls on low-level stuff that doesn't go through SECMARK, such as packet_socket and rawip_socket.

Version-Release number of selected component (if applicable):
N/A

How reproducible:
Always

Steps to Reproduce:
1. Install the SELinux policy sources
2. Remove all network permissions from a program such as dhcpc_t from the SELinux policy (packet, netif, node, port): comment out every line of policy/modules/system/sysnetwork.te that starts with corenet
3. Compile and install the policy
4. Clear out the audit log and reboot the computer

Actual results:
dhcpc works fine and the network interfaces get IPs.

Expected results:
dhcpc gets denied access to the network.

Additional info:
This bug probably exists on Fedora 15 and RHEL6 as well.
Any thoughts on this, Dan?
sesearch -A -s dhcpc_t
I have a feeling you are getting allow rules from another interface.
There are controls for the "low level stuff", in fact the controls are much more comprehensive than they were in the compat_net days. What you are looking for are commonly called the SELinux ingress/egress controls and there are a few posts which highlight the basic functionality:

* http://paulmoore.livejournal.com/2128.html
* http://paulmoore.livejournal.com/5536.html

Please keep in mind that SELinux typically only enforces network access controls on AF_INET or AF_INET6 sockets; raw or packet sockets do not have any per-packet access controls. This is not new, this limitation was present even during the compat_net days as supporting these types of sockets would involve parsing packets by hand in the SELinux code, not something we want to do. If you want to restrict applications that use raw or packet sockets, you should use the existing SELinux socket permissions.
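As an added example (not code from the bug report, the setools project or the commenters), the script below parses constructed `sesearch -A` output for a domain and separates the per-socket permissions (packet_socket and rawip_socket on self) from the per-packet ingress/egress classes (netif, node, peer) described above, so an auditor can see at a glance whether a domain's raw/packet socket access sidesteps the per-packet rules. The sample allow rules and type names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `sesearch -A -s dhcpc_t` output (not captured from a real system).
SAMPLE_RULES = """\
allow dhcpc_t self:packet_socket { bind create getattr getopt ioctl read setopt write };
allow dhcpc_t self:rawip_socket { create read write };
allow dhcpc_t self:udp_socket { create bind read write };
allow dhcpc_t netif_type:netif { egress ingress };
allow dhcpc_t node_type:node { recvfrom sendto };
allow dhcpc_t unlabeled_t:peer recv;
allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
"""

# Checked once per socket (create/read/write), never per packet.
PER_SOCKET_CLASSES = {"packet_socket", "rawip_socket"}
# Ingress/egress controls: checked per packet, but only for AF_INET/AF_INET6 traffic.
PER_PACKET_CLASSES = {"netif", "node", "peer"}

# Matches "allow src tgt:class { p1 p2 };" and "allow src tgt:class perm;".
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+?)\s*:\s*(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
)


def parse_rules(text):
    """Yield (source, target, class, perms) for each allow rule in sesearch output."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = set(m.group("perms").split()) if m.group("perms") is not None else {m.group("perm")}
        yield m.group("src"), m.group("tgt"), m.group("cls"), perms


def audit_domain(text, domain):
    """Split a domain's network allow rules into per-socket and per-packet layers."""
    report = {"per_socket": defaultdict(set), "per_packet": defaultdict(set)}
    for src, tgt, cls, perms in parse_rules(text):
        if src != domain:
            continue
        if cls in PER_SOCKET_CLASSES and tgt == "self":
            report["per_socket"][cls] |= perms
        elif cls in PER_PACKET_CLASSES:
            report["per_packet"][cls] |= perms
    # Raw/packet socket traffic is never subject to the per-packet rules, so
    # if the domain may open such sockets only the per-socket rules apply to it.
    report["raw_or_packet_capable"] = bool(report["per_socket"])
    return report
```

Run it against real output with `sesearch -A -s dhcpc_t` piped into `audit_domain` to see which layer actually governs the domain.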
In your example for network ingress/egress controls you have a labeling of netif which I didn't think worked anymore since the compat_net code was removed. Also in RHEL5 I see plenty of denials at the udp level for dhclient (port/node/netif) using compat_net. I am going to switch my RHEL5 system off of using compat_net and see if I can control the program using the new controls. I also would like to see if dhclient in RHEL6/FC14 is really switched completely to raw/packet sockets and is totally uncontrollable via SELinux (other than the fact that you can say can network or not with a self perm on the sockets). If I am misunderstanding something please let me know, I just want to be sure everything works as advertised.
(In reply to comment #5)
> In your example for network ingress/egress controls you have a labeling of
> netif which I didn't think worked anymore since the compat_net code was
> removed.

It still works, trust me. If it doesn't, let me know and we'll fix it. Interface and address labeling was preserved as that is still important, the access controls are what has changed.

> Also in RHEL5 I see plenty of denials at the udp level for dhclient
> (port/node/netif) using compat_net. I am going to switch my RHEL5 system off
> of using compat_net and see if I can control the program using the new
> controls.

Unfortunately, the ingress/egress controls do not exist in RHEL5 kernels, you need to use a more modern kernel, e.g. RHEL6.

> I also would like to see if dhclient in RHEL6/FC14 is really
> switched completely to raw/packet sockets and is totally uncontrollable via
> SELinux (other than the fact that you can say can network or not with a self
> perm on the sockets). If I am misunderstanding something please let me know,
> I just want to be sure everything works as advertised.

Understood. I can't speak to how dhclient uses the network off the top of my head, but if it uses AF_INET[6] sockets you should be able to apply per-packet access controls via SELinux. If it uses raw/packet sockets, you're stuck with the per-socket controls.

I'm going to suggest that we close out this BZ and if Brian does find a problem using the new ingress/egress controls he can open a new BZ with the relevant details. Does that work for everyone?
Hearing no objections, I'm closing this bug.
(In reply to comment #7)
> Hearing no objections, I'm closing this bug.

Scratch that, it doesn't look like it will let me. I assume Brian or Miroslav will need to close this issue.
dhcpc doesn't use udp packets anymore due to a change in the kernel which now requires a NIC to have an IP address; therefore dhcpc apparently uses packet_sockets, which are not controlled by SELinux.