On 08/29/2010 06:02 PM, Mr Dash Four wrote:
>> I think you indeed have to declare new network interface types if you
>> want to differentiate between the various network interfaces in targeted
>> policy using network_interface()
>>
> This is what is defined in corenetwork.te.m4:
>
>     #
>     # network_interface(if_name,linux_interface,mls_sensitivity)
>     #
>     define(`network_interface',`
>     gen_require(``type unlabeled_t;'')
>     type $1_netif_t alias netif_$1_t, netif_type;
>     declare_netifs($1_netif_t,shift($*))
>     ')
>
> So, by that I am assuming that if I include
> 'network_interface(tun0,tun0,s0)' in my policy file (in corenetwork.te.in,
> instead of 's0', there is 's0 - mls_systemhigh' - does that matter?),
> this is all I need to do, right?
I would probably use s0 - mls_systemhigh if possible, for compatibility
with the MLS policy.
> Also, as part of the policy I wish to enable/restrict the program to
> connect on the mysqld port, but ONLY on the local (lo) interface, and then
> listen/bind on a predefined port but on the tun0 interface. How do I do
> that? There are 2 relevant macros in corenetwork.te.m4 for this:
>
>     corenet_tcp_bind_voip_sandbox_port(voip_sandbox_t)
>     corenet_tcp_connect_mysqld_port(voip_sandbox_t)
Those are unrelated to netif-related policy.
Basically, when you declare a netif type there are probably interfaces
created that provide access to your network interface type. That is what
governs whether your app can or cannot use it. If your app cannot use a
network interface, then it cannot use it to connect to mysqld.
> which are taken from:
>
>     ########################################
>     ## <summary>
>     ##	Bind TCP sockets to the $1 port.
>     ## </summary>
>     ## <param name="domain">
>     ##	<summary>
>     ##	Domain allowed access.
>     ##	</summary>
>     ## </param>
>     ## <infoflow type="none"/>
>     #
>     interface(`corenet_tcp_bind_$1_port',`
>     	gen_require(`
>     		$3 $1_$2;
>     	')
>
>     	allow dollarsone $1_$2:tcp_socket name_bind;
>     	$4
>     ')
>
> and
>
>     ########################################
>     ## <summary>
>     ##	Make a TCP connection to the $1 port.
>     ## </summary>
>     ## <param name="domain">
>     ##	<summary>
>     ##	Domain allowed access.
>     ##	</summary>
>     ## </param>
>     #
>     interface(`corenet_tcp_connect_$1_port',`
>     	gen_require(`
>     		$3 $1_$2;
>     	')
>
>     	allow dollarsone $1_$2:tcp_socket name_connect;
>     ')
>
> For me it is clear that $1 is the port type (voip_sandbox and mysqld in
> my case) and 'dollarsone' expands to the parameter in brackets
> (voip_sandbox_t in my case), but what are $2, $3 and $4 (in the 1st
> macro above) and what values do these have? The <param> tag does not
> describe any of these and I cannot find any reference anywhere! Would
> SLIDE have picked up those?
The $1_$2 is probably some hack to make it work. It's just the single
parameter $3 (domain).
> If I manage to 'decipher' these I may restrict the above statements to
> the proper net device type if there is no suitable other macro found,
> but as it stands I am a bit stuck!
Like I said above, the rule has nothing to do with network interfaces. It
governs access for the specified domain to connect to TCP ports.
Also, you've taken the above interface block from the template file. This
file is used to automatically generate interfaces for declared port types.
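To make the distinction in the reply concrete, here is an added illustration (not code from either poster, nor from refpolicy itself) of how the netif rules and the port rules sit side by side in a hypothetical voip_sandbox module. It assumes that network_interface(tun0, ...) generates corenet_tcp_sendrecv_tun0_if by the same pattern that gives lo its corenet_tcp_sendrecv_lo_if, and that the remaining boilerplate a real daemon domain needs (file contexts, init transitions, unlabeled-packet rules) lives elsewhere.

```m4
# Added example: hypothetical refpolicy module fragment for voip_sandbox_t.
# Not from the thread or from refpolicy; names marked "assumed" were not
# verified against any refpolicy release.

# --- 1. corenetwork.te.in (base policy): declare the netif type ---------
# Adds tun0_netif_t and generates the corenet_*_sendrecv_tun0_if interfaces
# (assumed name pattern, mirroring the existing lo_netif_t interfaces).
network_interface(tun0, tun0, s0 - mls_systemhigh)

# --- 2. voip_sandbox.te (the module) -------------------------------------
policy_module(voip_sandbox, 1.0.0)

type voip_sandbox_t;
type voip_sandbox_exec_t;
init_daemon_domain(voip_sandbox_t, voip_sandbox_exec_t)

# The domain needs its own TCP sockets before any netif or port rule matters.
allow voip_sandbox_t self:tcp_socket create_stream_socket_perms;

# Port-type rules: which port labels the domain may bind to or connect to.
# These say nothing about which interface the traffic crosses.
corenet_tcp_bind_voip_sandbox_port(voip_sandbox_t)
corenet_tcp_connect_mysqld_port(voip_sandbox_t)

# Netif-type rules: which interface labels the domain may send/receive on.
# These say nothing about ports.
corenet_tcp_sendrecv_lo_if(voip_sandbox_t)
corenet_tcp_sendrecv_tun0_if(voip_sandbox_t)   # assumed name, see lead-in

# Node rules are a third, equally independent check.
corenet_tcp_sendrecv_generic_node(voip_sandbox_t)

# Caveat: the kernel evaluates the netif check and the port check
# separately, so the rules above also let the domain reach mysqld_port_t
# over tun0 and bind voip_sandbox_port_t on lo. Type enforcement alone
# cannot tie a port permission to one interface; removing
# corenet_tcp_sendrecv_tun0_if would cut off all tun0 traffic, including
# the listener the domain is supposed to offer there.
```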