
Thursday, March 17, 2011

SELinux and IPtables

One of the things I have wanted to do with SELinux for years is figure out a way to make SELinux and iptables work together, but each time I looked at it, my use cases became too complicated. James Morris and Paul Moore worked on a mechanism called Secmark way back in the Red Hat Enterprise Linux (RHEL) 5 time frame. Put simply, Secmark uses iptables rules to assign SELinux labels to packets as they flow through an SELinux system.

Secmark has been used for years in Multi-Level Security (MLS) type environments, but has been pretty much ignored in targeted policy. On an MLS system, the security level of the packet matters more than the type label: it lets you prevent a process running as "unclassified" from reading a "Top Secret" packet.

Note: This article is not about labeled networking (labeling packets that travel between machines over the network). Secmark labels packets inside a single machine.

In a targeted system we do not usually use levels, so I wanted to use type enforcement, meaning controlling which processes can send/recv packets based on the type of the process and the type of the packet. Secmark allows you to write iptables rules that label packets arriving on port 80, so you can then write an SELinux rule allowing a process labeled httpd_t to send/recv packets labeled httpd_packet_t. But what about Firefox, Squid, etc.? My worry about labeling packets was that an explosion of packet types would generate really complicated policy. Taken to the extreme, you might end up with a packet type for every port type: httpd_packet_t, bind_packet_t, dns_packet_t .... Or even worse, a type for each combination of port type and network: httpd_internet_packet_t versus httpd_intranet_packet_t, or httpd_eth0_packet_t and httpd_eth1_packet_t.

As you can see, this would quickly become unmanageable, and writing such policy would be impossible for the distributions.

The unlabeled_t packet type

Currently, by default, we do not label any packets in policy, so the kernel labels every packet as unlabeled_t. Because of this, every SELinux domain on the system that uses the network has the rule:

allow MYDOMAIN unlabeled_t:packet { send recv };

This means that if you used Secmark to label packets and then took the firewall down, the kernel would go back to labeling all packets as unlabeled_t, and every network-using domain would suddenly gain more access. So taking down or reloading your firewall would not only expose ports to attack from outside, it would weaken your SELinux protection, potentially allowing confined domains to send/recv packets from untrusted networks.

Removing the unlabeled_t rules

In the latest Fedora releases I added a policy module called unlabelednet containing all the rules of the form allow MYDOMAIN unlabeled_t:packet { send recv }. If you remove this policy module, all confined domains lose the ability to send/recv unlabeled_t packets. I will be back-porting this to RHEL6. This means you can prevent confined domains from using the network at all unless you write rules for a labeled packet type.

Use Case

As I mentioned above, every time I looked into this problem I ended up with an explosion of types. I finally came upon a couple of use cases where I could write some simple rules and policy to further secure my laptop. I wanted to write policy to prevent all confined domains that are started at boot (system domains) from talking to the external network, and to allow all domains started by my login process (user domains) to talk to both the internal and external networks. The idea is that I do not want processes like avahi, sssd, sshd or any other process that gets started at boot to be listening for, or affected by, packets from the external network. If my VPN is shut down, the system domains are off the network, while I can still use the Internet for browsing and email.

The nice thing about this example is that you could use it to set up an Apache server that could only talk to the internal network and would drop packets from the external network.

I decided to create just three types for my network. I will explain the SELinux policy later in the article.

type internal_packet_t: iptables will label all packets that originate from or are destined for the internal network as internal_packet_t.

type dns_external_packet_t: iptables will label all packets destined for the external network on udp/tcp port 53 as dns_external_packet_t. I added this type because I wanted to dontaudit certain confined domains that try to talk to DNS servers outside my local network.

type external_packet_t: the default label for all packets on the machine not covered by the first two definitions.
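As an added example (not code from the original post), the script below puts the three packet types together with the unlabelednet removal described earlier: it emits an iptables mangle-table fragment that labels packets with SECMARK and carries the label across a connection with CONNSECMARK, a minimal policy module declaring the three types, and a check that no domain still holds the unlabeled_t:packet fallback. The internal network range 192.168.1.0/24, the module name mysecmark, the allow/dontaudit rules in the module, and the selinux-policy-devel Makefile path are all assumptions; the post says the real policy is explained later. The first two rules in each chain must come before the others because SECMARK is a non-terminating target, so the last matching rule sets the label.

```shell
#!/bin/sh
# Added example: Secmark labeling for the three packet types in the post.
# Nothing touches the running system unless run as "secmark.sh apply" (as root).
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"   # assumption: the VPN / intranet range
SEL="system_u:object_r"

# iptables-restore fragment for the mangle table.  SECMARK does not stop rule
# evaluation, so the LAST matching rule wins: default to external_packet_t
# first, then narrow down.  CONNSECMARK --save stores the first packet's
# label on the conntrack entry and --restore copies it to later packets, so
# replies (including UDP DNS answers) keep the label of the request.
iptables_rules() {
    cat <<EOF
*mangle
:SECMARK_LABEL - [0:0]
-A INPUT  -m state --state NEW -j SECMARK_LABEL
-A OUTPUT -m state --state NEW -j SECMARK_LABEL
-A INPUT  -m state --state NEW -j CONNSECMARK --save
-A OUTPUT -m state --state NEW -j CONNSECMARK --save
-A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
# 1. default: every packet is external_packet_t (never unlabeled_t while loaded)
-A SECMARK_LABEL -j SECMARK --selctx ${SEL}:external_packet_t:s0
# 2. DNS: dns_external_packet_t (overridden below when the peer is internal)
-A SECMARK_LABEL -p udp --dport 53 -j SECMARK --selctx ${SEL}:dns_external_packet_t:s0
-A SECMARK_LABEL -p tcp --dport 53 -j SECMARK --selctx ${SEL}:dns_external_packet_t:s0
# 3. internal network, either direction: internal_packet_t
-A SECMARK_LABEL -s ${INTERNAL_NET} -j SECMARK --selctx ${SEL}:internal_packet_t:s0
-A SECMARK_LABEL -d ${INTERNAL_NET} -j SECMARK --selctx ${SEL}:internal_packet_t:s0
COMMIT
EOF
}

# Policy module declaring the three types.  The allow/dontaudit rules are an
# assumed illustration of the use case: all confined domains may use the
# internal network, only login-session (userdomain) processes reach outside.
policy_te() {
    cat <<'EOF'
policy_module(mysecmark, 1.0)
type internal_packet_t;
corenet_packet(internal_packet_t)
type dns_external_packet_t;
corenet_packet(dns_external_packet_t)
type external_packet_t;
corenet_packet(external_packet_t)
gen_require(`
    attribute domain;
    attribute userdomain;
')
allow domain internal_packet_t:packet { send recv };
allow userdomain { external_packet_t dns_external_packet_t }:packet { send recv };
# boot-time daemons probing external DNS are denied without filling the audit log
dontaudit domain dns_external_packet_t:packet { send recv };
EOF
}

# Read "sesearch -A -t unlabeled_t -c packet" output on stdin; succeed if some
# domain can still send/recv unlabeled_t packets, i.e. the fallback remains.
unlabeled_packet_allowed() {
    grep -Eq '^allow [[:alnum:]_]+ unlabeled_t:packet .*(send|recv)'
}

apply() {
    policy_te > mysecmark.te
    make -f /usr/share/selinux/devel/Makefile mysecmark.pp   # selinux-policy-devel
    semodule -i mysecmark.pp
    semodule -r unlabelednet          # confined domains lose unlabeled_t:packet
    iptables_rules | iptables-restore --noflush
    if sesearch -A -t unlabeled_t -c packet | unlabeled_packet_allowed; then
        echo "warning: some domains can still use unlabeled_t packets" >&2
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Because the default rule labels everything external_packet_t, no packet is unlabeled_t while the rules are loaded; removing unlabelednet is what protects you once they are flushed. Keep the sesearch check in mind after a policy update, since a newer package could reintroduce the fallback rules.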
