SELinux/Networking

SELinux supports multiple networking related access controls. Alongside the TCP and UDP socket support, it also supports packet labeling (through SECMARK) and even peer labeling, where the label of a process on one system is reflected in the data communication towards the other system, allowing end-to-end policy decisions to be taken.

TCP and UDP socket support
The default access controls for networking by SELinux are based on the labels assigned to TCP and UDP ports and sockets. For instance, the TCP port 80 is labeled with  (and class  ). Access towards this port is then governed through SELinux access controls, such as name_connect and name_bind.

When an application connects to a port, the name_connect permission is checked; when an application binds to a port, the name_bind permission is checked.

SECMARK
With SECMARK, it isn't the port that is labeled, but the network packet itself.

When a network packet is handled by the Linux kernel, the  or   code can be used to manage how these packets are handled. With SECMARK, one of the rules that can be implemented is to add a label to these packets. Once network packets are labeled, SELinux access controls can be enforced on them.

The packets themselves are not physically labeled: labels are assigned to packets only on the current host. SECMARK is therefore a purely local labeling mechanism; labels never cross the network interface boundary.

Once SECMARK labeling is in place, the  class is enabled with the   and   permissions. For instance:

Listing labels on TCP and UDP sockets
With  and , labels assigned to TCP and UDP sockets can be (re)viewed.

For instance, to check the label on the TCP port 80 with :

To check the label for port 9001 with :
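The following bash function is an added example and not part of the wiki page: it resolves which port type covers a given protocol and port number from output in the style of the port listing shown above, preferring an exact port entry over the catch-all reserved/unreserved port ranges. The listing embedded in SAMPLE_LISTING is a constructed sample, not output captured from a real system.

```bash
#!/bin/bash
# Added example: resolve the SELinux port type for PROTO/PORT from a
# "semanage port -l" style listing. The listing below is a constructed sample.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

hi_reserved_port_t             tcp      512-1023
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
tor_port_t                     tcp      6969, 9001, 9030, 9050, 9051, 9150
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535'

# port_type PROTO PORT [LISTING]
# Prints the port type on stdout; returns 1 when no entry covers the port.
# A single-port entry wins over a range entry, so a specifically assigned
# port is not shadowed by the reserved/unreserved catch-all ranges.
port_type() {
    local proto="$1" port="$2" listing="${3:-$SAMPLE_LISTING}"
    local exact="" ranged="" type lproto ports p lo hi
    # The header line and blank lines never match the protocol, so they are skipped.
    while read -r type lproto ports; do
        [ "$lproto" = "$proto" ] || continue
        # Entries are comma separated; ranges are written as lo-hi.
        for p in ${ports//,/ }; do
            case "$p" in
                *-*)
                    lo=${p%-*}; hi=${p#*-}
                    if [ -z "$ranged" ] && [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                        ranged=$type
                    fi ;;
                *)
                    if [ -z "$exact" ] && [ "$p" -eq "$port" ]; then
                        exact=$type
                    fi ;;
            esac
        done
    done <<EOF
$listing
EOF
    local result="${exact:-$ranged}"
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}
```

Pass the real listing as the third argument, e.g. `port_type tcp 9001 "$(semanage port -l)"`, to query a live system.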

Changing socket labels
A port can only be given a different label when it currently carries one of the following labels:
 * (for ports 1024 and up that are not directly assigned yet)
 * (for ports 512-1023 that are not directly assigned yet)
 * (for ports 1-511 that are not directly assigned yet)

To assign a specific label, use  like so:

Removing custom port labeling
A label that was assigned through  can be removed with  as well:

Listing domains with access to a particular port
To query which domains have access to a particular port, use the  command, like so:

Listing SECMARK firewall rules
To list the current SECMARK labeling rules, use . SECMARK rules are usually placed in the "mangle" table.

Adding a SECMARK labeling rule
For instance, to label packets that originate from 192.168.1.2 and arrive on port 443 with the  label: