Enabling the Network Ingress/Egress Controls

There have been quite a few questions lately about how to enable the SELinux network ingress/egress controls on recent Fedora releases. This is good because it means people actually want to use this stuff, but it is also bad because it tells me that I haven't done a very good job explaining how to use them. Actually, looking back on this site I see that while I've written about the ingress/egress controls I haven't described how you would enable them on a modern Linux distribution. Ooops.

However, fear not faithful readers and confused administrators, for this is post shall explain, in four easy steps, how to enable the SELinux network ingress/egress controls. Without further ado, let's begin ...

The first step is to ensure you have the netlabel_tools package installed. This is necessary because the netlabel_tools package contains the netlabelctl application which we will be using to configure NetLabel in the final step. Using yum you should be able to install netlabel_tools with the following command:

# yum install netlabel_tools

After you have installed the netlabel_tools package the next step is to ensure you have a SELinux policy module loaded which defines at least two new types: one to be assigned to a network interface and another to be assigned to network traffic. To be honest, you'll probably want to create more than just those two types but that will be dependent on your particular configuration; for more information I suggest you look at my original post on the ingress/egress controls where I go into more detail on the policy aspect of these controls. Regardless of what you decide, for the example here I will be using "foo_netif_t" for the network interface type and "foo_peer_t" for the network traffic type.

With the SELinux policy module loaded and our new types defined, it is time to assign our new network interface type to an interface on the system. We use the semanage tool to manipulate the SELinux types assigned to network interfaces, in order to add a type to an interface, "eth2" in this example, we use the following command:

# semanage interface -a -t foo_netif_t eth2

We can verify that the interface is assigned the correct type with the following command:

# semanage interface -l
SELinux Interface              Context
eth2                           system_u:object_r:foo_netif_t:s0

Now that we have the network interface labeled the final step is to setup some form of peer labeling on the network. For many of you not using CIPSO or labeled IPsec, this means configuring NetLabel's static/fallback labels. In this example, we are going to configure all of the IPv4 and IPv6 traffic entering the system via "eth2" as having the "foo_peer_t" label; we do this with the following command:

# netlabelctl unlbl add interface:eth2 address:0.0.0.0/0 
label:system_u:object_r:foo_peer_t:s0
# netlabelctl unlbl add interface:eth2 address:::/0 
label:system_u:object_r:foo_peer_t:s0

We can verify the configuration with the following command:

# netlabelctl -p unlbl list
Accept unlabeled packets : on
Configured NetLabel address mappings (2)
 interface: eth2
   address: 0.0.0.0/0
    label: "system_u:object_r:foo_peer_t:s0"
   address: ::/0
    label: "system_u:object_r:foo_peer_t:s0"

At this point the SELinux network ingress/egress control should be up and running on your system. As a reminder, you'll want to be sure to have all the right allow rules for these new controls in your SELinux policy as simply adding the types without the allow rules could result in a total loss of network access; because of this I recommend you do this with SELinux in permissive mode until you are comfortable with how the system operates.