Layered Network Interfaces08 Nov 2010 tags: selinux
If you’ve ever configured a tagged VLAN on a Linux system you know that for each VLAN ID on the system there exists a matching network interface, this is a nice feature that helps ease the pain of managing multiple VLANs but it presents an interesting question for SELinux administrators: how do the interface level access controls work? Since the individual VLAN interfaces are “layered” on top of the underlying physical interface, do the SELinux access controls happen at the physical interface, the VLAN interfaces or both?
It turns out the answer is quite simple and applies regardless of how many layers of network interfaces you have configured; the SELinux interface level network access controls are applied to traffic as it pass through the top most interface layer. In the case of a system configured with multiple tagged VLANs, the access controls are applied at the VLAN interface layer. In the case of a system configured with multiple tagged VLANs running on top of a bonded interface running on top of a pair of physical interfaces, the access controls are applied at the VLAN interface layer. Regardless of the number of interface layers, the SELinux access controls are always applied to the top most interface layer.
Further, assigning SELinux security labels to these pseudo-interfaces is done the same way you would for a regular physical interface: using the semanage tool. Once you have the interfaces labeled, you can start defining your network access control policy just as if you were working with a physical interfaces.