On 07/24/2009 03:53 PM, Stephen Smalley wrote: > On Fri, 2009-07-24 at 15:47 -0400, Casey Dahlin wrote: >> A couple of mentions of SELinux have cropped up in the FireKit thread, which got me thinking about the Firewall and SELinux and ways in which they are similar. I had the following thought: >> >> SELinux already has a lot of policy information from which we might like to determine whether ports should be open to a particular program. The simplest mechanism I can see for doing that is to allow SELinux context to be referenced in the firewall rules. This prevents either system from having to be grotesquely modified. >> >> An example rule might look like this: >> >> -A INPUT -Z apache_t -j ACCEPT >> >> Here we tell the firewall to allow incoming traffic that will be intercepted in userspace by a process in the apache_t context. >> >> This does break in at least one way from traditional SELinux policy: something external to SELinux is interpreting the meaning of the context. The firewall rules can change while the actual SELinux policy stays put. I don't know how serious a problem that is (if it is one). >> >> Thoughts? > > SECMARK already allows you to label packets using iptables and then use > SELinux policy to control sending or receiving them. > > http://paulmoore.livejournal.com/4281.html > > There are also the name_connect and name_bind controls that regulate the > ability to connect or bind to specific ports via policy. > This is a very different mechanism. The idea behind my proposal is it allows a packet to be routed based on who is going to receive it. SECMARK, it seems, is designed to control who receives a packet based on how it is being routed. I don't know if you get the same effect this way. --CJD -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
