It sounds like something that looks at an SELinux policy's rules for SECMARK and generates corresponding iptables rules would amount to the same thing you have in mind. Since you load new SELinux policy in a big static-switch sort of way, it doesn't seem much different in a way you could discern whether you actually have the firewall driven off the AVC stuff "dynamically" or if you just "statically" generate a set of firewall rules based on SELinux policy.

I suppose you could just integrate this into iptables userland so that the "-Z" syntax you suggested would just look up current SELinux policy for everything with that label and generate corresponding rules, though you might want those rules marked somehow so that a policy reload automagically regenerated them. OTOH, it seems fine enough to me to just leave that in scriptland, so "service iptables reload" recomputes from the current SELinux policy, and maybe the normal ways to install a policy change do that automatically.

Perhaps the difference is that you have the firewall ports open even when nothing running has those ports bound. Actually, I'm not sure if that wouldn't have been true with what you suggested anyway. A lax SELinux policy might be allowing anyone to bind to the SECMARK labels for those ports, not just the daemon you have in mind. (i.e. the targeted policy uses SECMARK to constrain that daemon to binding only those particular ports, but doesn't prevent random unconstrained_t processes from binding them.)

Thanks,
Roland

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
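As an added illustration of the "statically generate firewall rules from SELinux policy" idea discussed above (example code, not from the thread or any Fedora tool): it parses sesearch-style `allow ... :packet` rules, keeps the packet types some domain may `recv`, and emits mangle-table SECMARK rules for those whose port is known. The sample rules and the packet-type-to-port table are constructed assumptions; real policy does not carry port numbers, so that table has to be supplied. The per-type domain list also surfaces the lax-policy caveat from the message: more than one domain may be allowed to receive a given packet type.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of "sesearch -A" output (not real policy output).
SAMPLE_ALLOW_RULES = """\
allow httpd_t http_server_packet_t:packet { send recv };
allow unconfined_t http_server_packet_t:packet { send recv };
allow sshd_t ssh_server_packet_t:packet { send recv };
allow unconfined_t unlabeled_t:packet { send recv forward_in forward_out };
allow httpd_t httpd_tmp_t:file { read write };
"""

# Assumed mapping packet type -> (protocol, port). SELinux policy itself does not
# say which port a SECMARK packet type applies to, so the generator needs this input.
PACKET_PORTS: Dict[str, Tuple[str, int]] = {
    "http_server_packet_t": ("tcp", 80),
    "ssh_server_packet_t": ("tcp", 22),
}

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):packet\s+\{([^}]*)\}\s*;")


def packet_types_with_recv(rules: str) -> Dict[str, Set[str]]:
    """Return {packet_type: {domains allowed to recv it}} from allow rules on class packet."""
    found: Dict[str, Set[str]] = {}
    for line in rules.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # other object classes (e.g. :file) are not SECMARK-relevant
        domain, ptype, perms = m.group(1), m.group(2), m.group(3).split()
        if "recv" in perms:
            found.setdefault(ptype, set()).add(domain)
    return found


def generate_secmark_rules(rules: str, ports: Dict[str, Tuple[str, int]],
                           mls: str = "s0") -> List[str]:
    """Emit one SECMARK rule per receivable packet type that has a known port.

    Types without a port entry (e.g. unlabeled_t) produce nothing, so no port is
    opened for them; the caller can inspect packet_types_with_recv() to see how
    many domains a given type is shared with before trusting the result.
    """
    out: List[str] = []
    for ptype in sorted(packet_types_with_recv(rules)):
        if ptype not in ports:
            continue
        proto, port = ports[ptype]
        ctx = f"system_u:object_r:{ptype}:{mls}"
        out.append(f"iptables -t mangle -A INPUT -p {proto} --dport {port} "
                   f"-j SECMARK --selctx {ctx}")
    return out
```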