On Fri, 2005-04-22 at 20:46 +0200, Thomas Bleher wrote:
> I had an idea a while ago which may help you. I wanted to implement it
> myself but don't have time to do any kernel-hacking currently, so if you
> want to try it, feel free.
> My idea was to build an iptables module similar to the "Owner match"
> module which matches locally generated packets against a specific domain.
> That way you could probably achieve most of what you want.
> One problem here is: how do we cleanly match on security context? All
> the logic should be in the security server and controllable by policy.
> The most sane way I came up with is this:
> Declare a new class "iptables" (or "netfilter") with one permission
> "match". Then put this into policy:
> allow domain self:iptables match;
> The usermode iptables code passes a complete security context into the
> kernel which is converted into a sid internally. Now every time the
> iptables module is called on a packet it asks the avc if <sid of sending
> packet>:<sid passed into kernel>:IPTABLES__MATCH is allowed in the
> policy.
> I do not know if this is the best approach but it does allow matching on
> specific domains, on specific contexts (if the constraints are adjusted)
> or on a group of domains (you could add a dummy type all_userdomains_t
> and add "allow userdomain all_userdomains_t:iptables match;" or
> something like that and then match on all_userdomains_t in the iptables
> rule).
>
> I think such a module would be very useful. For example, the admin may
> want to specify that mozilla may only talk to the internal proxy server.
>
> Of course, this depends on the fact that such a module is actually
> doable and sane. I looked at the code but I am no kernel hacker so I
> would appreciate any insight/ideas.
LIDS seems to have supported something similar at one time using the iptables MARK module: http://www.lids.org/document/lids_worm.html

--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
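A user-space model of the check Thomas proposes in the quoted mail, added here as an example and not code from the thread, from LIDS or from any kernel module: the rule's context string is converted to a SID the way the kernel would at insertion time, and each packet decision is an AVC-style lookup of <packet sid>:<rule sid>:iptables match against a small allow table, including the all_userdomains_t grouping trick. The SID numbers, the domains user_t and mozilla_t, and the allow rules are constructed for illustration; the class and permission do not exist in any shipped policy.

```c
#include <string.h>

/* Constructed SID table; the kernel builds the real one from loaded policy
 * and exposes the conversion as security_context_to_sid(). */
static const char *sid_table[] = {
    "system_u:system_r:kernel_t",          /* sid 0 */
    "user_u:user_r:user_t",                /* sid 1 */
    "user_u:user_r:mozilla_t",             /* sid 2 */
    "system_u:object_r:all_userdomains_t", /* sid 3: dummy grouping type */
};
#define NSIDS (sizeof sid_table / sizeof sid_table[0])

/* Convert the context string supplied by the user-space iptables rule into a
 * SID at rule-insertion time; -1 if policy does not know the context. */
int context_to_sid(const char *ctx)
{
    for (size_t i = 0; i < NSIDS; i++)
        if (strcmp(sid_table[i], ctx) == 0) return (int)i;
    return -1;
}

/* Constructed allow rules, stored as (source sid, target sid), equivalent to:
 *   allow user_t    self:iptables match;
 *   allow mozilla_t self:iptables match;
 *   allow { user_t mozilla_t } all_userdomains_t:iptables match;
 * kernel_t has no rule, so its packets never match. */
struct allow_rule { int ssid, tsid; };
static const struct allow_rule avc_rules[] = { {1, 1}, {2, 2}, {1, 3}, {2, 3} };
#define NRULES (sizeof avc_rules / sizeof avc_rules[0])

/* The per-packet AVC question (avc_has_perm with class iptables, permission
 * match in the kernel): is <packet sid>:<rule sid>:iptables match allowed? */
int avc_has_perm_match(int ssid, int tsid)
{
    for (size_t i = 0; i < NRULES; i++)
        if (avc_rules[i].ssid == ssid && avc_rules[i].tsid == tsid) return 1;
    return 0;
}

/* Match decision: packet_sid is the sending socket's domain SID, rule_ctx the
 * context from the iptables command line.  1 = match, 0 = no match,
 * -1 = rule context unknown (insertion would be refused). */
int iptables_selinux_match(int packet_sid, const char *rule_ctx)
{
    int rule_sid = context_to_sid(rule_ctx);
    if (rule_sid < 0)
        return -1;
    return avc_has_perm_match(packet_sid, rule_sid);
}
```

With these rules a mozilla_t packet matches a rule naming mozilla_t or all_userdomains_t, a user_t packet matches only a rule naming user_t or all_userdomains_t, and a kernel_t packet matches nothing, which is the "only mozilla may reach the proxy" case from the mail.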