On Thu, 2005-11-17 at 18:32 -0500, Steve Brueckner wrote: > Can anyone tell me if there is a way to use SELinux under the targeted > policy to enforce a default deny rule that prevents all processes from > accessing the network? That is to say, all types including unconfined_t may > not access eth0, with just a few excepted types that are allowed to network? > I'm trying to lock down a system from the inside without having to deal with > the strict policy. SELinux denies anything that isn't explicitly allowed, so this is just a matter of modifying the policy to not allow such network access in the first place, e.g. - remove the network-related rules from the policy/macros/global_macros.te:unconfined_domain() macro, - remove all uses of the network macros from the other .te files except where you want to preserve such access, or remove the allow rules from the network macros (policy/macros/network_macros.te) and then add them back selectively to the desired domains. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
