On Fri, 2005-11-18 at 15:17 +0000, Paul Howarth wrote:
> Won't that kill all network access, including via localhost, rather than
> just eth0 access?

Well, yes, good point ;) Also looks like Dan reworked the old netifcon statements and netif types as part of the network macro work.

Ok, so one approach might be to:

- Add a netifcon statement to policy/net_contexts (between the portcon entries and the nodecon entries) to distinguish eth0:

    netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t

- Add the type to policy/types/network.te (or anywhere in the policy):

    type netif_eth0_t, netif_type;

- Change the allow rule in unconfined_domain from

    allow $1 netif_type:netif *;

  to:

    allow $1 netif_t:netif *;

  so that unconfined_t no longer gets access to all netif types, just the default one (which covers loopback).

Looks like macros/network_macros.te already limits itself to netif_t:netif, so it will also cease granting access to eth0 when you make the above changes without needing to modify the macro itself.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
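As an added illustration of why the three edits above work together (this is not code from the mail or from the Fedora policy), here is a small Python check that models the attribute expansion: an allow rule whose target is the netif_type attribute covers every netif type, while a rule targeting only netif_t leaves an interface labelled netif_eth0_t out of reach. The policy fragments are constructed, the parser understands only the three statement forms used in the mail, and the default-type assumption (an interface with no netifcon entry gets netif_t) is how loopback stays reachable.

```python
import re

# Constructed policy fragments (not the real Fedora policy): the state the mail
# describes before and after the proposed edits, with $1 already bound to
# unconfined_t as the unconfined_domain macro would do.
POLICY_BEFORE = """
attribute netif_type;
type netif_t, netif_type;
allow unconfined_t netif_type:netif *;
"""

POLICY_AFTER = """
attribute netif_type;
type netif_t, netif_type;
type netif_eth0_t, netif_type;
netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
allow unconfined_t netif_t:netif *;
"""

TYPE_RE = re.compile(r"^type\s+(\w+)\s*(?:,\s*([\w\s,]+))?;", re.M)
# netifcon IFACE  user:role:TYPE  user:role:type   (only the device context matters here)
NETIFCON_RE = re.compile(r"^netifcon\s+(\S+)\s+[^:\s]+:[^:\s]+:(\w+)\s", re.M)
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):netif\s+", re.M)


def parse_policy(text):
    """Return (type -> attributes, interface -> netif type, [(source, target)])."""
    types = {}
    for m in TYPE_RE.finditer(text):
        attrs = (m.group(2) or "").split(",")
        types[m.group(1)] = {a.strip() for a in attrs if a.strip()}
    netifcons = {m.group(1): m.group(2) for m in NETIFCON_RE.finditer(text)}
    allows = [(m.group(1), m.group(2)) for m in ALLOW_RE.finditer(text)]
    return types, netifcons, allows


def reachable_interfaces(text, domain, interfaces, default_type="netif_t"):
    """Interfaces on which `domain` holds netif permissions (perms assumed to be *).

    A target that is an attribute expands to every type declared with it; an
    interface without a netifcon entry is labelled with the default type.
    """
    types, netifcons, allows = parse_policy(text)
    allowed = set()
    for src, tgt in allows:
        if src != domain:
            continue
        if tgt in types:
            allowed.add(tgt)
        else:  # attribute such as netif_type: expand to all types carrying it
            allowed.update(t for t, attrs in types.items() if tgt in attrs)
    return {i for i in interfaces if netifcons.get(i, default_type) in allowed}
```

Running it on both fragments shows unconfined_t reaching both lo and eth0 before the change and only lo afterwards, matching the behaviour the mail predicts.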