On Thu, 2008-12-11 at 14:44 -0500, Doug Sikora wrote:
> thanks Stephen,
>
> Is there another option for sending/receiving packets?

Sending/receiving of packets is controlled by other permission checks.
There are the secmark-based checks (label packets via iptables, use the
:packet send/recv permissions to control), and there are the labeled
networking checks (configure netlabel or labeled ipsec and apply their
checks).

> In this situation, I would like both.
>
> I did get this information from Forrest (Thanks again Forrest) concerning
> the base policy. Once I reviewed the source code it wasn't too bad to
> figure out. It makes a good reference. I am adding it to this thread.

If your version of semanage supports the node contexts, then you
shouldn't have to rebuild your base policy.

> #########BEGIN
>
> To limit this, you have to recompile the base policy package and define
> a new node name.
>
> For instance, the inaddr_any_node_t is defined:
>
> type inaddr_any_node_t alias node_inaddr_any_t, node_type;
> nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t
>
>
> Similarly, you could do the same thing for a new type:
>
> type blue_node_t, node_type;
> nodecon 10.0.5.1 255.255.255.255 system_u:object_r:blue_node_t
>
> The problem in implementing this, is that you have to have the exact IP
> address that will be used in the field. Also, changing the base policy
> means you have to redo this change every time there is a new policy
> provided by Red Hat (as an update).
> ########END
>
>
>
> Doug
>
> ----- Original Message -----
> From: "Stephen Smalley" <sds@xxxxxxxxxxxxx>
> To: "Doug Sikora" <dsikora@xxxxxxxxxx>
> Cc: fedora-selinux-list@xxxxxxxxxx
> Sent: Thursday, December 11, 2008 2:32:48 PM GMT -05:00 US/Canada Eastern
> Subject: Re: using selinux to allow only certain hosts or networks
>
> On Tue, 2008-12-09 at 09:15 -0500, Doug Sikora wrote:
> > The below rules came from audit2allow,
> >
> > allow test_t inaddr_any_node_t:tcp_socket node_bind;
> > allow test_t inaddr_any_node_t:udp_socket node_bind;
> >
> > Instead of allowing "any_node" I would like to limit this to specific
> > hosts and or networks.
> >
> > Does anyone know the syntax for this?
>
> Note that the check above is only dealing with binding to an address,
> not sending/receiving packets. Is binding what you want to limit to
> specific addresses?
>
> If so, you need to define types for the addresses (via local policy
> module) and map the addresses to those types (via semanage node).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
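The "local policy module plus semanage node" route Stephen describes above, written out as an added example script (not code from the thread or from the SELinux project). It reuses test_t and blue_node_t from the thread; the addresses 10.0.5.1 and 10.0.5.0/24 are constructed sample values, and the install and labelling steps assume root on a box with checkmodule, semodule_package, semodule and a semanage that supports node contexts.

```shell
#!/bin/sh
# Added example, not from the thread: declare a node type in a local policy
# module and map addresses onto it with semanage node, so base policy is
# never rebuilt. test_t/blue_node_t come from the thread; addresses are made up.

MODNAME=blue_node

# Print the policy module source. The node type is declared here, and no
# nodecon statement appears: address-to-type mapping is done at runtime
# with semanage node, which survives Red Hat policy updates.
gen_node_te() {
    domain="$1"     # domain whose bind is being restricted, e.g. test_t
    nodetype="$2"   # new node type, e.g. blue_node_t
    cat <<EOF
module $MODNAME 1.0;

require {
    type $domain;
    attribute node_type;
    class tcp_socket node_bind;
    class udp_socket node_bind;
}

type $nodetype, node_type;

# These replace the audit2allow rules against inaddr_any_node_t, so $domain
# can bind only to addresses that carry the $nodetype label.
allow $domain $nodetype:tcp_socket node_bind;
allow $domain $nodetype:udp_socket node_bind;
EOF
}

# Compile and install the module (files are written under the given directory).
install_node_policy() {
    dir="${1:-.}"
    gen_node_te test_t blue_node_t > "$dir/$MODNAME.te"
    checkmodule -M -m -o "$dir/$MODNAME.mod" "$dir/$MODNAME.te"
    semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod"
    semodule -i "$dir/$MODNAME.pp"
}

# Map one host and one /24 network to blue_node_t. Unlisted addresses keep
# their default node label, for which this module grants test_t no node_bind.
label_nodes() {
    semanage node -a -t blue_node_t -p ipv4 -M 255.255.255.255 10.0.5.1
    semanage node -a -t blue_node_t -p ipv4 -M 255.255.255.0 10.0.5.0
    semanage node -l
}
```

Usage: `install_node_policy /tmp && label_nodes`, then remove the inaddr_any_node_t node_bind rules from whatever module audit2allow produced.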