Re: Label eth0 with a MCS security category?

On Fri, 21 Aug 2009, Jason Shaw wrote:

> In FC-11, under the targeted policy, is it possible to label an ethernet
> interface (such as eth0, eth1) with a specific MCS category?
> 
> Example:
> 1) Use semanage to assign user1 to s0:c5
> 3) Assign eth0 to s0:c4 (Can this be done?)
> 4) Assign eth1 to s0:c5
> 
> Desired result: if user1 tries to ping -I eth1 <ip_address> the ping command
> will work (as both eth1 and user1 have category c5). If user1 tries to ping
> -I eth0 <ip_address>, the ping command will not work (category mismatch
> between user and eth1).

It should be possible to do this via iptables and SECMARK.

i.e. match all packets on ethN and label with the MCS category then use 
the SELinux packet flow policy rules.

I haven't looked at this stuff for a while, so cc'ing Paul Moore, who 
maintains the code.

-- 
James Morris
<jmorris@xxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
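
The SECMARK approach suggested in the reply above, sketched as an added example that is not part of the original message or of any project's code: a generator that prints mangle-table rules labelling each interface's packets with its MCS category. The `system_u:object_r:packet_t` context and the `secmark_rules`/`valid_pair` helper names are assumptions, and the category check only takes effect if the loaded policy constrains packet send/recv by category.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset
# that SECMARKs each interface's packets with its own MCS category.
# Assumption: system_u:object_r:packet_t is a placeholder packet context;
# substitute the packet type your loaded policy defines.
PKT_CTX_PREFIX="system_u:object_r:packet_t:s0"

# valid_pair IFACE CATEGORY: succeed only for a sane name and c0..c1023
# (c0..c1023 is the default MCS category range)
valid_pair() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ] || return 1        # kernel limit: IFNAMSIZ - 1
    case "$2" in
        c[0-9]|c[1-9][0-9]|c[1-9][0-9][0-9]|c[1-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "${2#c}" -le 1023 ]
}

# secmark_rules IFACE:CAT...: print mangle-table rules, or fail without
# printing anything if any mapping is malformed
secmark_rules() {
    for pair in "$@"; do
        case "$pair" in
            *:*) valid_pair "${pair%%:*}" "${pair#*:}" && continue ;;
        esac
        echo "invalid mapping: $pair" >&2
        return 1
    done
    echo "*mangle"
    for pair in "$@"; do
        ctx="$PKT_CTX_PREFIX:${pair#*:}"
        echo "-A INPUT -i ${pair%%:*} -j SECMARK --selctx $ctx"
        echo "-A OUTPUT -o ${pair%%:*} -j SECMARK --selctx $ctx"
    done
    echo "COMMIT"
}

# The mapping from the question; review the output, then load it as root
# with: secmark_rules eth0:c4 eth1:c5 | iptables-restore --noflush
secmark_rules eth0:c4 eth1:c5
```

Interface names and categories are validated before any rule is printed, so a malformed mapping never produces a partial ruleset.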
