Constraints on netif and nodes no longer working after upgrading policy compiler

Hello,

I have been using the same policy, which I have customized, for a few years now. When I upgrade my OS (I believe I originally developed the policy on Fedora 6) I use the same policy and compile it with the new compiler. The message from checkpolicy when I started using this policy was that the binary representation was version 6. I upgraded to version 7 and version 8 without any difficulties. I have recently upgraded to a version of the compiler that outputs version 10. With this version all constraints on both netif and node have no effect on my policy. I have done some troubleshooting by simplifying the personalized policy to the point that now I am only looking at the following constraint:

constrain netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_send tcp_recv udp_send udp_recv }
(
	t1 == can_access_internet and r1 == standard_r
);

I had previously been able to successfully constrain Eth0, as well as several nodes I had defined. One of these constraints was for an rdc connection to a company server (used on a "work" user account), which was restricted to one IP address; and another was for my young son, to keep him limited to his "pbs kids" site. This is the primary reason I have used SELinux, although I am sure the other protections have been helpful as well.

I have already upgraded the policy to the most recent reference policy in an effort to resolve the issue. The only result was additional difficulties which were the result of labeling changes in the policy. After resolving those difficulties, I am back to my original problem. I am wondering what changes have been made in the policy compiler that could cause this change in behavior, and how I need to modify my policy in order to get the node and netif based constraints working again. If anyone has any ideas that would help me to resolve the problem I would appreciate it.

-Ken-

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
