On 08/29/2010 12:26 AM, Mr Dash Four wrote:
> I am trying to restrict an application I have installed to have access
> to a specific network interface only (tun0).
>
> Are all network interfaces labelled 'automatically' by SELinux with
> 'netif_xx_t' or do I have to label them manually from the policy file?
> If I have to do that manually is it done with the network_interface(...)
> macro?
>
> Also, if I relabel the interface would I have to amend all other
> policies for applications which need access to that interface
> (applications which use the 'generic' naming - netif_t) or is this not
> necessary?
>
> I've seen there is a macro in corenetwork.if.in called
> 'corenet_all_recvfrom_labelled' - is that macro allowing me to receive
> packets from labelled interface?

I think you indeed have to declare new network interface types if you want to differentiate between the various network interfaces in targeted policy, using network_interface().

Then, I think, you would have to manually label the interfaces using semanage. Or maybe the network_interfaces() interface takes care of labelling. Not sure.

By default most domains are allowed to use any network interface. They have access to the netif_type network interface attribute that is assigned to all network interface types (probably via network_interface()).

That, I think, probably means that you would have to replace the rules allowing the domain to use all network interfaces by rules that govern more specific access to the various network interface types.

You can probably test this by auditing grants:

auditallow domain netif_type:netif *;

or something along those lines. Try it, I would say.

> Thanks in advance!
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
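The procedure sketched in the reply above (declare a dedicated interface type, label tun0 with it, grant the application domain access to that type only, and use auditallow to find the remaining broad rules), as an added example that is not part of the thread and not the Fedora policy's own code. It assumes a Fedora/RHEL-style targeted policy with the module devel Makefile at /usr/share/selinux/devel/Makefile, policycoreutils installed, and a hypothetical application domain myapp_t; the module name tun0_netif and the type tun0_netif_t are also assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): confine a hypothetical domain
# myapp_t to the tun0 interface by introducing a dedicated network
# interface type and labelling tun0 with it via semanage.
# Assumes the devel Makefile at /usr/share/selinux/devel/Makefile
# (Fedora/RHEL selinux-policy-devel) and policycoreutils-python-utils.
set -eu

MODULE=tun0_netif        # hypothetical module name
IFACE=tun0
NETIF_TYPE=tun0_netif_t  # hypothetical interface type
APP_DOMAIN=myapp_t       # hypothetical application domain

# Emit the policy module source (.te). The domain is granted netif
# permissions on the new type only. Rules that already give it
# netif_type (i.e. every interface) must be removed from the
# application's own module: a second module cannot retract them.
render_te() {
    cat <<EOF
policy_module(${MODULE}, 1.0)

gen_require(\`
	attribute netif_type;
	type ${APP_DOMAIN};
')

# Dedicated interface type; joining netif_type keeps it a normal
# interface type for the rest of the policy (corenet_*_all_if rules).
type ${NETIF_TYPE};
typeattribute ${NETIF_TYPE} netif_type;

# Only this interface is usable by the application domain.
allow ${APP_DOMAIN} ${NETIF_TYPE}:netif { ingress egress tcp_send tcp_recv udp_send udp_recv };

# Temporary: log (never deny) use of any other interface, so leftover
# broad rules show up as "granted" AVC records in the audit log.
auditallow ${APP_DOMAIN} { netif_type -${NETIF_TYPE} }:netif *;
EOF
}

# Build the .pp with the distribution's devel Makefile and load it.
build_and_load() {
    tmp=$(mktemp -d)
    render_te > "${tmp}/${MODULE}.te"
    make -C "${tmp}" -f /usr/share/selinux/devel/Makefile "${MODULE}.pp"
    semodule -i "${tmp}/${MODULE}.pp"
}

# Bind the interface name to the new type. The type must already be
# loaded; the mapping persists in the policy store across reboots.
label_iface() {
    semanage interface -a -t "${NETIF_TYPE}" "${IFACE}"
    semanage interface -l | grep "${IFACE}"
}

# auditallow hits are logged as AVC "granted" records.
show_grants() {
    ausearch -m AVC -ts recent | grep granted || true
}

case "${1:-}" in
    render) render_te ;;
    apply)  build_and_load; label_iface ;;
    audit)  show_grants ;;
    *)      echo "usage: $0 render|apply|audit" >&2 ;;
esac
```

Run with `render` to inspect the generated module, `apply` (as root) to build, load and label, and `audit` after exercising the application. One caveat worth knowing before trusting the result: the kernel only evaluates netif ingress/egress (and the legacy tcp_send/tcp_recv style) permissions when peer labelling is active, that is, when NetLabel or labelled IPsec is in use, or when the loaded policy lacks the network_peer_controls capability and the old per-socket checks apply. On a stock targeted system with neither, the auditallow stays silent and the interface restriction is not actually enforced, so an empty audit log is not proof that the policy is tight.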