On 08/29/2010 12:54 AM, Mantaray wrote:
> Mr Dash Four wrote:
>> I am trying to restrict an application I have installed to have access
>> to a specific network interface only (tun0).
>>
>> Are all network interfaces labelled 'automatically' by SELinux with
>> 'netif_xx_t' or do I have to label them manually from the policy file?
>> If I have to do that manually, is it done with the network_interface(...)
>> macro?
>>
>> Also, if I relabel the interface, would I have to amend all other
>> policies for applications which need access to that interface
>> (applications which use the 'generic' naming - netif_t) or is this not
>> necessary?
>>
>> I've seen there is a macro in corenetwork.if.in called
>> 'corenet_all_recvfrom_labelled' - does that macro allow me to receive
>> packets from a labelled interface?
>>
>> Thanks in advance!
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>
> I just wanted to note that I have had much more difficulty knowing if I
> have control over my network devices since the 2.6.30 kernel. Network
> control (Internet) is the only reason I use SELinux. If there is new
> and improved documentation for the usage of the network controls, I
> would greatly appreciate knowing about it.
>
> -Ken-

Did you have a look at this blog?:
http://paulmoore.livejournal.com/

And this:
http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/

And this:
http://james-morris.livejournal.com/11010.html