> I just wanted to note that I have had much more difficulty knowing if I
> have control over my network devices since the 2.6.30 kernel. Network
> control (Internet) is the only reason I use SELinux.

I agree completely! One thing I find really frustrating is working/defining ports and assigning different types to these ports.

For example: In the targeted policy there is a line in corenetwork.te.in which defines tor ports as 9001, 9090, 9091, 9050 and 9051. All of these are classified as the tor_port_t type. Most applications utilising tor (like Privoxy for example) only need to have access to the 9050 (and, maybe, 9051) tor port and not the rest, but as things stand this is impossible to achieve as the above group of ports are lumbered together having the same type. This, of course, presents a security loophole for applications to exploit.

The above example is not unique to tor - I experienced a very similar scenario when dealing with pop/smtp/imap ports - they are all packed together as one type - very inflexible.

So, in order to avoid this I had 2 choices: redefine the targeted policy and alter the corenetwork.te.in file appropriately, or find another way of defining these ports and fine-tune my custom policy to suit. Since I hit the wall with the latter (I posted a thread on here and got zero responses!) I was left with no choice but to redefine the targeted policy and, in the above example, split the tor port classification in 4 groups (as they should be!):

  tor_or - port 9001 (used internally by tor)
  tor_dir - ports 9090, 9091 (tor directory/bridge connections are done here)
  tor_proxy - port 9050 (most applications utilising tor use this port)
  tor_ctl - port 9051 (tor control port, used for controlling tor by other applications - like Vidalia for example)

> If there is new and improved documentation for the usage of the network controls, I
> would greatly appreciate knowing about it.
>

I second that!
Searching for sources of good information to resolve the above issues proved very frustrating indeed!
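
An added example, not part of the original post: a small Python audit that reads text in the column layout of `semanage port -l` and reports which extra ports a domain can reach once it is allowed to connect to the one type labelling the port it needs. The listing is constructed (the tor row uses the ports named in the post) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of `semanage port -l`.
# The tor_port_t row uses the ports named in the post; the other row is illustrative.
SAMPLE = """\
SELinux Port Type              Proto    Port Number

pop_port_t                     tcp      106, 109, 110, 143, 220, 993, 995, 1109
tor_port_t                     tcp      9001, 9090, 9091, 9050, 9051
"""


def parse_port_types(listing):
    """Map (type, proto) -> set of ports from `semanage port -l` style text."""
    table = defaultdict(set)
    for line in listing.splitlines():
        m = re.match(r"(\w+_t)\s+(tcp|udp|sctp|dccp)\s+(.+)$", line.strip())
        if not m:
            continue  # header or blank line
        setype, proto, ports = m.groups()
        for item in ports.split(","):
            # Entries are single ports or "low-high" ranges.
            lo, _, hi = item.strip().partition("-")
            table[(setype, proto)].update(range(int(lo), int(hi or lo) + 1))
    return dict(table)


def excess_ports(table, proto, needed):
    """For each type labelling a needed port, list the other ports that the
    same name_connect permission on that type also covers."""
    needed = set(needed)
    report = {}
    for (setype, p), ports in table.items():
        if p == proto and ports & needed:
            report[setype] = sorted(ports - needed)
    return report


if __name__ == "__main__":
    table = parse_port_types(SAMPLE)
    # A proxy client that only needs the tor SOCKS port (9050).
    for setype, extra in excess_ports(table, "tcp", [9050]).items():
        print(f"{setype}: also grants tcp ports {extra}")
```

On a live system the input would be the output of `semanage port -l`; an empty list for a type means the type is already as narrow as the domain's need.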