Re: netif labelling

> I think you indeed have to declare new network interface types if you
> want to differentiate between the various network interfaces in targeted
> policy using network_interface()
>
> Then, I think you would have to manually label the interfaces using
> semanage, I think, or maybe the network_interfaces() interface takes care
> of labelling. Not sure.
>   
There is a good example at the very end of corenetwork.te.in, which 
'redefines' the 'lo' network interface using the network_interfaces() 
macro. If I have to use a specific labelling I think I could follow that 
example (I wasn't sure if 'automatic' relabelling wasn't already done in 
some other obscure place in the targeted policy, hence my initial query).

> By default most domains are allowed to use any network interface. They
> have access to the netif_type network interface attribute that is
> assigned to all network interface types (probably via network_interface()).
>   
As I understand it (again, by looking at the corenetwork files), specific 
netif labelling, when defined, is used as an alias of netif_t, which 
grants access to all applications using the 'generic' type. If that is 
so and I am correct in that assumption, all I need to do is define an 
alias for a specific net device (as shown in the corenetwork files) - 
say netif_tun0_t - and use this type in my custom policy to grant access 
to this device only. All other applications in the policy utilising the 
generic type (netif_t) should not be affected, as the netif_xx_t is an 
alias of netif_t.

At least that is my understanding of it.

> That, I think, probably means that you would have to replace the rules
> allowing the domain to use all network interfaces by rules that govern
> more specific access to the various network interface types.
>   
Not if, as in my case, I am building a new policy, from scratch, for 
an application which needs access to a specific interface only (tun0) - 
if all of my assumptions in this post are true, of course.

> You can probably test this by auditing grants.
>
> auditallow domain netif_type:netif *; or something along those lines.
>
> Try it, I would say.
>   
That is pretty useful! I'll give it a go!

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
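The approach discussed in the thread, written out as an added example (not code from the list or from the reference policy): a refpolicy-style loadable module that declares its own interface type carrying the netif_type attribute, confines one application domain to that interface, and uses auditallow to reveal which netif grants actually fire. The domain and type names (myapp_t, myapp_exec_t, tun0_netif_t) are hypothetical, and whether myapp_t also inherits generic netif rules through the domain attribute is exactly what the auditallow line is there to show.

```selinux
# myapp.te -- hypothetical module, assumes a refpolicy-style targeted base
policy_module(myapp, 1.0.0)

gen_require(`
	# Attribute that corenetwork assigns to every network interface type.
	attribute netif_type;
')

# Confined domain for the application and its entry point (hypothetical names).
type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)

# A dedicated interface type for tun0. Giving it netif_type means rules in
# the base policy that target the attribute keep behaving as before; only
# the per-type rules below single this interface out.
type tun0_netif_t;
typeattribute tun0_netif_t netif_type;

# The application may send and receive on tun0 only; no rule names netif_t
# or netif_type here, so no other interface type is reachable from myapp_t.
allow myapp_t tun0_netif_t:netif { tcp_send tcp_recv udp_send udp_recv };

# Validation aid from the thread: log every netif grant for this domain
# (scoped to myapp_t rather than all of `domain` to keep the audit log usable).
# If grants appear for interface types other than tun0_netif_t, the domain
# is still picking up generic rules through its attributes.
auditallow myapp_t netif_type:netif *;

# netifcon statements are base-policy only, so the interface label itself is
# applied and persisted with semanage after the module is loaded:
#   make -f /usr/share/selinux/devel/Makefile myapp.pp && semodule -i myapp.pp
#   semanage interface -a -t tun0_netif_t tun0
#   semanage interface -l                 # confirm tun0 now maps to tun0_netif_t
# Grants produced by the auditallow rule show up as "granted" AVC records
# (ausearch -m AVC); remove the auditallow once the rule set is confirmed.
```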

