> example:
>
> corenet_tcp_sendrecv_lo_if(myapp_t)
> corenet_tcp_connect_mysqld_port(myapp_t)
>
> It means myapp_t can only tcp sendrecv on netif_lo_t.
> And it can connect to mysqld tcp ports.
>
> so:
>
> It can only connect to mysqld tcp ports using the lo interface because
> that's the only interface it can tcp sendrecv.

Yeah, but as part of the same policy I also need to bind to and send/receive TCP packets on the tun0 interface (as I posted before, I need 2 active interfaces)! Where does that go if I have to use the bind statement? Not to mention that if I need to, say, connect and send/receive packets on the https port on tun0 as part of the same policy, and therefore need to add another 'corenet_tcp_connect_https_port' statement, where would this go and which interface would this be 'enabled' on? Your example above is fine if I only need one interface to connect to and send/receive packets. That is not the case here!

>> What do you mean? I thought this is a part of the policy as statements
>> from this file are used by a lot of policy modules, or are you saying
>> this transforms to something else?
>>
>
> I mean the corenetwork module works a bit different than the common
> modules, in that it uses a template to generate interfaces for declared
> port types automatically. That's where it uses the file you were looking
> at. It's not a normal interface file and it should not be used
> manually. There's a script in refpolicy that does it for you.
>
> All you need to do is declare network object types and build the policy,
> then the script will generate the interfaces for you, unlike it does
> with most other modules.
>

Is there a way I could see the 'expanded' version of this, as this would be the key for me to use these statements in my policy file, just in case I run out of alternatives?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
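As an added illustration of why the two grants in the quoted example combine the way they do (this is not code from the thread or from refpolicy): a small Python model of the netif check and the port check an outbound connect must both pass, run over the thread's statements in their assumed expanded form. The type names lo_netif_t, mysqld_port_t and https_port_t follow refpolicy convention (the post writes netif_lo_t); tun0_netif_t is a hypothetical type the policy author would have to declare.

```python
"""Model how SELinux netif and port grants combine for an outbound TCP connect."""
import re
from typing import Dict, Set, Tuple

# Assumed expansion of the thread's interface calls (refpolicy-style type names;
# the post itself writes netif_lo_t). node and peer checks are left out.
#   corenet_tcp_sendrecv_lo_if(d)      -> allow d lo_netif_t:netif { tcp_send tcp_recv };
#   corenet_tcp_connect_mysqld_port(d) -> allow d mysqld_port_t:tcp_socket name_connect;
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{?\s*([\w ]+?)\s*\}?\s*;")

Rules = Dict[Tuple[str, str, str], Set[str]]

def parse_allow_rules(policy: str) -> Rules:
    """Collect allow rules as {(source, target, class): {permissions}}."""
    rules: Rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(policy):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def can_connect(rules: Rules, domain: str, netif_type: str, port_type: str) -> bool:
    """A connect needs the netif tcp_send/tcp_recv AND the port name_connect.
    The two checks are independent: nothing ties a port grant to one interface."""
    netif_ok = {"tcp_send", "tcp_recv"} <= rules.get((domain, netif_type, "netif"), set())
    port_ok = "name_connect" in rules.get((domain, port_type, "tcp_socket"), set())
    return netif_ok and port_ok

def reachable(rules: Rules, domain: str, netifs, ports) -> Set[Tuple[str, str]]:
    """Every (interface type, port type) pair the domain may connect through."""
    return {(n, p) for n in netifs for p in ports if can_connect(rules, domain, n, p)}

# Constructed policy: the two statements from the thread plus the https one.
POLICY_LO_ONLY = """
allow myapp_t lo_netif_t:netif { tcp_send tcp_recv };
allow myapp_t mysqld_port_t:tcp_socket name_connect;
allow myapp_t https_port_t:tcp_socket name_connect;
"""
# Same policy with send/recv on a second interface type. tun0_netif_t is a
# hypothetical name: refpolicy declares no netif type for tun0 out of the box.
POLICY_TWO_IFS = POLICY_LO_ONLY + "allow myapp_t tun0_netif_t:netif { tcp_send tcp_recv };\n"

NETIFS = ["lo_netif_t", "tun0_netif_t"]
PORTS = ["mysqld_port_t", "https_port_t"]

if __name__ == "__main__":
    for label, policy in (("lo only", POLICY_LO_ONLY), ("lo + tun0", POLICY_TWO_IFS)):
        print(label, sorted(reachable(parse_allow_rules(policy), "myapp_t", NETIFS, PORTS)))
```

With only the lo grant, both ports are reachable over lo alone; once a second interface is granted, every port the domain may name_connect becomes reachable over both interfaces, which is why a single domain type cannot express "mysqld over lo but https over tun0".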