On 08/29/2010 08:38 PM, Mr Dash Four wrote:
>
>> example:
>>
>> corenet_tcp_sendrecv_lo_if(myapp_t)
>> corenet_tcp_connect_mysqld_port(myapp_t)
>>
>> It means myapp_t can only tcp sendrecv on netif_lo_t.
>> And it can connect to mysqld tcp ports.
>>
>> so:
>>
>> It can only connect to mysqld tcp ports using the lo interface because
>> that's the only interface it can tcp sendrecv on.
>>
> Yeah, but as part of the same policy I also need to bind to and
> send/receive tcp packets on the tun0 interface (as I posted before - I
> need 2 active interfaces)! Where does that go if I have to use the bind
> statement?

So you would additionally add:

corenet_tcp_sendrecv_tun0_if(myapp_t)
corenet_tcp_bind_mysqld_port(myapp_t)

That would allow myapp_t to also tcp sendrecv on the tun0 network interface,
and it would allow myapp_t to bind tcp sockets to mysqld ports.

But I think I see where this is going:

Because now myapp_t can also connect to mysqld ports via the tun0 network
interface. Something you probably wanted to prevent.

Additionally, now myapp_t can also listen on the lo network interface. Also
something you probably wanted to prevent.

I am not sure how to best deal with this problem.

> Not to mention, that if I need to, say, connect and send/receive packets
> on the https port on tun0 as part of the same policy - and therefore
> need to add another 'corenet_tcp_connect_https_port' statement - where
> would this go and which interface would this be 'enabled' on?
> Your example above is fine if I only need one interface to connect to
> and send/receive packets. That is not the case here!

Good question that I cannot answer.

>
>>>>
>>> What do you mean? I thought this is a part of the policy as statements
>>> from this file are used by a lot of policy modules, or are you saying
>>> this transforms to something else?
>>>
>>
>> I mean the corenetwork module works a bit differently than the common
>> modules. In that it uses a template to generate interfaces for declared
>> port types automatically. That's where it uses the file you were looking
>> at. It's not a normal interface file and it should not be used
>> manually. There's a script in refpolicy that does it for you.
>>
>> All you need to do is declare network object types and build the policy,
>> then the script will generate the interfaces for you, unlike it does
>> with most other modules.
>>
> Is there a way I could see the 'expanded' version of this as this would
> be the key for me to use these statements in my policy file - just in
> case I run out of alternatives?

Get refpolicy and build it. It will generate a corenetwork.if file.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
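For reference, here is what the module the two posters have been assembling looks like when written out as a refpolicy .te file. This is an added example, not code from either poster or from refpolicy itself. It assumes the myapp_t / myapp_exec_t types from the thread, assumes tun0 is declared as a network interface type in the corenetwork module (which corenet_tcp_sendrecv_tun0_if requires), and adds the generic node, unlabeled-peer and self socket rules that refpolicy domains normally carry next to the corenet interface and port calls. The comments spell out why the interface rules and the port rules combine the way the reply describes: each set is a rule on its own object type, and nothing ties a port to an interface.

```selinux
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical domain and entrypoint types, as named in the thread.
type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

########################################
#
# myapp local policy
#

# The domain creates and uses its own TCP sockets.
allow myapp_t self:tcp_socket create_stream_socket_perms;

# Rules a networking domain normally carries alongside the corenet
# interface/port calls: peers are unlabeled (no NetLabel/SECMARK here),
# and the generic node is used for sending, receiving and binding.
corenet_all_recvfrom_unlabeled(myapp_t)
corenet_tcp_sendrecv_generic_node(myapp_t)
corenet_tcp_bind_generic_node(myapp_t)

# Network interface rules, as in the thread. Each is an allow rule on a
# netif type only (tcp_send/tcp_recv); it says nothing about ports.
corenet_tcp_sendrecv_lo_if(myapp_t)
# Assumes corenetwork declares tun0 as a netif type, as the thread does.
corenet_tcp_sendrecv_tun0_if(myapp_t)

# Port rules, as in the thread. Each is an allow rule on a port type
# only (send_msg/recv_msg, name_connect, name_bind on mysqld_port_t);
# it says nothing about interfaces.
corenet_tcp_sendrecv_mysqld_port(myapp_t)
corenet_tcp_connect_mysqld_port(myapp_t)
corenet_tcp_bind_mysqld_port(myapp_t)

# What the kernel ends up allowing is the product of the two independent
# sets, which is exactly the problem the reply points out:
#   connect to mysqld via lo     (wanted)
#   bind   to mysqld on tun0     (wanted)
#   connect to mysqld via tun0   (not wanted, but allowed)
#   bind   to mysqld on lo       (not wanted, but allowed)
# No corenet interface expresses "port X only on interface Y".
```

To see the effect after `make` and `semodule -i myapp.pp`, query the loaded policy with setools: `sesearch -A -s myapp_t -c tcp_socket -p name_connect` and `sesearch -A -s myapp_t -c tcp_socket -p name_bind` list the port types the domain may connect to and bind, and `sesearch -A -s myapp_t -c netif` lists the interface types it may send and receive on; the two answers come back independently of each other, which is the orthogonality the reply is describing. The interfaces used above are the ones refpolicy generates for the declared port and netif types; in a refpolicy checkout, `make conf` regenerates corenetwork.te and corenetwork.if from their .in and .m4 sources, and the generated corenetwork.if is the expanded version the poster asked about.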