I have a bit of a conundrum for the more knowledgeable on here: I would like to define a block in the policy file (.te) - via a tunable_policy statement perhaps - which is executed based on a particular value set from outside.

For example, I would like to activate a block of the following statements:

    network_node(XXX, s0 - mls_systemhigh, YYY, ZZZ)
    corenet_tcp_sendrecv_XXX_if(my_t)
    corenet_udp_sendrecv_XXX_if(my_t)
    corenet_tcp_sendrecv_XXX_node(my_t)
    corenet_tcp_bind_XXX_node(my_t)
    corenet_udp_bind_XXX_node(my_t)

depending on a particular value being set for XXX, YYY and ZZZ (being the actual interface name, its IP address and netmask) from the outside - possibly via the SELinux tools. Is that possible?

The reason I am doing this is because I am writing a policy for a couple of domains/processes and want to restrict their access down to a particular node of particular number of interface which will be defined (i.e. the interface name, IP address and netmask) AFTER the policy has been built and, once defined, the values may change.

My SELinux knowledge is not complete enough to figure out how to deal with this. Any help is, as always, appreciated.

Thanks.