On April 15, 2011 12:16, "Christoph A." <casmls@xxxxxxxxx> wrote:
> I'd like to redirect traffic (for transparent proxying) coming from a
> program running in a sandbox_net_t (or sandbox_web_t) sandbox, but as
> far as I've seen there is no possibility to match/mark packets based on
> their local security context origin.

iptables rules that match packets based on their security contexts are a
bad idea for several reasons. For a discussion of these reasons, a list
of alternative resources, examples, and a netfilter module that will do
what you're asking for if you decide to ignore the reasons why this is
bad and do it anyway, see

    https://github.com/markmont/xt_selinux

If at all possible, use the advice Dan already sent:

> I am not sure about proxying, but you can force all packets from the
> sandbox to go to a proxy server and block them if they tried to go direct.

--
Mark Montague
mark@xxxxxxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux