On 04/15/2011 06:38 PM, Mark Montague wrote:
> On April 15, 2011 12:16 , "Christoph A." <casmls@xxxxxxxxx> wrote:
>> I'd like to redirect traffic (for transparent proxying) coming from a
>> program running in a sandbox_net_t (or sandbox_web_t) sandbox, but as
>> far as I've seen there is no possibility to match/mark packets based on
>> their local security context origin.
>
> iptables rules that match packets based on their security contexts are a
> bad idea for several reasons. For a discussion of these reasons, a list
> of alternative resources, examples, and a netfilter module that will do
> what you're asking for if you decide to ignore the reasons why this is
> bad and do it anyway, see https://github.com/markmont/xt_selinux

Thanks for the URL. I'll use xt_selinux only if there is no other way.

> If at all possible, use the advice Dan already sent:
>> I am not sure about proxying, but you can force all packets from the
>> sandbox to go to a proxy server and block them if they tried to go
>> direct.

How would I force the redirect without xt_selinux?

The rule would look like this:

iptables -t nat -A OUTPUT [-needed match criteria-] -j REDIRECT --to-ports 12345

The only missing part is the match criteria.
(By "redirect traffic" I meant '-j REDIRECT'.)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
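The rule the thread leaves unfinished, carried through to a complete rule set as an added example (it is not code from the thread, from xt_selinux, or from Dan's advice). It assumes the sandboxed program runs under a dedicated uid, so that iptables' owner match can stand in for the SELinux-context match the poster cannot get without xt_selinux, and that the transparent proxy listens on loopback port 12345 (the port from the thread's rule) under a different uid so its own outbound connections are not looped back into the redirect. SANDBOX_UID, the placeholder uid 1500, and the helper functions rule and sandbox_proxy_rules are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: force a sandboxed
# program's outbound TCP through a local transparent proxy and block (and
# log) anything that tries to go direct, as Dan's advice describes.
#
# Assumptions (constructed for the example):
#   - the sandboxed program runs as uid SANDBOX_UID, so "-m owner
#     --uid-owner" identifies its packets instead of an SELinux context;
#   - the proxy listens on 127.0.0.1:PROXY_PORT and runs as another uid.
# With APPLY unset the rules are only printed; APPLY=1 runs them (as root).

SANDBOX_UID="${SANDBOX_UID:-1500}"   # placeholder uid of the sandboxed program
PROXY_PORT="${PROXY_PORT:-12345}"    # port used in the thread's example rule

# Emit one iptables invocation; execute it only when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Build the complete rule set for a given uid and proxy port.
sandbox_proxy_rules() {
    uid="$1"
    port="$2"

    # 1. nat/OUTPUT: every new TCP connection the sandbox opens to a
    #    non-loopback address is redirected to the proxy port.
    rule -t nat -A OUTPUT -p tcp -m owner --uid-owner "$uid" \
        ! -d 127.0.0.0/8 -j REDIRECT --to-ports "$port"

    # 2. filter/OUTPUT: the redirected packets (now destined for the proxy
    #    port on loopback) are the only sandbox traffic allowed through.
    rule -A OUTPUT -o lo -p tcp -m owner --uid-owner "$uid" \
        --dport "$port" -j ACCEPT

    # 3. Everything else the sandbox sends (UDP, ICMP, TCP that slipped past
    #    the redirect) is logged at a bounded rate and dropped, which both
    #    blocks direct access and records the attempt for review.
    rule -A OUTPUT -m owner --uid-owner "$uid" -m limit --limit 5/min \
        -j LOG --log-prefix "sandbox-direct: "
    rule -A OUTPUT -m owner --uid-owner "$uid" -j DROP
}

sandbox_proxy_rules "$SANDBOX_UID" "$PROXY_PORT"
```

The owner match identifies packets by the uid of the socket's creator, not by SELinux domain, so this only substitutes for a context match when the sandbox really does run under its own uid. Note that rule 3 also drops the sandbox's UDP, including DNS; if the proxy does not resolve names on the program's behalf, a separate REDIRECT of UDP port 53 to a local resolver would be needed, and the logged "sandbox-direct:" entries show exactly which bypass attempts were made.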