For example, if you wanted to allow httpd_t to only use eth1, you have a problem. You need to label all of the devices on your system as something other than netif_t, and then add a rule like

    semanage interface -a -t public_t eth0
    semanage interface -a -t private_t eth1

    allow { domain -httpd_t } public_t:netif *;
    allow httpd_t private_t:netif *;

If you wanted all other processes to also use eth0, you would add

    allow domain private_t:netif *;

Now, ignoring the fact that I used domain instead of some attribute to indicate all domains that use the network: even if I did the code above, if a new interface showed up later, httpd_t would be allowed to use it, since it can use netif_t, which is the default for all interfaces. The problem is I cannot change the default.

    semanage interface -a -t public_t *

for example would not work, I don't think.

I guess I can do something hacky, like I am with unlabelednet.pp, and just put all of the netif rules into a module that I can disable, but I wanted to know if anyone has a better way.
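The scheme sketched in the message, written out as a loadable module in the kernel policy language (refpolicy style). This is an added example, not part of the original message: public_t, private_t, httpd_t, domain and netif_type come from the message or the stock policy, the module name ifsplit is my own assumption, and the domain-wide rule is kept as the message wrote it rather than narrowed to a network-using attribute. Note that it does nothing about the default netif_t label the message is worried about.

```selinux
policy_module(ifsplit, 1.0)

########################################
#
# Declarations
#
# Added example; "ifsplit" is an assumed module name.

require {
	attribute domain;
	attribute netif_type;
	type httpd_t;
}

# Interface types for the explicitly relabeled NICs. Any interface not
# relabeled with "semanage interface" keeps the default netif_t, which
# this module does not (and cannot) restrict.
type public_t, netif_type;
type private_t, netif_type;

########################################
#
# Policy
#

# Every domain except httpd_t may send/receive on public interfaces.
allow { domain -httpd_t } public_t:netif *;

# httpd_t is confined to the private interface(s).
allow httpd_t private_t:netif *;

# Uncomment to let all other domains use the private interface as well.
# allow domain private_t:netif *;

# Build, load and attach the labels (run as root):
#   make -f /usr/share/selinux/devel/Makefile ifsplit.pp
#   semodule -i ifsplit.pp
#   semanage interface -a -t public_t eth0
#   semanage interface -a -t private_t eth1
```

Check the result with `sesearch -A -s httpd_t -c netif`: the only netif targets listed for httpd_t should be private_t and whatever the base policy still grants on netif_t.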