Could you just do this with normal iptables rules, optionally using labeled networking to label packets coming in?

On Thu, Jan 9, 2014 at 8:59 AM, Victor Porton <porton@xxxxxxxx> wrote:
> 09.01.2014, 18:39, "Victor Porton" <porton@xxxxxxxx>:
>> I remind you that the sandbox is implemented in Fedora using SELinux.
>>
>> It would be useful to restrict a sandboxed application to connecting only to one programmatically specified Internet domain (just like Java and JavaScript security).
>>
>> It seems it is impossible with current SELinux.
>>
>> Could you add the necessary features? Please!
>
> You could add a syscall like:
>
> int selinux_restrict_domain(const char *domain);
>
> (We could modify this interface to restrict to a finite list of domains instead of one domain, but personally I don't need this.)
>
> --
> Victor Porton - http://portonvictor.org
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
Respectfully,
William C Roberts
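The iptables approach William suggests, worked through as an added example (not code from the thread or from the SELinux project): the sandbox is identified by the UID it runs as, its outbound traffic is allow-listed to a fixed set of destination addresses, and the permitted connections are stamped with an SELinux packet label via SECMARK/CONNSECMARK so the sandbox domain's policy can enforce the same restriction. The UID, the packet context `sandbox_net_packet_t`, and the TEST-NET-2 addresses are assumptions chosen for the example. The one thing iptables cannot do is match a name: the "domain" has to be resolved to addresses before the rules are built, and rebuilt if the answer changes.

```shell
#!/bin/sh
# Added example; not code from the SELinux project or from either poster.
# Confine a sandboxed process, identified by the UID it runs as, to a fixed
# set of destination addresses with plain iptables, and label the permitted
# traffic with an SELinux packet context via SECMARK so that policy on the
# sandbox domain enforces the same restriction.

SANDBOX_UID=1500                                       # assumed UID the sandbox runs as
PACKET_CTX='system_u:object_r:sandbox_net_packet_t:s0' # hypothetical packet type
ALLOWED_ADDRS='198.51.100.10 198.51.100.11'            # constructed: resolved addresses

# resolve_addrs DOMAIN: print the IPv4 addresses the resolver returns, one per
# line. Not called by the demo below so the script runs offline.
resolve_addrs() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# sandbox_rules UID CTX ADDR...: print the iptables commands, one per line.
sandbox_rules() {
    uid=$1; ctx=$2; shift 2

    # Filter table: a private chain so the allow-list can be flushed and
    # rebuilt when the domain resolves to different addresses.
    printf '%s\n' "iptables -N SANDBOX_OUT 2>/dev/null || iptables -F SANDBOX_OUT"
    printf '%s\n' "iptables -D OUTPUT -m owner --uid-owner $uid -j SANDBOX_OUT 2>/dev/null || true"
    printf '%s\n' "iptables -A OUTPUT -m owner --uid-owner $uid -j SANDBOX_OUT"
    for a in "$@"; do
        printf '%s\n' "iptables -A SANDBOX_OUT -d $a -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Everything else the sandbox UID originates is refused, DNS included:
    # resolve ahead of time, or add the resolver's address to the list.
    printf '%s\n' "iptables -A SANDBOX_OUT -j LOG --log-prefix 'sandbox-deny: '"
    printf '%s\n' "iptables -A SANDBOX_OUT -j REJECT"

    # Mangle table: label the first packet of each permitted connection, save
    # the label on the conntrack entry, and restore it onto every later packet
    # in both directions, so the replies coming in carry the label as well.
    for a in "$@"; do
        printf '%s\n' "iptables -t mangle -A OUTPUT -m owner --uid-owner $uid -d $a -m conntrack --ctstate NEW -j SECMARK --selctx $ctx"
    done
    printf '%s\n' "iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j CONNSECMARK --save"
    printf '%s\n' "iptables -t mangle -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore"
    printf '%s\n' "iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore"
}

# Print the rule set for the constructed inputs; pass --apply (as root) to run
# it. For a real name the address list would come from: resolve_addrs NAME
# ($ALLOWED_ADDRS is deliberately unquoted so it splits into one argument per
# address.)
if [ "${1:-}" = "--apply" ]; then
    sandbox_rules "$SANDBOX_UID" "$PACKET_CTX" $ALLOWED_ADDRS | sh
else
    sandbox_rules "$SANDBOX_UID" "$PACKET_CTX" $ALLOWED_ADDRS
fi
```

Two checks before relying on this. First, `-m owner --uid-owner` only matches locally generated packets, so it belongs in OUTPUT (as above); it cannot see forwarded traffic. Second, the SECMARK half only restricts anything if the sandbox domain is allowed `sandbox_net_packet_t:packet { send recv }` and is not allowed the same on `unlabeled_t`, which is the context every packet carries when no SECMARK rule has matched it; a domain that may send and receive `unlabeled_t` packets is unaffected by the labels.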