Sorry, it should restrict not only domain but also port and protocol.

So I propose this new syscall to restrict an application by "same-origin" policy:

int selinux_restrict_domain(struct sockaddr *ADDR, socklen_t LENGTH);

I am not sure that it is the best API specification. Please comment.

Note that probably all connections we need are TCP (not UDP), but we can support all protocols for completeness.

09.01.2014, 18:59, "Victor Porton" <porton@xxxxxxxx>:
> 09.01.2014, 18:39, "Victor Porton" <porton@xxxxxxxx>:
>
>> I remind that sandbox is implemented in Fedora using SELinux.
>>
>> It would be useful to restrict sandboxed application to connect only to one, programmatically specified Internet domain (just like Java and JavaScript security).
>>
>> It seems it is impossible with current SELinux.
>>
>> Could you add necessary features? Please!
>
> You could add a syscall like:
>
> int selinux_restrict_domain(const char *domain);
>
> (We could modify this interface to restrict to a finite list of domains instead of one domain, but personally I don't need this.)
>
> --
> Victor Porton - http://portonvictor.org

--
Victor Porton - http://portonvictor.org
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
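
The check that a "same-origin" restriction of this kind implies, as an added user-space sketch (not code from this thread, from SELinux or from the kernel). `struct origin`, `origin_v4` and `origin_allows` are hypothetical names; the protocol is kept as a separate field because a `struct sockaddr` holds only family, address and port.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical policy record: the single origin a sandboxed process may reach. */
struct origin {
    struct sockaddr_storage addr; /* family, address and port */
    int protocol;                 /* e.g. IPPROTO_TCP; a sockaddr does not carry this */
};

/* Build an IPv4 origin; an unparsable address yields AF_UNSPEC, which matches nothing. */
struct origin origin_v4(const char *ip, unsigned short port, int protocol)
{
    struct origin o;
    struct sockaddr_in sa;
    memset(&o, 0, sizeof(o));
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        sa.sin_family = AF_UNSPEC;
    memcpy(&o.addr, &sa, sizeof(sa));
    o.protocol = protocol;
    return o;
}

/* Return 1 only if protocol, family, address and port all match the origin. */
int origin_allows(const struct origin *o, const struct sockaddr *dst,
                  socklen_t dstlen, int protocol)
{
    if (!dst || dstlen < sizeof(dst->sa_family)) return 0;
    if (protocol != o->protocol || dst->sa_family != o->addr.ss_family) return 0;
    if (dst->sa_family == AF_INET && dstlen >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *a = (const struct sockaddr_in *)&o->addr;
        const struct sockaddr_in *b = (const struct sockaddr_in *)dst;
        return a->sin_port == b->sin_port && a->sin_addr.s_addr == b->sin_addr.s_addr;
    }
    if (dst->sa_family == AF_INET6 && dstlen >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *a = (const struct sockaddr_in6 *)&o->addr;
        const struct sockaddr_in6 *b = (const struct sockaddr_in6 *)dst;
        return a->sin6_port == b->sin6_port &&
               memcmp(&a->sin6_addr, &b->sin6_addr, sizeof(a->sin6_addr)) == 0;
    }
    return 0; /* unknown or truncated addresses are denied */
}
```

The comparison is on numeric addresses, so a policy stated as a domain name would have to be resolved to addresses before it could be expressed this way.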