On 01/09/2014 11:37 AM, Victor Porton wrote: > I remind that sandbox is implemented in Fedora using SELinux. > > It would be useful to restrict sandboxed application to connect only to one, programmatically specified Internet domain (just like Java and JavaScript security). > > It seems it is impossible with current SELinux. > > Could you add necessary features? Please! I'm not aware of any missing kernel features required to support your functionality. I think all you are missing is two userspace components: a library that provides whatever interface you design, and a daemon that receives the specification in whatever form you design and turns it into a set of SELinux and iptables SECMARK/CONNSECMARK rules to label the packets so that SELinux can mediate them accordingly, and loads that into the kernel for enforcement. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
