---------- Forwarded message ----------
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
Date: Fri, Jan 17, 2014 at 12:52 AM
Subject: Re: SELINUX language suggestion for future goals
To: Nainesh Patel <nainesh@xxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/16/2014 01:52 AM, Nainesh Patel wrote:
> Respected Sir,
>
> Currently, CIL (common intermediate language) is being developed by Tresys
> for the purpose of simplification and addition of features that are not
> possible in current macrolanguage for policy generation.
>
> My question is that, can we add a feature in the CIL language that it
> allows generation of rules based on the IP address of source and/or
> destination ?
>
> for example:
>
> Node A : IP address 1.1.1.1
>
> Node B : IP address 2.2.2.2
>
> GOAL : policy on Node A can be made to reflect that, any request from Node
> B to httpd_t object on Node A can not be accessed.
>
> Which means that we can define the IP based rules for the other hosts on
> network, this can create a new domain which can make operating system more
> secure.
>
> Waiting for your reply.
>
> Thanks
>
> -------- Nainesh Patel
I am no CIL expert, but you could do this type of thing now using labeled
secmark. This type of question should go to the SELinux
<selinux@xxxxxxxxxxxxx> mail list.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlLYMWwACgkQrlYvE4MpobPuGACghuCXvySI0Pb5IkYI5FAz+ewd
HoUAoNWTL0FrIJ4cN0vVrMdX6gxyy6QZ
=He9R
-----END PGP SIGNATURE-----
--
Nainesh Patel
Department of Computer Engineering
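
What the "labeled secmark" approach from the reply could look like for the Node A / Node B scenario in the question, as an added example that is not part of the original thread. Assumed here: TCP port 80, the reference policy type http_server_packet_t as the normal label, and nodeb_packet_t as a hypothetical type name; the helper names is_ipv4 and secmark_rules are also made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not run) the iptables
# commands that label packets on Node A; review the output, then apply as root.
# nodeb_packet_t is a hypothetical type: a local policy module must declare it
# as a packet type and must NOT contain
#   allow httpd_t nodeb_packet_t:packet { send recv };
# so httpd_t is denied those packets while http_server_packet_t stays allowed.

is_ipv4() {
    # Accept only dotted-quad digits so the address cannot carry shell syntax.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

secmark_rules() {
    peer=$1; port=$2; peer_type=$3
    is_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    case $peer_type in
        ''|*[!a-z0-9_]*) echo "bad type: $peer_type" >&2; return 1 ;;
    esac
    normal=system_u:object_r:http_server_packet_t:s0
    denied=system_u:object_r:$peer_type:s0
    # SECMARK does not stop rule traversal, so the last matching rule wins:
    # label all traffic for the port first, then relabel the peer's packets.
    for rule in \
        "INPUT -p tcp --dport $port -j SECMARK --selctx $normal" \
        "INPUT -p tcp --dport $port -s $peer -j SECMARK --selctx $denied" \
        "OUTPUT -p tcp --sport $port -j SECMARK --selctx $normal" \
        "OUTPUT -p tcp --sport $port -d $peer -j SECMARK --selctx $denied"
    do
        echo "iptables -t security -A $rule"
    done
}

# Scenario from the thread: Node B (2.2.2.2) must not reach httpd_t on Node A.
secmark_rules 2.2.2.2 80 nodeb_packet_t
```

The address match lives in the netfilter rule and the access decision in SELinux policy, so the policy itself never names an IP address.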