On Mon, Aug 25, 2014 at 03:11:03PM +0400, Stepan G. Fedorov wrote:
> Hello!
>
> The goal of this experiment is to see whether allow rules for netif class objects are
> working.
>
> I use Debian wheezy with the MLS SELinux policy, in enforced mode.
>
> eth0 is the only network interface, except lo.
>
> sesearch --allow -cnetif shows lots of allow rules for netif_t target type /
> netif target class.
>
> I do:
> 1) I add new type nginx_http_if_t with my own policy module;
> 2) semanage interface -a -t nginx_http_if_t -r s1:c0.c1023 eth0.
>
> I expect: to see all the processes in the system unable to read/write packets
> from the eth0 interface.
>
> I actually got: nothing changes - all networking is working as it was before
> changing the interface context.
>
> What am I doing/understanding wrong?

I suspect that these controls may be legacy (net_compat?). I may be wrong.

> Thank you!
>
> --
> Stepan G. Fedorov <StFedorov@xxxxxxxxx>
> Tel: +7-965-750-91-91
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
http://subkeys.pgp.net:11371/pks/lookup?search=0x02DFF788&op=index
Dominick Grift
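An added diagnostic for the question in this thread (not code from either poster or from the SELinux project): it checks the two conditions under which the kernel actually evaluates netif ingress/egress rules, which is why relabelling eth0 alone can leave traffic unchanged. It assumes the network_peer_controls capability file under /sys/fs/selinux and the "domain:...,protocol:..." line format of `netlabelctl map list`.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Assumption it encodes: the kernel
# evaluates netif { ingress egress } checks only when the loaded policy
# enables the network_peer_controls capability AND a peer labeling mechanism
# (NetLabel or labeled IPsec) is active; with neither, packets on eth0 are
# accepted without the interface label (nginx_http_if_t) ever being consulted.

SELINUXFS=${SELINUXFS:-/sys/fs/selinux}

# Returns 0 if the loaded policy turns on network_peer_controls.
peer_controls_enabled() {
    cap="$1/policy_capabilities/network_peer_controls"
    [ -r "$cap" ] && [ "$(cat "$cap")" = 1 ]
}

# Reads 'netlabelctl map list' output on stdin (assumed line format:
# "domain:DEFAULT,protocol:UNLABELED"). Returns 0 if any mapping other than
# the unlabeled default exists, which is what makes NetLabel count as enabled.
netlabel_active() {
    grep -v -q 'protocol:UNLABELED'
}

# Prints why netif rules would or would not take effect on the live system.
# Needs netlabelctl (netlabel_tools) for the second check.
report() {
    if peer_controls_enabled "$SELINUXFS"; then
        echo "network_peer_controls: enabled"
    else
        echo "network_peer_controls: disabled -> netif checks never run"
    fi
    if netlabelctl map list 2>/dev/null | netlabel_active; then
        echo "NetLabel: active -> netif ingress/egress will be enforced"
    else
        echo "NetLabel: inactive -> netif ingress/egress skipped" \
             "(only the unlabeled default mapping, or netlabelctl missing)"
    fi
    # Labeled IPsec (xfrm) is the other trigger; inspect it with:
    #   ip xfrm policy list
}

if [ "${1:-}" = "--live" ]; then
    report
fi
```

Run as `sh check_netif.sh --live` on the box in question; if both lines report disabled/inactive, `sesearch` output about netif_t is irrelevant to what the kernel enforces.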