> On Aug 11, 2016, at 10:31 AM, Colin Powers <Colin.Powers@xxxxxxxxx> wrote:
>
> Hi folks,
>
> I have a question about the way network communications of mounted filesystems work with SELinux. I wonder if anyone could provide some insight or a link to somewhere with more information.

Look at section 2.21 of http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf. They cover the possibilities.

> So let's say I have a RHEL6 machine with two network interfaces and I want to be very selective about which process can access which network interface.
>
> I can use iptables SECMARK to label all traffic on eth0 as my_eth0_packet_t and all traffic on eth1 as my_eth1_packet_t, then grant send/recv permissions appropriately.
>
> But let's say I want to be able to mount CIFS shares only using eth0. Does iptables SECMARK work in this scenario?
> If so, what process is actually doing the network communications - what SELinux type do I need to grant permission to send/recv my_eth0_packet_t?
> If not - how do the network comms work in this scenario and what are the options to achieve my goal of limiting traffic to eth0?
>
> Cheers
> Colin Powers
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
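The per-interface SECMARK setup Colin sketches, written out as an added example (this is not code from the thread, the list, or the SELinux Notebook): iptables rules that label everything crossing eth0 and eth1 with the two packet types, the CONNSECMARK save/restore pair that keeps established flows labelled, and a small refpolicy-style module granting send/recv. Only eth0, eth1 and the two packet type names come from the mail; the module name my_secmark and the confined domain my_app_t are hypothetical, and the `allow kernel_t` line rests on the assumption that the in-kernel CIFS client does its socket I/O in the kernel_t domain, which the thread leaves open. Treat that as something to confirm from the audit log, not as an answer.

```shell
#!/bin/sh
# Added example, not from the thread: per-interface SECMARK labelling with
# iptables plus a small refpolicy-style module granting packet send/recv.
# Assumed names: module "my_secmark" and confined domain my_app_t are
# hypothetical; the kernel_t grant assumes the in-kernel CIFS client's
# sockets are checked against kernel_t (verify with secmark_denials).

# Print the mangle-table rules for one interface. New flows crossing IFACE
# get the label TYPE; CONNSECMARK --save copies it to the conntrack entry
# and --restore puts it back on every later packet of that flow, so replies
# and long-lived connections stay labelled.
secmark_rules() {
    iface=$1
    ctx="system_u:object_r:$2:s0"
    cat <<EOF
iptables -t mangle -A INPUT  -i $iface -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -o $iface -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT  -i $iface -m state --state NEW -j SECMARK --selctx $ctx
iptables -t mangle -A OUTPUT -o $iface -m state --state NEW -j SECMARK --selctx $ctx
iptables -t mangle -A INPUT  -i $iface -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A OUTPUT -o $iface -m state --state NEW -j CONNSECMARK --save
EOF
}

# Print the policy module source. corenet_packet() makes both types
# packet types; my_app_t is allowed eth0 traffic only, and kernel_t is
# allowed eth0 traffic on the assumption that kernel-side clients such as
# the CIFS module send and receive from kernel context.
secmark_te() {
    cat <<'EOF'
policy_module(my_secmark, 1.0.0)

type my_eth0_packet_t;
type my_eth1_packet_t;
corenet_packet(my_eth0_packet_t)
corenet_packet(my_eth1_packet_t)

gen_require(`
    type my_app_t;
    type kernel_t;
')

allow my_app_t my_eth0_packet_t:packet { send recv };
allow kernel_t my_eth0_packet_t:packet { send recv };
EOF
}

# Build and load the module, then install the rules. Needs root and
# selinux-policy-devel; only runs when invoked with --apply.
secmark_apply() {
    tmp=$(mktemp -d) && cd "$tmp" || return 1
    secmark_te > my_secmark.te
    make -f /usr/share/selinux/devel/Makefile my_secmark.pp
    semodule -i my_secmark.pp
    secmark_rules eth0 my_eth0_packet_t | sh -e
    secmark_rules eth1 my_eth1_packet_t | sh -e
}

# List recent packet-class denials; the scontext field shows which domain
# actually did the send/recv (for a CIFS mount, check whether it is kernel_t).
secmark_denials() {
    ausearch -m AVC -ts recent 2>/dev/null | grep 'tclass=packet'
}

case "${1:-}" in
    --apply)   secmark_apply ;;
    --denials) secmark_denials ;;
esac
```

Two caveats for anyone trying this on a RHEL6 box: once a single SECMARK rule is loaded, SELinux enforces packet send/recv for every domain, and any packet no rule labels is treated as unlabeled_t, so expect denials from unrelated domains until their traffic is either labelled or permitted; and the iptables rules do not survive a reboot unless saved (service iptables save). Run the script with --denials after attempting the CIFS mount to see the real source context before adding any allow rule for it.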