|Main Archive Page > Month Archives > fedora-selinux archives|
> i would probably use s0 - mls_systemhigh if possible for compatibility
> with mls policy
>> Also, as part of the policy I wish to enable/restrict the program to
>> connect on mysqld port, but ONLY on the local (lo) interface and then
>> listen/bind on a predefined port but on the tun0 interface. How do I do
>> that? There are 2 relevant macros in corenetwork.te.m4 for this:
> those are unrelated to netif related policy.
> Basically when you declare a netif type there are probably interface
> create that provide access to your network interface type. That is what
> governs whether your app can or cannot use it. If your app cannot use a
> network interface, then it cannot use it to connect to mysqld.
You've lost me here.
In my policy I would need to do the following: 1) allow access to
lo:mysqld, BUT restrict access to tun0:mysqld; and 2) allow bind on
tun0:voip_sandbox, BUT restrict access to lo:voip_sandbox if such
attempts are made.
In other words, both lo and tun0 as interfaces should be allowed (and
properly labelled) - I presume with network_interface(..) - as mentioned
in my previous post (every other access to another interface, if exist,
should be restricted), though different ports should be enabled for
different network interfaces.
The point I made above is that corenet_tcp_bind_$1_port and
corenet_tcp_connect_$1 do not allow me to specify on which interface I
need this to be allowed!
If I am able to decipher this macro I will certainly be able to create a
group of statements for the 2 different interfaces, but as it stands I
seem to be able to define voip_sandbox port binding on ANY interface as
well as connecting to mysqld port also on ANY interface, which is not
what I want.
> The $1_$2 is probably some hack to make it work. its just the single
> parameter $3 (domain)
Is there any way I could 'expand' these statements and see what this
really is made of?
>> If I manage to 'decipher' these I may restrict the above statements to
>> the proper net device type if there is no suitable other macro found,
>> but as it stands I am a bit stuck!
> Like i said above the rule has nothing to do with network interfaces. It
> governs access for specified domain to connect to tcp ports.
Which is not what I need really as I would like to specify/govern access
for specific domain to connect/bind to tcp ports on specific interface!
> Also you've taken the above interface block from the template file. This
> file is used to automatically generate interfaces for declared port types.
What do you mean? I thought this is a part of the policy as statements
from this file are used by a lot of policy modules, or are you saying
this transforms to something else?
-- selinux mailing list email@example.com https://admin.fedoraproject.org/mailman/listinfo/selinux