netif labelling

Mantaray mantaray_1 at cox.net
Sat Aug 28 22:54:34 UTC 2010


Mr Dash Four wrote:
> I am trying to restrict an application I have installed to have access
> to a specific network interface only (tun0).
>
> Are all network interfaces labelled 'automatically' by SELinux with
> 'netif_xx_t' or do I have to label them manually from the policy file?
> If I have to do that manually is it done with the network_interface(...)
> macro?
>
> Also, if I relabel the interface would I have to amend all other
> policies for applications which need access to that interface
> (applications which use the 'generic' naming - netif_t) or is this not
> necessary?
>
> I've seen there is a macro in corenetwork.if.in called
> 'corenet_all_recvfrom_labelled' - is that macro allowing me to receive
> packets from labelled interface?
>
> Thanks in advance!
>

I just wanted to note that I have had much more difficulty knowing if I 
have control over my network devices since the 2.6.30 kernel.  Network 
control (Internet) is the only reason I use SELinux.  If there is new 
and improved documentation for the usage of the network controls, I 
would greatly appreciate knowing about it.

-Ken-
