node-specific rules
Mr Dash Four
mr.dash.four at googlemail.com
Thu Nov 11 14:57:47 UTC 2010
I have a bit of a conundrum for the more knowledgeable on here: I would
like to define a block in the policy file (.te) - via a tunable_policy
statement perhaps - which is executed based on a particular value set
from outside. For example:
I would like to activate a block of the following statements:
network_node(XXX, s0 - mls_systemhigh, YYY, ZZZ)
corenet_tcp_sendrecv_XXX_if(my_t)
corenet_udp_sendrecv_XXX_if(my_t)
corenet_tcp_sendrecv_XXX_node(my_t)
corenet_tcp_bind_XXX_node(my_t)
corenet_udp_bind_XXX_node(my_t)
depending on a particular value being set for XXX, YYY and ZZZ (being
the actual interface name, its IP address and netmask) from the outside
- possibly via the SELinux tools. Is that possible?
The reason I am doing this is because I am writing a policy for a couple
of domains/processes and want to restrict their access down to a
particular node on a particular number of interfaces, which will be defined
(i.e. the interface name, IP address and netmask) AFTER the policy has
been built, and once defined, the values may change. My SELinux knowledge
is not complete enough to figure out how to deal with this. Any help is,
as always, appreciated. Thanks.