node-specific rules
Mr Dash Four
mr.dash.four at googlemail.com
Sun Nov 14 10:33:24 UTC 2010
> I have a bit of a conundrum for the more knowledgeable on here: I
> would like to define a block in the policy file (.te) - via
> tunable_policy statement perhaps - which is executed based on a
> particular value set from outside. For example:
>
> I would like to activate a block of the following statements:
>
> network_node(XXX, s0 - mls_systemhigh, YYY, ZZZ)
> corenet_tcp_sendrecv_XXX_if(my_t)
> corenet_udp_sendrecv_XXX_if(my_t)
> corenet_tcp_sendrecv_XXX_node(my_t)
> corenet_tcp_bind_XXX_node(my_t)
> corenet_udp_bind_XXX_node(my_t)
>
>
> depending on a particular value being set for XXX, YYY and ZZZ (being
> the actual interface name, its IP address and netmask) from the
> outside - possibly via the SELinux tools. Is that possible?
>
> The reason I am doing this is because I am writing a policy for a
> couple of domains/processes and want to restrict their access down to
> a particular node of a particular number of interfaces which will be
> defined (i.e. the interface name, IP address and netmask) AFTER the
> policy has been built and once defined, the values may change. My
> SELinux knowledge is not that complete to figure out how to deal with
> this. Any help is, as always, appreciated. Thanks.
I guess nobody knows or nobody's willing to help then.
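One way to get the effect asked for above, as an added example that is not code from the original post or from the reference policy: a tunable_policy boolean can only switch rules on or off, and network_node() is an m4 macro expanded when corenetwork.te is generated for the base policy, so neither can carry an address chosen after the build. Instead the module declares node and interface types with no address attached, grants the domain access to those types only, and the interface name, address and netmask are bound at runtime with semanage node and semanage interface, which also lets them be changed later. Assumed names: module mynet, domain my_t, types my_node_t and my_netif_t, the refpolicy attributes node_type and netif_type from corenetwork.te, and the selinux-policy-devel Makefile path; the eth1 / 192.168.10.0/24 binding is a constructed example.

```shell
#!/bin/sh
# Added example for the node-specific rules question (not from the post).
# Assumptions: module "mynet", domain my_t, types my_node_t/my_netif_t,
# refpolicy attributes node_type and netif_type, and the devel Makefile
# path shipped by selinux-policy-devel. The address, netmask and device
# are NOT in the policy: they are bound after the module is loaded with
# "semanage node" / "semanage interface" and can be changed with -m / -d.

# Emit the .te source for the module.
mynet_te() {
cat <<'EOF'
policy_module(mynet, 1.0.0)

########################################
#
# Declarations
#

type my_t;
type my_exec_t;
init_daemon_domain(my_t, my_exec_t)

# Node and interface types with no address or device built in; they are
# bound to real values at runtime with semanage (see mynet_bind_cmds).
type my_node_t;
type my_netif_t;

gen_require(`
	attribute node_type;
	attribute netif_type;
')
typeattribute my_node_t node_type;
typeattribute my_netif_t netif_type;

########################################
#
# Policy
#

# my_t may only send/receive through my_netif_t and to/from my_node_t,
# and may only bind sockets to addresses labeled my_node_t.
allow my_t my_netif_t:netif { tcp_send tcp_recv udp_send udp_recv };
allow my_t my_node_t:node { tcp_send tcp_recv udp_send udp_recv };
allow my_t my_node_t:{ tcp_socket udp_socket } node_bind;

# Packets without a SECMARK label are unlabeled_t; network domains need this.
corenet_all_recvfrom_unlabeled(my_t)
EOF
}

# Print the semanage commands that bind the abstract types to a real
# interface, IPv4 address and netmask. Printed rather than executed so the
# mapping can be reviewed first; pipe to sh as root to apply.
mynet_bind_cmds() {
	ifname=$1; addr=$2; mask=$3
	printf 'semanage interface -a -t my_netif_t %s\n' "$ifname"
	printf 'semanage node -a -t my_node_t -p ipv4 -M %s %s\n' "$mask" "$addr"
}

# Build and load steps (selinux-policy-devel Makefile path assumed).
mynet_build_cmds() {
	printf 'make -f /usr/share/selinux/devel/Makefile mynet.pp\n'
	printf 'semodule -i mynet.pp\n'
}

# Dry run: show the module source and the commands for a constructed
# binding of eth1 on 192.168.10.0/24.
mynet_te
mynet_build_cmds
mynet_bind_cmds eth1 192.168.10.0 255.255.255.0
```

The semanage entries live in the policy store rather than in the module, so they survive rebuilding and reloading mynet.pp; `semanage node -l` shows the current mapping, and on an MLS policy `semanage node` also takes `-r` for the range that the network_node() macro would otherwise have carried.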