I've never done it but I think you can accomplish what you want by
setting up netfilter rules using iptables to label the incoming packets
from the specific hosts/networks that you wish to allow. Since IP
addresses can be spoofed, it won't be very secure unless you use IPsec.
Josh Brindle wrote a good article on secure networking with SELinux:
bounces(a)redhat.com] On Behalf Of Doug Sikora
Sent: Tuesday, December 09, 2008 6:16 AM
Subject: using selinux to allow only certain hosts or networks
The rules below came from audit2allow:
allow test_t inaddr_any_node_t:tcp_socket node_bind;
allow test_t inaddr_any_node_t:udp_socket node_bind;
Instead of allowing "any_node" I would like to limit this to specific
hosts and/or networks.
Does anyone know the syntax for this?
fedora-selinux-list mailing list
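The labeling approach the reply describes, as an added example that is not part of the thread: SECMARK rules mark packets from allowed sources, and a small policy module lets test_t receive only that label (the node_bind rules from the question still bind the socket; this restricts which peers' packets reach it). Port 8080, the sample networks and the two packet type names are assumptions; test_t is the domain from the original question, and, as the reply notes, the source address is the only thing these rules trust.

```shell
#!/bin/sh
# Added example (not from the thread): SECMARK rules that label packets from
# allowed sources, plus the policy fragment that lets test_t receive only
# those. Assumed: port 8080, the sample networks, and the two packet type
# names; test_t is the domain from the original post.
IPT="${IPT:-iptables}"                      # IPT=echo prints instead of applying
PORT="${PORT:-8080}"
ALLOWED="${ALLOWED:-192.0.2.0/24 198.51.100.7}"   # constructed sample sources

secmark_rules() {
    # Reapply a saved label to the rest of an existing connection.
    "$IPT" -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
    "$IPT" -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
    # New connections from allowed sources get the permitted label.
    for src in $ALLOWED; do
        "$IPT" -t mangle -A INPUT -s "$src" -p tcp --dport "$PORT" -m state --state NEW \
            -j SECMARK --selctx system_u:object_r:test_allowed_packet_t:s0
    done
    # Everything else to the port gets a label test_t is never allowed to
    # receive. This catch-all matters: once any SECMARK rule exists, unmatched
    # packets are unlabeled_t, which most policies let every domain receive.
    "$IPT" -t mangle -A INPUT -p tcp --dport "$PORT" -m state --state NEW \
        -j SECMARK --selctx system_u:object_r:test_denied_packet_t:s0
    "$IPT" -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save
}

policy_te() {
    cat <<'EOF'
policy_module(test_packets, 1.0)
gen_require(`
    type test_t;
    attribute packet_type;
')

# Labels set by the SECMARK rules; packet_type is refpolicy's attribute for them.
type test_allowed_packet_t, packet_type;
type test_denied_packet_t, packet_type;
# Only the allowed label may reach test_t; no rule exists for the denied one.
allow test_t test_allowed_packet_t:packet { send recv };
EOF
}

# Run as root with "apply" to load the rules and write the module source;
# build it with: make -f /usr/share/selinux/devel/Makefile test_packets.pp
if [ "${1:-}" = apply ]; then
    secmark_rules
    policy_te > test_packets.te
fi
```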