Fedora 14, httpd is working correctly; however, the
httpd_can_network_connect boolean grants more access than I want. I'd
like httpd to be able to open connections on any port, but only via a
specific network interface (lo0) and no others (eth0, etc.), while still
accepting HTTP connections on all interfaces.
I've set up iptables to label all packets in and out of the loopback
interface:
iptables -t mangle -A INPUT -i lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
iptables -t mangle -A OUTPUT -o lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
and have permitted httpd to send and receive these:
allow httpd_t loopback_packet_t:packet { send recv };
allow httpd_sys_script_t loopback_packet_t:packet { send recv };
But the problem is that this does not permit httpd to connect:
type=AVC msg=audit(1299866424.466:17033): avc: denied { name_connect } for pid=28402 comm="test-script" dest=9000 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
Adding the following TE rule of course permits httpd to connect via any
interface (equivalent to turning on httpd_can_network_connect):
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
What am I missing? Any suggestions? I've searched the web but haven't
found anything. Thanks in advance for any help.
--
Mark Montague
mark(a)catseye.org
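Added example (not part of the post above, and not an answer to it): a small Python triage helper that parses AVC denial lines of the shape quoted in the post and separates socket-class checks (such as name_connect against a port type like http_port_t) from packet-class checks (send/recv against a SECMARK label like loopback_packet_t). That distinction is the one the post runs into: the denial it shows is decided on the tcp_socket class by the port's label, so a packet-label allow rule does not satisfy it. The field names (scontext, tcontext, tclass, comm, dest) are the standard ones in the quoted log; the second sample line is constructed here for contrast and is not from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples: the first is the AVC line quoted in the post (re-joined
# onto one line); the second is an invented packet-class denial used only to
# show the contrast between socket-level and SECMARK packet-level checks.
SAMPLE_SOCKET_AVC = (
    'type=AVC msg=audit(1299866424.466:17033): avc: denied { name_connect } '
    'for pid=28402 comm="test-script" dest=9000 '
    'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'
)
SAMPLE_PACKET_AVC = (
    'type=AVC msg=audit(1299866500.123:17040): avc: denied { send } '
    'for pid=28402 comm="test-script" '
    'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:loopback_packet_t:s0 tclass=packet'
)


@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    # Remaining key=value pairs from the record (pid, comm, dest, ...).
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        # user:role:type:level -> the type component is index 2
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def allow_rule(self) -> str:
        """Render the single TE rule that would satisfy this denial (the same
        text audit2allow prints). Shown for triage; whether to add it is a
        policy decision, not something the parser decides."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


# Header of an AVC record: timestamp, serial, permission set, then free key=value text.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} +for (?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="...") or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one AVC denial line; return None for anything that is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return AvcDenial(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        perms=m.group("perms").split(),
        scontext=fields.pop("scontext"),
        tcontext=fields.pop("tcontext"),
        tclass=fields.pop("tclass"),
        fields=fields,
    )


def check_kind(d: AvcDenial) -> str:
    """Classify which access decision produced the denial.

    'socket': a *_socket class check (e.g. name_connect) decided by the label
              of the port the domain connects to; SECMARK rules on interfaces
              play no part in it.
    'packet': a packet class check (send/recv) decided by the SECMARK label
              iptables attached to the packet.
    """
    if d.tclass == "packet":
        return "packet"
    if d.tclass.endswith("_socket"):
        return "socket"
    return "other"


def triage(lines: List[str]) -> List[dict]:
    """Run the parser over raw audit lines and summarise each denial found."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        out.append({
            "serial": d.serial,
            "kind": check_kind(d),
            "source": d.source_type,
            "target": d.target_type,
            "perms": d.perms,
            "rule": d.allow_rule(),
        })
    return out


if __name__ == "__main__":
    for entry in triage([SAMPLE_SOCKET_AVC, SAMPLE_PACKET_AVC, "unrelated log line"]):
        print(entry)
```

Feeding the post's own denial through `triage()` reports it as a `socket` kind check and renders exactly the `allow httpd_sys_script_t http_port_t:tcp_socket name_connect;` rule the post mentions, which makes it clear why the two packet-class allow rules on loopback_packet_t leave that denial in place.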