I have a bit of a conundrum for the more knowledgeable on here: I
would like to define a block in the policy file (.te) - via a
tunable_policy statement perhaps - which is executed based on a
particular value set from outside. For example:
I would like to activate a block of the following statements:
network_node(XXX, s0 - mls_systemhigh, YYY, ZZZ)
corenet_tcp_sendrecv_XXX_if(my_t)
corenet_udp_sendrecv_XXX_if(my_t)
corenet_tcp_sendrecv_XXX_node(my_t)
corenet_tcp_bind_XXX_node(my_t)
corenet_udp_bind_XXX_node(my_t)
depending on a particular value being set for XXX, YYY and ZZZ (being
the actual interface name, its IP address and netmask) from the
outside - possibly via the SELinux tools. Is that possible?
The reason I am doing this is because I am writing a policy for a
couple of domains/processes and want to restrict their access down to
a particular node of a particular number of interfaces which will be
defined (i.e. the interface name, IP address and netmask) AFTER the
policy has been built, and once defined, the values may change. My
SELinux knowledge is not complete enough to figure out how to deal with
this. Any help is, as always, appreciated. Thanks.
I guess nobody knows or nobody's willing to help then.