Firewall rules using SELinux context (Was Re: RFE: FireKit)

Simo Sorce ssorce at redhat.com
Fri Jul 24 21:44:03 UTC 2009


On Fri, 2009-07-24 at 16:21 -0500, Bruno Wolff III wrote:
> I thought the idea was to label packets based on source and destination
> (including ports) not application. Applications would get access to the
> packets based on their context and the context (labels) of the packets.
> I may have misunderstood though.

What's the value of labeling packets based on source/destination ports?
It doesn't seem to add any new information.

If I get a packet for port 8080 it's always going to whatever
application is listening on port 8080; unless you label the packet with an
application context, SELinux does not have any more information.

Now, if you allow applying application labels to packets, then you could
say that packets directed to 8080 are labeled squid_t and not apache_t,
and that would make quite a difference.

It would prevent a rogue apache that gets to listen on 8080 from getting any
packet, as they would be labeled squid_t, which is not apache_t.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
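The following is an added illustration of the argument in the message above; it is not code from the thread or from any SELinux policy. It models, in plain Python, what a SECMARK-style port-to-label rule plus a type-enforcement `packet:recv` check buys you: a packet to 8080 is labeled with a packet type that only `squid_t` is allowed to receive, so a process in `apache_t` that has bound 8080 is refused the packet even though it owns the socket. The domain names follow the message (`squid_t`, `apache_t`); the packet type names, the rule table, and the permissive handling of unlabeled packets are all constructed assumptions for the example, not real policy.

```python
# Added example (not from the mailing-list thread): a toy model of SECMARK-style
# packet labels checked by SELinux type enforcement on the "packet" class.
# All type names and rules below are constructed for illustration.
from dataclasses import dataclass

# SECMARK-style rules: packets to this TCP port get this packet type.
# On a real system netfilter applies the label (iptables SECMARK target);
# here it is just a lookup table.
PACKET_LABEL_RULES = {
    8080: "squid_server_packet_t",   # constructed: "8080 traffic belongs to squid"
    80:   "http_server_packet_t",    # constructed: "80 traffic belongs to apache"
}
UNLABELED = "unlabeled_t"

# Type-enforcement allow rules as (domain, packet type, permission).
# Only squid_t may receive squid-labeled packets; only apache_t may receive
# http-labeled packets. There is deliberately no rule letting apache_t
# receive squid_server_packet_t.
ALLOW_RULES = {
    ("squid_t",  "squid_server_packet_t", "recv"),
    ("apache_t", "http_server_packet_t",  "recv"),
}


@dataclass(frozen=True)
class Packet:
    dst_port: int
    label: str = UNLABELED


def label_packet(dst_port):
    """Apply the SECMARK-style rule table; unmatched packets stay unlabeled."""
    return Packet(dst_port, PACKET_LABEL_RULES.get(dst_port, UNLABELED))


def may_recv(domain, packet, allow_unlabeled=True):
    """Type-enforcement check for packet:recv.

    Unlabeled packets are allowed by default here, mimicking the usual
    permissive handling of unmarked traffic (an assumption of this model).
    """
    if packet.label == UNLABELED:
        return allow_unlabeled
    return (domain, packet.label, "recv") in ALLOW_RULES


def deliver(listeners, dst_port):
    """Label a packet for dst_port, hand it to whatever domain is bound there,
    and report the enforcement decision.

    listeners maps port -> SELinux domain of the process bound to that port.
    Returns (decision, packet label).
    """
    pkt = label_packet(dst_port)
    domain = listeners.get(dst_port)
    if domain is None:
        return ("no listener", pkt.label)
    decision = "allowed" if may_recv(domain, pkt) else "denied"
    return (f"{domain} {decision}", pkt.label)


if __name__ == "__main__":
    # Expected setup: squid is listening on 8080 and may receive its packets.
    print(deliver({8080: "squid_t"}, 8080))    # ('squid_t allowed', 'squid_server_packet_t')
    # Rogue setup: apache has grabbed 8080. The packet still carries the squid
    # packet type, so the recv is denied no matter who holds the socket.
    print(deliver({8080: "apache_t"}, 8080))   # ('apache_t denied', 'squid_server_packet_t')
    # A port with no labeling rule adds no information: whoever listens gets it.
    print(deliver({9000: "apache_t"}, 9000))   # ('apache_t allowed', 'unlabeled_t')
```

The third case is the point of the message: a label that carries only "this went to port N" is information the kernel already has, whereas a label that names the intended application domain lets policy decide independently of who managed to bind the port.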
