Firewall rules using SELinux context (Was Re: RFE: FireKit)

Roland McGrath roland at redhat.com
Fri Jul 24 21:49:08 UTC 2009


So I think most of us in this discussion probably don't actually understand
SECMARK.  I sure didn't.  I think I might now, sort of.  The SELinux policy
just says contexts, and it doesn't say anything about the port numbers.
The point of SECMARK is that you write port-matching rules that are what
sets the context on those packets.  You have to write those rules by hand
(or somehow) or else there just aren't ever any packets anywhere that are
marked with the right context so they match the SELinux policy for what the
given daemon is allowed to see.

So I think what one really wants is just a better level of admin/packaging
coordination.  That is, you would really like to write in one place both
the SELinux policy and the port numbers (i.e. iptables matching rules) you
want to associate with contexts.  Then you want that to generate iptables
rules that both allow packets and mark them, and you want those sets of
rules to come along with the daemon's installation or something like that such
that it is easy to say "enable this daemon" and get correct iptables rules
configured on your system.

All that said, I probably still missed some major point about how SECMARK
actually works.  I have no idea.


Thanks,
Roland
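The "write it in one place, generate both the allow rules and the marking rules" idea from the message above, as an added example that is not code from the thread, from Fedora or from FireKit. A small spec lists each daemon's ports and the SELinux packet context its packets should carry; from that, one function prints the filter rules that allow the traffic and the mangle-table SECMARK/CONNSECMARK rules that label it, in load order. Everything is assumed for illustration: the spec format, the daemon names, and the refpolicy-style packet types httpd_packet_t and ssh_server_packet_t. The script only prints the iptables commands, it never loads them.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Fedora/FireKit.
# One place describes each daemon's ports and the SELinux packet context
# those packets should carry; from that we generate both the filter rules
# that allow the traffic and the mangle/SECMARK rules that label it.
# Rules are printed, not loaded, so this runs anywhere. The packet types
# (httpd_packet_t, ssh_server_packet_t) are refpolicy-style names assumed
# for illustration. On the policy side the daemon still needs something
# like
#   allow httpd_t httpd_packet_t:packet { send recv };
# (or the corenet_* interfaces that wrap it) for the labels to matter;
# without the iptables marking below, no packet ever carries that type.

# Constructed spec: daemon  protocol  port  SELinux packet context
SPEC='httpd tcp 80 system_u:object_r:httpd_packet_t:s0
httpd tcp 443 system_u:object_r:httpd_packet_t:s0
sshd tcp 22 system_u:object_r:ssh_server_packet_t:s0'

# Per-port rules: allow the new connection, then label its first packet.
# SECMARK is applied only to state NEW; CONNSECMARK --save (emitted once,
# below) copies that label onto the conntrack entry so every later packet
# of the connection, in both directions, gets it via --restore.
emit_port_rules() {
    # $1 = proto, $2 = port, $3 = packet context
    printf 'iptables -A INPUT -p %s --dport %s -m state --state NEW -j ACCEPT\n' "$1" "$2"
    printf 'iptables -t mangle -A INPUT -p %s --dport %s -m state --state NEW -j SECMARK --selctx %s\n' "$1" "$2" "$3"
}

# Full ruleset for one daemon, in the order the rules must be loaded:
#  1. restore the saved connection label onto packets of known connections
#  2. label the first packet arriving on each of the daemon's ports
#  3. save that label onto the connection
gen_ruleset() {
    # $1 = daemon name as it appears in SPEC
    printf 'iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore\n'
    printf 'iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore\n'
    printf '%s\n' "$SPEC" | while read -r d p port ctx; do
        if [ "$d" = "$1" ]; then
            emit_port_rules "$p" "$port" "$ctx"
        fi
    done
    printf 'iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save\n'
}

# Number of labelled service ports for a daemon (sanity check for packaging).
port_count() {
    gen_ruleset "$1" | grep -c -- '-j SECMARK'
}

# "enable httpd" becomes one call that yields a consistent rule set.
gen_ruleset httpd
```

A packaging hook could run `gen_ruleset <daemon>` at install time and pipe the result into the system's firewall loader; the point is that the port list lives next to the policy's packet type, so the two cannot drift apart.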



