Firewall rules using SELinux context (Was Re: RFE: FireKit)

Simo Sorce ssorce at redhat.com
Fri Jul 24 22:08:55 UTC 2009


On Fri, 2009-07-24 at 17:44 -0400, Simo Sorce wrote:
> On Fri, 2009-07-24 at 16:21 -0500, Bruno Wolff III wrote:
> > I thought the idea was to label packets based on source and
> > destination
> > (including ports) not application. Applications would get access to
> > the
> > packets based on their context and the context (labels) of the
> > packets.
> > I may have misunderstood though.
> 
> What's the value of labeling packets based on source/destination ports ?
> Doesn't seem to add any new information.
> 
> If I get a packet for port 8080 it's always going to whatever
> application is listen on port 8080, unless you label the packet with an
> application context SElinux does not have any more information.
> 
> now if you allow to apply application labels to packets then you could
> say that packets directed to 8080 are labeled squid_t and not apache_t
> and that would make quite a difference.
> 
> It would prevent a rogue apache that gets to listen to 8080 to get any
> packet as they would be labeled squid_t which is not apache_t.

Sorry Bruno,
after re-readying what you said I think we meant basically the same
thing.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York




More information about the devel mailing list