Firewall rules using SELinux context (Was Re: RFE: FireKit)
Simo Sorce
ssorce at redhat.com
Fri Jul 24 22:08:55 UTC 2009
On Fri, 2009-07-24 at 17:44 -0400, Simo Sorce wrote:
> On Fri, 2009-07-24 at 16:21 -0500, Bruno Wolff III wrote:
> > I thought the idea was to label packets based on source and
> > destination
> > (including ports) not application. Applications would get access to
> > the
> > packets based on their context and the context (labels) of the
> > packets.
> > I may have misunderstood though.
>
> What's the value of labeling packets based on source/destination ports ?
> Doesn't seem to add any new information.
>
> If I get a packet for port 8080 it's always going to whatever
> application is listen on port 8080, unless you label the packet with an
> application context SElinux does not have any more information.
>
> now if you allow to apply application labels to packets then you could
> say that packets directed to 8080 are labeled squid_t and not apache_t
> and that would make quite a difference.
>
> It would prevent a rogue apache that gets to listen to 8080 to get any
> packet as they would be labeled squid_t which is not apache_t.
Sorry Bruno,
after re-readying what you said I think we meant basically the same
thing.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the devel
mailing list