netif labelling

Mr Dash Four mr.dash.four at googlemail.com
Sun Aug 29 18:38:20 UTC 2010


> example:
>
> corenet_tcp_sendrecv_lo_if(myapp_t)
> corenet_tcp_connect_mysqld_port(myapp_t)
>
> It means myapp_t can only tcp sendrecv on netif_lo_t.
> And it can connect to mysqld tcp ports.
>
> so:
>
> It can only connect to mysqld tcp ports using the lo interface because
> that's the only interface it can tcp sendrecv on.
>   
Yeah, but as part of the same policy I also need to bind to and 
send/receive tcp packets on the tun0 interface (as I posted before - I 
need 2 active interfaces)! Where does that go if I have to use the bind 
statement?

Not to mention that if I need to, say, connect and send/receive packets 
on the https port on tun0 as part of the same policy, and therefore 
need to add another 'corenet_tcp_connect_https_port' statement, where 
would this go and on which interface would it be 'enabled'?

Your example above is fine if I only need one interface to connect to 
and send/receive packets. That is not the case here!

>> What do you mean? I thought this is a part of the policy as statements
>> from this file are used by a lot of policy modules, or are you saying
>> this transforms to something else?
>
> I mean the corenetwork module works a bit differently than the common
> modules, in that it uses a template to generate interfaces for declared
> port types automatically. That's where it uses the file you were looking
> at. It's not a normal interface file and it should not be used
> manually. There's a script in refpolicy that does it for you.
>
> All you need to do is declare network object types and build the policy,
> then the script will generate the interfaces for you, unlike with most
> other modules.
>   
Is there a way I could see the 'expanded' version of this as this would 
be the key for me to use these statements in my policy file - just in 
case I run out of alternatives?
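The module below is an added example written for this page; it is not code from the poster, from the reply being quoted, or from refpolicy itself. It shows the two-interface case the thread is about (lo plus a tunnel interface, mysqld plus a 443 port) and, in comments, the raw rules those corenet_* calls expand to, which is the "expanded version" asked for above. Assumptions: the domain is myapp_t with an entry point myapp_exec_t; tun0 has no network_interface() declaration in the tree, so the kernel labels it with the generic netif_t and corenet_tcp_sendrecv_generic_if is the interface that covers it; refpolicy declares TCP 443 as http_port_t (there is no separate https port type), so the connect interface is corenet_tcp_connect_http_port rather than the _https_ name used in the message; the expansions in the comments are reconstructed from the corenetwork template and may differ in detail from the corenetwork.if generated in a given tree.

```m4
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

########################################
#
# Local policy
#

# Sockets the domain owns, and the node it may bind to (assumption: the
# generic node, i.e. any local address).
allow myapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myapp_t)
corenet_tcp_sendrecv_generic_node(myapp_t)

# Interfaces. Each *_if() call grants an independent netif permission, so
# two interfaces are allowed simply by listing both. lo is declared
# explicitly by refpolicy; an interface with no network_interface()
# declaration (tun0 here, by assumption) is labelled netif_t, which the
# generic_if interface covers.
corenet_tcp_sendrecv_lo_if(myapp_t)
corenet_tcp_sendrecv_generic_if(myapp_t)

# Ports. These are keyed on the port type, not on an interface: the
# name_connect to mysqld_port_t is usable over whichever interfaces the
# domain may also send/receive on. TCP 443 is http_port_t in refpolicy
# (assumption: no https_port_t in the tree), so the second call is the
# http one.
corenet_tcp_connect_mysqld_port(myapp_t)
corenet_tcp_connect_http_port(myapp_t)
corenet_tcp_sendrecv_mysqld_port(myapp_t)
corenet_tcp_sendrecv_http_port(myapp_t)

# Approximately what the eight corenet_* calls above expand to. The exact
# text is in the generated policy/modules/kernel/corenetwork.if of a
# refpolicy tree, and the fully expanded module is written to tmp/myapp.tmp
# when this file is built with the devel Makefile.
#
#   gen_require(`
#       type lo_netif_t, netif_t, node_t;
#       type mysqld_port_t, http_port_t;
#   ')
#   allow myapp_t node_t:tcp_socket node_bind;
#   allow myapp_t node_t:node { tcp_send tcp_recv };
#   allow myapp_t lo_netif_t:netif { tcp_send tcp_recv };
#   allow myapp_t netif_t:netif { tcp_send tcp_recv };
#   allow myapp_t mysqld_port_t:tcp_socket name_connect;
#   allow myapp_t http_port_t:tcp_socket name_connect;
#   allow myapp_t mysqld_port_t:tcp_socket { send_msg recv_msg };
#   allow myapp_t http_port_t:tcp_socket { send_msg recv_msg };
```

To see the expansion for a module built outside the refpolicy tree, run `make -f /usr/share/selinux/devel/Makefile myapp.pp` and read `tmp/myapp.tmp`, which is the m4 output that checkmodule is given; inside a refpolicy tree, `tmp/all_interfaces.conf` holds every interface after expansion and `policy/modules/kernel/corenetwork.if` is the file the script generates from corenetwork.if.in, corenetwork.if.m4 and the declarations in corenetwork.te.in. One caveat on the reasoning in the quoted reply: the per-interface restriction ("only over lo because that is the only netif it may tcp sendrecv on") relies on the kernel's legacy per-packet netif checks (compat_net). Kernels that dropped those checks (2.6.30 onward) no longer consult the netif tcp_send/tcp_recv rules at all, and the only remaining limit on outbound connections is the name_connect check on the port type; per-interface enforcement on such kernels requires SECMARK labelling via iptables together with the newer packet and netif ingress/egress permissions.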

