iptables match based on source security context?
Mark Montague
mark at catseye.org
Fri Apr 15 16:38:29 UTC 2011
On April 15, 2011 12:16 , "Christoph A." <casmls at gmail.com> wrote:
> I'd like to redirect traffic (for transparent proxying) coming from a
> program running in a sandbox_net_t (or sandbox_web_t) sandbox, but as
> far as I've seen there is no possibility to match/mark packets based on
> there local security context origin.
iptables rules that match packets based on their security contexts is a
bad idea for several reasons. For a discussion of these reasons, a list
of alternative resources, examples, and a netfilter module that will do
what you're asking for if you decide to ignore the reasons why this is
bad and do it anyway, see https://github.com/markmont/xt_selinux
If at all possible, use the advice Dan already sent:
> I am not sure about proxying, but you can force all packets from the
> sandbox to go to a proxy server and block them if they tried to go direct.
--
Mark Montague
mark at catseye.org
More information about the selinux
mailing list