Is there a way I could specify the context of 'default' traffic not already matched in my secmarks file, in a similar fashion to how the policy file operates in Shorewall with regard to whether it allows or disallows traffic?
The reason is simple - due to current (and in my view very big) shortcomings in the default SELinux policy, once 'default' traffic (i.e. traffic not owned by a particular SELinux context) is allowed it cannot be disallowed in any way, shape or form! Most of the modules which make up the SELinux policy allow 'unlabelled' traffic (that is, traffic which does not have any security context attached to it) or traffic to/from 'unlabelled' nodes or interfaces (for those interested there is more on this here - http://lists.fedoraproject.org/pipermail/selinux/2010-September/013044.html). The only way I see in which I could stop that is to attach a 'dummy' security context (say 'system_u:object_r_not_labelled_t:s0') to traffic which is not defined/captured by the secmarks file - in a similar fashion to how the policy file works in Shorewall. Is that doable?
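As an added illustration (not Shorewall's code, and not an answer to whether the secmarks file itself can express this), the iptables-level shape of what the post asks for: specific SECMARK rules first, then a catch-all SECMARK for anything still unlabelled, with CONNSECMARK carrying the label across the connection. The specs and both context strings are constructed placeholders; a SECMARK rule is rejected at load time unless the type exists in the loaded policy, so the 'dummy' type would have to be defined there. The script only prints an iptables-restore fragment and never touches the running firewall.

```shell
#!/bin/sh
# Constructed specs: one "proto dport context" triple per line.
# (Placeholder contexts; they must exist in the loaded SELinux policy.)
SPECS='tcp 22 system_u:object_r:ssh_server_packet_t:s0
tcp 80 system_u:object_r:http_server_packet_t:s0'

# Placeholder 'dummy' context for traffic no specific rule matched.
DEFAULT_CTX='system_u:object_r:example_unmatched_packet_t:s0'

# Emit the mangle-table rules for one chain, in evaluation order:
#  1. restore the saved label on packets of known connections,
#  2. label NEW connections that match a spec,
#  3. label every remaining NEW connection with the default context,
#  4. save the packet label onto the connection for later packets.
gen_chain_rules() {
    chain=$1
    printf -- '-A %s -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore\n' "$chain"
    printf '%s\n' "$SPECS" | while read -r proto dport ctx; do
        [ -n "$proto" ] || continue
        printf -- '-A %s -m state --state NEW -p %s --dport %s -j SECMARK --selctx %s\n' \
            "$chain" "$proto" "$dport" "$ctx"
    done
    # Catch-all: whatever is still unlabelled gets the 'dummy' default context.
    printf -- '-A %s -m state --state NEW -j SECMARK --selctx %s\n' "$chain" "$DEFAULT_CTX"
    printf -- '-A %s -m state --state NEW -j CONNSECMARK --save\n' "$chain"
}

# Complete iptables-restore fragment for the mangle table (INPUT and OUTPUT).
gen_secmark_fragment() {
    echo '*mangle'
    gen_chain_rules INPUT
    gen_chain_rules OUTPUT
    echo 'COMMIT'
}

gen_secmark_fragment
```

The fragment is printed, not loaded; review it against the local policy's packet types before feeding it to iptables-restore.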
