On 09/23/2010 09:22 AM, Mr Dash Four wrote:
> Is there a way I could specify the context of a 'default' traffic not
> already matched in my secmarks file in a similar fashion as to how the
> policy file operates in Shorewall with regards to whether it allows or
> disallows traffic?
>
> The reason is simple - due to current (and in my view very big)
> shortcomings in the default SELinux policy, once a 'default' traffic
> (i.e. traffic not owned by a particular SELinux context) is allowed it
> cannot be disallowed in any way, shape or form!
>
> Most of the modules which make up the SELinux policy allow 'unlabelled'
> traffic (that is, traffic which does not have any security context
> attached to it) or traffic to/from 'unlabelled' nodes or interfaces (for
> those interested there is more on this here -
> http://lists.fedoraproject.org/pipermail/selinux/2010-September/013044.html).
>
> The only way I see in which I could stop that is to attach a 'dummy'
> security context (say 'system_u:object_r_not_labelled_t:s0') to traffic
> which is not defined/captured by the secmarks file - in a similar
> fashion to how the policy file works in Shorewall.
>
> Is that doable?
That doesn't need Shorewall support -- just set that context first for NEW
connections, then override it for specific applications.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
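The ordering Tom describes, written out as an added secmarks example (not from this thread or the Shorewall project): a catch-all context is assigned to every NEW connection first, more specific lines for particular services then override it, and SAVE/RESTORE carry the final context over to the rest of the connection. The column layout follows shorewall-secmarks(5); the interface name eth0 and the placeholder type not_labelled_t are assumptions, and that type has to exist in the loaded SELinux policy before the rule will load.

```conf
#SECMARK                                    CHAIN:  SOURCE  DEST    PROTO   DEST    SOURCE  USER/
#                                           STATE                           PORT(S) PORT(S) GROUP
# Established/related packets: restore the context saved on the connection.
RESTORE                                     I:ER
RESTORE                                     O:ER
# Default first: every NEW connection gets the placeholder context
# (assumed type; it must be defined in the SELinux policy).
system_u:object_r:not_labelled_t:s0         I:N
system_u:object_r:not_labelled_t:s0         O:N
# Specific services come after the default and override it, because
# SECMARK is non-terminating and the last matching line wins.
system_u:object_r:ssh_server_packet_t:s0    I:N     eth0    -       tcp     22
system_u:object_r:ssh_client_packet_t:s0    O:N     -       -       tcp     -       22
system_u:object_r:http_server_packet_t:s0   I:N     eth0    -       tcp     80,443
# Finally, save the resulting packet context on the connection so the
# RESTORE lines above apply it to the remaining packets of the flow.
SAVE                                        I:N
SAVE                                        O:N
```

Anything not matched by a service line keeps the placeholder context, so the SELinux policy can be written to deny it explicitly instead of treating it as unlabelled traffic.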
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
