On Fri, 2009-07-24 at 15:47 -0400, Casey Dahlin wrote: > A couple of mentions of SELinux have cropped up in the FireKit thread, which > got me thinking about the Firewall and SELinux and ways in which they are > similar. I had the following thought: > > SELinux already has a lot of policy information from which we might like to > determine whether ports should be open to a particular program. The simplest > mechanism I can see for doing that is to allow SELinux context to be > referenced in the firewall rules. This prevents either system from having to > be grotesquely modified. > > An example rule might look like this: > > -A INPUT -Z apache_t -j ACCEPT > > Here we tell the firewall to allow incoming traffic that will be intercepted > in userspace by a process in the apache_t context. > > This does break in at least one way from traditional SELinux policy: > something external to SELinux is interpreting the meaning of the context. The > firewall rules can change while the actual SELinux policy stays put. I don't > know how serious a problem that is (if it is one). > > Thoughts?
SECMARK already allows you to label packets using iptables and then use SELinux policy to control sending or receiving them. http://paulmoore.livejournal.com/4281.html There are also the name_connect and name_bind controls that regulate the ability to connect or bind to specific ports via policy. -- Stephen Smalley National Security Agency -- fedora-devel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-devel-list
