On Thu, 2007-08-30 at 14:21 +0200, [EMAIL PROTECTED] wrote:
> Chris PeBenito <[EMAIL PROTECTED]> wrote:
> 
> > On Tue, 2007-08-28 at 16:50 +0200, [EMAIL PROTECTED] wrote:
> >> Chris PeBenito <[EMAIL PROTECTED]> wrote:
> >>
> >> > On Mon, 2007-08-27 at 15:25 +0200, [EMAIL PROTECTED] wrote:
> >> >> I have noticed that by default the saslauthd daemon is allowed to
> >> >> answer every node in the world, as the network rules are
> >> >> corenet_tcp_sendrecv_all_if(saslauthd_t)
> >> >> corenet_tcp_sendrecv_all_nodes(saslauthd_t).
> >> >>
> >> >> However, I want to optimize this in order to provide deeper
> >> >> control with
> >> > [...]
> >> >> corenet_tcp_sendrecv_lo_if(saslauthd_t)
> >> >> corenet_tcp_sendrecv_all_nodes(saslauthd_t)
> >> >
> >> >
> >> >> The compilation works well but I have a problem at the qmerge step:
> >> >> the lo_netif_t dependency cannot be resolved. Why is this, though
> >> >> internal modules (namely kernel/corenetwork.if) use these macros?
> >> >
> >> > lo_netif_t is not defined in the policy. You would have to declare it
> >> > in your local policy and then semanage to label the interface.
> >>
> >> In fact, that's what I tried but I am missing a point: what do you mean by
> >> 'label the interface'? I tried to find any lo interface but found nothing.
> >> The same for the other interfaces (ethX). I cannot find any netif_type
> >> labelled device on my system, so I think that I do not really
> >> understand this point.
> >
> > Label the interface means you're giving the device lo the type
> > lo_netif_t. By default all network interfaces are netif_t, so if you
> > don't explicitly label it, lo will also be netif_t.
> 
> Yes, but the problem was how to label the lo interface (sorry, my
> previous post was not really clear about that ...)
> 
> I do not have any /dev/lo device so I may have to use a netifcon statement.
> But when I try to compile the module (either with checkmodule or
> make), with for instance
> netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
> I get
> "netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
> checkmodule: error(s) encountered while parsing configuration"
> 
> Is it related to the fact that I don't have a net_contexts file
> (though all kernel options for SELinux have been used)?

Network interfaces don't have entries in /dev. netifcon statements are not
valid in modules. This is why you have to use the semanage support that I
mentioned above.

-- 
Chris PeBenito <[EMAIL PROTECTED]>
Developer, Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
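The two steps Chris describes (declare lo_netif_t in a local module, then label the loopback interface with semanage instead of a netifcon statement) put together as a script. This is an added example written for this page, not code from the thread or from the reference policy. It assumes a refpolicy-style base policy that exports the netif_type attribute, the saslauthd_t type and the netif class permissions tcp_send/tcp_recv; the module name local_lo_netif and the work directory are arbitrary; the -M flag to checkmodule is for an MLS/MCS-enabled policy and can be dropped on a policy without it. The build and labeling steps only run when the SELinux tools are present, so the script is safe to read through on a non-SELinux box.

```shell
#!/bin/sh
# Added example: declare a dedicated loopback interface type and label lo.
# Assumed names: local_lo_netif (module), lo_netif_t (the type that
# corenet_tcp_sendrecv_lo_if() refers to), saslauthd_t, netif_type.

MODULE_NAME=local_lo_netif

# Write the module in raw module language so that checkmodule can compile it
# without the refpolicy m4 macros. Deliberately no netifcon line: netifcon is
# rejected in modules; the interface label is stored via semanage instead.
write_lo_netif_module() {
    dir=$1
    cat > "$dir/$MODULE_NAME.te" <<'EOF'
module local_lo_netif 1.0;

require {
    attribute netif_type;
    type saslauthd_t;
    class netif { tcp_send tcp_recv };
}

# Dedicated type for the loopback interface (assumed name; lo_netif_t is
# what corenet_tcp_sendrecv_lo_if() expects to find)
type lo_netif_t, netif_type;

# Hand-expanded equivalent of corenet_tcp_sendrecv_lo_if(saslauthd_t):
# saslauthd may send/receive TCP only on the loopback interface, not on
# every interface labelled netif_t.
allow saslauthd_t lo_netif_t:netif { tcp_send tcp_recv };
EOF
}

# Compile and install the module. Returns 1 (and does nothing) when the
# module toolchain is not installed, so the script can be dry-run anywhere.
install_lo_netif_module() {
    dir=$1
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "missing $tool; skipping module install" >&2
            return 1
        }
    done
    checkmodule -M -m -o "$dir/$MODULE_NAME.mod" "$dir/$MODULE_NAME.te" &&
    semodule_package -o "$dir/$MODULE_NAME.pp" -m "$dir/$MODULE_NAME.mod" &&
    semodule -i "$dir/$MODULE_NAME.pp"
}

# Label lo. semanage records a netifcon entry for lo in the policy store and
# reloads policy; no /dev/lo node and no netifcon in the module are needed.
label_lo_interface() {
    command -v semanage >/dev/null 2>&1 || {
        echo "missing semanage; skipping interface labeling" >&2
        return 1
    }
    semanage interface -a -t lo_netif_t lo
}

# Check: lo should now be listed with lo_netif_t; interfaces not listed here
# keep the default netif_t.
show_interface_labels() {
    semanage interface -l
}

workdir=${TMPDIR:-/tmp}/lo_netif.$$
mkdir -p "$workdir"
write_lo_netif_module "$workdir"
echo "wrote $workdir/$MODULE_NAME.te"
if install_lo_netif_module "$workdir" && label_lo_interface; then
    show_interface_labels
fi
```

The allow rule in the module only narrows saslauthd's reach if the corenet_tcp_sendrecv_all_if(saslauthd_t) rule is actually gone from the installed saslauthd module, as in the poster's rebuilt policy; if the all_if rule is still loaded, netif_t access remains and the new rule merely adds lo_netif_t. After labeling, the semanage interface -l listing is the place to confirm which interfaces carry a non-default type.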
