On Thu, 2007-08-30 at 14:21 +0200, [EMAIL PROTECTED] wrote:
> Chris PeBenito <[EMAIL PROTECTED]> wrote:
> 
> > On Tue, 2007-08-28 at 16:50 +0200, [EMAIL PROTECTED] wrote:
> >> Chris PeBenito <[EMAIL PROTECTED]> wrote:
> >>
> >> > On Mon, 2007-08-27 at 15:25 +0200, [EMAIL PROTECTED] wrote:
> >> >> I have noticed that by default the saslauthd daemon is allowed to
> >> >> answer to every node in the world, as the network rules are
> >> >>       corenet_tcp_sendrecv_all_if(saslauthd_t)
> >> >>       corenet_tcp_sendrecv_all_nodes(saslauthd_t).
> >> >>
> >> >> However, I want to optimize this in order to provide deeper control with
> >> > [...]
> >> >>          corenet_tcp_sendrecv_lo_if(saslauthd_t)
> >> >>          corenet_tcp_sendrecv_all_nodes(saslauthd_t)
> >> >
> >> >
> >> >> The compilation works well but I have a problem at the qmerge step:
> >> >> the lo_netif_t dependency cannot be resolved. Why is this, though
> >> >> internal modules (namely kernel/corenetwork.if) use these macros?
> >> >
> >> > lo_netif_t is not defined in the policy.  You would have to declare it
> >> > in your local policy and then semanage to label the interface.
> >>
> >> In fact, that's what I tried, but I am missing a point: what do you mean by
> >> 'label the interface'? I tried to find any lo interface but found nothing.
> >> The same for other interfaces (ethX). I cannot find any netif_type-labelled
> >> device on my system, so I think that I do not really understand this point.
> >
> > Label the interface means you're giving the device lo the type
> > lo_netif_t.  By default all network interfaces are netif_t, so if you
> > don't explicitly label it, lo will also be netif_t.
> >
> Yes, but the problem was how to label the lo interface (sorry, my
> previous post was not really clear about that ...)
> 
> I do not have any /dev/lo device, so I may have to use a netifcon statement.
> But when I try to compile the module (either with checkmodule or make),
> with for instance
> netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
> I get
> "netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
> checkmodule:  error(s) encountered while parsing configuration"
> 
> Is it related to the fact that I don't have a net_contexts file
> (though all kernel options for SELinux have been enabled)?

Network interfaces don't have entries in /dev.

netifcon statements are not valid in modules.  This is why you have to
use the semanage support that I mentioned above.

-- 
Chris PeBenito
<[EMAIL PROTECTED]>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

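The procedure Chris describes (declare the netif type in a local module, install it, then label the interface with semanage instead of a netifcon statement) as an added worked example; this is not code from the thread or from the reference policy. The module name local_lo_netif, the refpolicy Makefile path, the "install" argument that triggers the privileged steps, and the use of a raw allow rule instead of corenet_tcp_sendrecv_lo_if() are assumptions for illustration. The type is named lo_netif_t to match the corenet naming used in the thread (the netifcon in the quoted post used netif_lo_t).

```shell
#!/bin/sh
# Added example (not from the thread or refpolicy): declare lo_netif_t in a
# local policy module, confine saslauthd_t to TCP over the loopback interface,
# and label "lo" through semanage. Module name, Makefile path and the
# "install" trigger below are assumptions for illustration.
set -eu

MODULE=local_lo_netif   # assumed module name
# Assumed path of the refpolicy development Makefile; it differs per distro
# and policy type (e.g. /usr/share/selinux/devel/Makefile on Fedora).
REFPOL_MAKEFILE=${REFPOL_MAKEFILE:-/usr/share/selinux/strict/include/Makefile}

# Emit the module source. Kept in a function so it can be inspected
# without building or installing anything.
lo_netif_te() {
cat <<'EOF'
policy_module(local_lo_netif, 1.0)

# Pull in what this module uses from the base policy.
gen_require(`
	type saslauthd_t;
	attribute netif_type;
')

# lo_netif_t is not defined in the base policy (per the thread), so declare
# it here as a member of netif_type. If your base policy already defines it,
# drop this line and add "type lo_netif_t;" to the gen_require block instead.
type lo_netif_t, netif_type;

# Allow saslauthd TCP traffic over the loopback interface only. Written as a
# raw rule rather than corenet_tcp_sendrecv_lo_if(), so it does not depend
# on that interface existing in your corenetwork.if (assumption).
allow saslauthd_t lo_netif_t:netif { tcp_send tcp_recv };
EOF
}

# Build and install the module, then label the interface. netifcon is not
# valid in a module, so the labeling goes through semanage, which records
# it in the policy store and rebuilds the kernel policy with it.
install_lo_netif() {
    lo_netif_te > "$MODULE.te"
    make -f "$REFPOL_MAKEFILE" "$MODULE.pp"
    semodule -i "$MODULE.pp"
    # On an MLS/MCS policy add a range, e.g. -r s0-mls_systemhigh
    semanage interface -a -t lo_netif_t lo
}

# Confirm the type is in the loaded policy and the interface is labeled.
verify_lo_netif() {
    seinfo -t lo_netif_t
    semanage interface -l | grep '^lo[[:space:]]'
}

# Privileged steps only run when explicitly requested.
if [ "${1:-}" = install ]; then
    install_lo_netif
    verify_lo_netif
fi
```

Run it as `sh local_lo_netif.sh install` on the target host as root. The remaining corenet rules in saslauthd's own module (the all_if/all_nodes ones quoted at the top of the thread) still apply unless they are removed from the base policy, so this module narrows the loopback path only in combination with that change.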