Okay.

Sorry for not having seen the semanage tip ...

semanage interface -a -t lo_netif_t lo works perfectly.
(After having declared lo_netif_t with

type lo_netif_t;
typeattribute lo_netif_t netif_type;
)

Thanks.


Chris PeBenito <[EMAIL PROTECTED]> wrote:

On Thu, 2007-08-30 at 14:21 +0200, [EMAIL PROTECTED] wrote:
Chris PeBenito <[EMAIL PROTECTED]> wrote:

> On Tue, 2007-08-28 at 16:50 +0200, [EMAIL PROTECTED] wrote:
>> Chris PeBenito <[EMAIL PROTECTED]> wrote:
>>
>> > On Mon, 2007-08-27 at 15:25 +0200, [EMAIL PROTECTED] wrote:
>> >> I have noticed that by default the saslauthd daemon is allowed to
>> >> answer every node in the world, as the network rules are
>> >>       corenet_tcp_sendrecv_all_if(saslauthd_t)
>> >>       corenet_tcp_sendrecv_all_nodes(saslauthd_t).
>> >>
>> >> However, I want to optimize this in order to provide a deeper
>> control with
>> > [...]
>> >>          corenet_tcp_sendrecv_lo_if(saslauthd_t)
>> >>          corenet_tcp_sendrecv_all_nodes(saslauthd_t)
>> >
>> >
>> >> The compilation works well but I have a problem at the qmerge step:
>> >> the lo_netif_t dependency cannot be resolved. Why is this, though
>> >> internal modules (namely kernel/corenetwork.if) use these macros?
>> >
>> > lo_netif_t is not defined in the policy.  You would have to declare it
>> > in your local policy and then semanage to label the interface.
>>
>> In fact, that's what I tried but I am missing a point: what do you mean by
>> 'label the interface'?  I tried to find any lo interface but found nothing.
>> The same for other interfaces (ethX). I cannot find any netif_type
>> labelled device on my system, so I think that I do not really
>> understand this point.
>
> Label the interface means you're giving the device lo the type
> lo_netif_t.  By default all network interfaces are netif_t, so if you
> don't explicitly label it, lo will also be netif_t.
>
Yes, but the problem was how to label the lo interface (sorry, my
previous post was not really clear about that ...)

I do not have any /dev/lo device, so I may have to use the netifcon statement.
But when I try to compile the module (either with checkmodule or
make), with for instance
netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
I get
"netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
checkmodule:  error(s) encountered while parsing configuration"

Is it related to the fact that I don't have a net_contexts file
(though all kernel options for SELinux have been used)?

Network interfaces don't have entries in /dev.

netifcon statements are not valid in modules.  This is why you have to
use the semanage support that I mentioned above.

--
Chris PeBenito
<[EMAIL PROTECTED]>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243




--
[EMAIL PROTECTED] mailing list
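The procedure the thread converges on, as an added example rather than code from either poster: declare lo_netif_t in a local module (with the netif_type attribute pulled in through a require block), build and install it, then give the lo interface that type with semanage interface instead of a netifcon statement, which checkmodule rejects inside a module. The module name "localnetif", its version, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Declares lo_netif_t in a local
# SELinux module and labels the loopback interface via semanage, since netifcon
# is only accepted in the base policy. Assumed: module name "localnetif",
# version 1.0, a refpolicy-based system that defines the netif_type attribute.
set -eu

MODULE_NAME=localnetif

# Type-enforcement source for the local module. The netif_type attribute is
# declared by corenetwork, so it must be required here for checkmodule to
# resolve the typeattribute line.
local_module_te() {
    cat <<EOF
module ${MODULE_NAME} 1.0;

require {
    attribute netif_type;
}

# A netif type for lo, so rules such as corenet_tcp_sendrecv_lo_if() apply
# only to loopback traffic instead of to every interface.
type lo_netif_t;
typeattribute lo_netif_t netif_type;
EOF
}

# Guard against the mistake discussed in the thread: a netifcon statement in a
# module makes checkmodule fail while parsing. Reads the source on stdin and
# returns 1 if one is present.
reject_netifcon() {
    if grep -q '^[[:space:]]*netifcon[[:space:]]'; then
        echo "netifcon is not valid in a module; label lo with semanage interface" >&2
        return 1
    fi
    return 0
}

# Build, install and label. Needs root and the policycoreutils tools, so it
# only runs when the script is invoked with the "apply" argument.
apply_lo_label() {
    local_module_te > "${MODULE_NAME}.te"
    reject_netifcon < "${MODULE_NAME}.te"
    checkmodule -M -m -o "${MODULE_NAME}.mod" "${MODULE_NAME}.te"
    semodule_package -o "${MODULE_NAME}.pp" -m "${MODULE_NAME}.mod"
    semodule -i "${MODULE_NAME}.pp"
    # Give the device lo the type lo_netif_t; until now it carried netif_t.
    semanage interface -a -t lo_netif_t lo
    # Confirm the local customization is recorded.
    semanage interface -l | grep lo_netif_t
}

if [ "${1:-}" = "apply" ]; then
    apply_lo_label
fi
```

Running the script as `sh localnetif.sh apply` performs the whole sequence; without the argument it only defines the functions, which is useful for inspecting the generated .te with `local_module_te` before touching the live policy.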
