Custom labeling network interfaces

Roberto Sassu myrobmail at gmail.com
Sat Sep 26 15:15:36 UTC 2009


Hi all

I want to create a set of rules that allow the administrator to decide the 
network interfaces on which daemons can listen. 

To do this I created a custom policy module that defines the type eth0_netif_t, 
which is bound to the eth0 interface.

type eth0_netif_t, netif_type;
typeattribute eth0_netif_t netif_type; 


ifdef(`enable_mls',`

gen_require(`type unlabeled_t;')
netifcon eth0 gen_context(system_u:object_r:eth0_netif_t,s0 - mls_systemhigh) gen_context(system_u:object_r:unlabeled_t,s0 - mls_systemhigh)

')

Next, I executed the following command:

semanage interface -a -t eth0_netif_t eth0

Then, without adding extra rules, I tried to start the sshd daemon on this 
interface and the operation was successful. I see with the apol utility that 
sshd is allowed to bind on the generic interface netif_t but not on 
eth0_netif_t.

How is it possible to explicitly grant the permission to listen on eth0 to 
each daemon that needs it?

Thanks in advance for replies.
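Added example, not part of the original post: one way to express a per-daemon grant for a custom interface type in a refpolicy-style loadable module. The module name eth0_netif and the interface name eth0_netif_tcp_sendrecv are hypothetical; sshd_t, netif_type and the netif class permissions are refpolicy's own, and the netifcon binding of eth0 to eth0_netif_t is left to semanage interface, as in the post.

```selinux
# Added example (not from the original post). The module name "eth0_netif"
# and the interface name "eth0_netif_tcp_sendrecv" are hypothetical; sshd_t,
# netif_type and the netif class permissions are refpolicy's own.

## --- eth0_netif.if ---

## <summary>Send and receive TCP packets on the eth0 interface.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`eth0_netif_tcp_sendrecv',`
	gen_require(`
		type eth0_netif_t;
	')

	# tcp_send / tcp_recv are the legacy netif permissions that
	# corenet_tcp_sendrecv_generic_if() grants on netif_t; this grants
	# the same pair on the eth0-specific type only.
	allow $1 eth0_netif_t:netif { tcp_send tcp_recv };
')

## --- eth0_netif.te ---

policy_module(eth0_netif, 1.0)

gen_require(`
	attribute netif_type;
	type sshd_t;
')

# Declared with the netif_type attribute, like refpolicy's own netif types.
# Note that every domain granted through corenet_*_all_if() already holds
# those permissions on all types carrying netif_type, this one included;
# the explicit grant below only matters for domains limited to netif_t.
type eth0_netif_t, netif_type;

# Bind eth0 to this type outside the module:
#   semanage interface -a -t eth0_netif_t eth0

# Explicit per-daemon grant; repeat for each daemon that needs eth0.
eth0_netif_tcp_sendrecv(sshd_t)
```

Build and load it with the refpolicy devel Makefile (an empty eth0_netif.fc beside the .te and .if, then make -f /usr/share/selinux/devel/Makefile eth0_netif.pp and semodule -i eth0_netif.pp), and confirm the grant with sesearch -A -s sshd_t -t eth0_netif_t -c netif. Two caveats: a domain that already has corenet_tcp_sendrecv_all_if() holds the same permissions on every netif_type type, so the explicit grant only constrains domains limited to the generic netif_t; and the netif class governs packet send and receive on the interface, while bind() itself is checked against the node type (tcp_socket node_bind) and the port type (name_bind).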




More information about the fedora-selinux-list mailing list