Firewall rules using SELinux context (Was Re: RFE: FireKit)

Casey Dahlin cdahlin at redhat.com
Fri Jul 24 19:47:51 UTC 2009


A couple of mentions of SELinux have cropped up in the FireKit thread, which got me thinking about the Firewall and SELinux and ways in which they are similar. I had the following thought:

SELinux already has a lot of policy information from which we might like to determine whether ports should be open to a particular program. The simplest mechanism I can see for doing that is to allow SELinux context to be referenced in the firewall rules. This prevents either system from having to be grotesquely modified.

An example rule might look like this:

-A INPUT -Z apache_t -j ACCEPT

Here we tell the firewall to allow incoming traffic that will be intercepted in userspace by a process in the apache_t context.

This does break in at least one way from traditional SELinux policy: something external to SELinux is interpreting the meaning of the context. The firewall rules can change while the actual SELinux policy stays put. I don't know how serious a problem that is (if it is one).

Thoughts?

--CJD
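An added example, not part of the original message: the `-Z` match above is a proposal, so this sketch approximates its effect with ordinary port rules, finding which listening sockets belong to processes of a given SELinux type and emitting one ACCEPT rule per socket. The function names are hypothetical, and the sample lines are constructed on the assumed column layout of `ss -H -ltnpZ`.

```python
import re

# Constructed sample in the assumed layout of `ss -H -ltnpZ` (not captured from a host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1201,proc_ctx=system_u:system_r:apache_t:s0,fd=4))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("httpd",pid=1201,proc_ctx=system_u:system_r:apache_t:s0,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=877,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=3))
LISTEN 0 128 [::]:80 [::]:* users:(("httpd",pid=1201,proc_ctx=system_u:system_r:apache_t:s0,fd=5))
LISTEN 0 50 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,proc_ctx=system_u:system_r:mysqld_t:s0,fd=12))
"""

CTX_RE = re.compile(r"proc_ctx=([^,)\s]+)")


def listeners(ss_output):
    """Yield (address, port, selinux_type) for each listening socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        ctx = CTX_RE.search(line)
        if len(fields) < 5 or fields[0] != "LISTEN" or not ctx:
            continue
        # Local address is the 4th column; the port follows the last colon.
        address, _, port = fields[3].rpartition(":")
        parts = ctx.group(1).split(":")  # user:role:type:level
        if len(parts) < 3 or not port.isdigit():
            continue
        yield address, int(port), parts[2]


def rules_for_type(ss_output, selinux_type):
    """Return sorted ACCEPT rules for sockets held by processes of selinux_type."""
    rules = set()
    for address, port, ctx_type in listeners(ss_output):
        if ctx_type != selinux_type:
            continue
        if address == "*":                      # dual-stack wildcard socket
            tools = ["iptables", "ip6tables"]
        else:
            tools = ["ip6tables" if address.startswith("[") else "iptables"]
        wildcard = address in ("*", "0.0.0.0", "[::]")
        dest = "" if wildcard else f" -d {address.strip('[]')}"
        for tool in tools:
            rules.add(f"{tool} -A INPUT -p tcp{dest} --dport {port} -j ACCEPT")
    return sorted(rules)


if __name__ == "__main__":
    print("\n".join(rules_for_type(SAMPLE_SS, "apache_t")))
```

The output is a snapshot of the sockets listening when `ss` ran, so it has to be regenerated whenever a service in that context starts, stops or rebinds.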



