default deny for uncofined_t using targeted?
Stephen Smalley
sds at tycho.nsa.gov
Fri Nov 18 15:17:41 UTC 2005
On Thu, 2005-11-17 at 18:32 -0500, Steve Brueckner wrote:
> Can anyone tell me if there is a way to use SELinux under the targeted
> policy to enforce a default deny rule that prevents all processes from
> accessing the network? That is to say, all types including unconfined_t may
> not access eth0, with just a few excepted types that are allowed to network?
> I'm trying to lock down a system from the inside without having to deal with
> the strict policy.
SELinux denies anything that isn't explicitly allowed, so this is just a
matter of modifying the policy to not allow such network access in the
first place, e.g.
- remove the network-related rules from the
policy/macros/global_macros.te:unconfined_domain() macro,
- remove all uses of the network macros from the other .te files except
where you want to preserve such access, or remove the allow rules from
the network macros (policy/macros/network_macros.te) and then add them
back selectively to the desired domains.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list