default deny for uncofined_t using targeted?

[Stephen Smalley]

On Fri, 2005-11-18 at 10:17 -0500, Stephen Smalley wrote:
> On Thu, 2005-11-17 at 18:32 -0500, Steve Brueckner wrote:
> > Can anyone tell me if there is a way to use SELinux under the targeted
> > policy to enforce a default deny rule that prevents all processes from
> > accessing the network?  That is to say, all types including unconfined_t may
> > not access eth0, with just a few excepted types that are allowed to network?
> > I'm trying to lock down a system from the inside without having to deal with
> > the strict policy.
> 
> SELinux denies anything that isn't explicitly allowed, so this is just a
> matter of modifying the policy to not allow such network access in the
> first place, e.g.
> - remove the network-related rules from the
> policy/macros/global_macros.te:unconfined_domain() macro,
> - remove all uses of the network macros from the other .te files except
> where you want to preserve such access, or remove the allow rules from
> the network macros (policy/macros/network_macros.te) and then add them
> back selectively to the desired domains.

BTW, the way to support this more dynamically (without having to adjust
policy sources) would be to first get a patch accepted that introduces a
policy boolean and wraps these network-related rules with a conditional
on that boolean, so that you can just do a setsebool -P allow_network=0
or similar to shut off network access in the base policy, and then add
back network access selectively as desired via your own new policy
files.

-- 
Stephen Smalley
National Security Agency