default deny for unconfined_t using targeted?

Paul Howarth paul at city-fan.org
Fri Nov 18 15:17:11 UTC 2005


Stephen Smalley wrote:
> On Thu, 2005-11-17 at 18:32 -0500, Steve Brueckner wrote:
> 
>>Can anyone tell me if there is a way to use SELinux under the targeted
>>policy to enforce a default deny rule that prevents all processes from
>>accessing the network?  That is to say, all types including unconfined_t may
>>not access eth0, with just a few excepted types that are allowed to network?
>>I'm trying to lock down a system from the inside without having to deal with
>>the strict policy.
> 
> 
> SELinux denies anything that isn't explicitly allowed, so this is just a
> matter of modifying the policy to not allow such network access in the
> first place, e.g.
> - remove the network-related rules from the
> policy/macros/global_macros.te:unconfined_domain() macro,
> - remove all uses of the network macros from the other .te files except
> where you want to preserve such access, or remove the allow rules from
> the network macros (policy/macros/network_macros.te) and then add them
> back selectively to the desired domains.

Won't that kill all network access, including via localhost, rather than 
just eth0 access?

Paul.
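An added illustration, not part of the thread above, of what the policy edits Stephen describes look like in the 2005-era macro-based example policy (the policy/macros/global_macros.te and policy/macros/network_macros.te layout the message refers to), and of where the eth0-versus-localhost distinction Paul asks about can be expressed. The domain names netd_t and localonly_t and the file policy/domains/program/netd.te are hypothetical; the netifcon lines reflect the per-interface labels (netif_eth0_t, netif_lo_t) that the example policy of that period defined in net_contexts. The exact body of unconfined_domain() differs between releases, so only the relevant line is shown.

```selinux
# Added example (not code from the thread). Macro-based example policy,
# pre-reference-policy layout. Names marked hypothetical are assumptions.

# 1. policy/macros/global_macros.te: stop unconfined_domain() from
#    granting network access implicitly. Dropping can_network($1) here is
#    the "remove the network-related rules from the macro" step; every
#    other rule in the macro is left as it was.
define(`unconfined_domain', `
# ... existing unconfined rules for files, processes, etc. stay ...
# can_network($1)     <- removed: no implicit socket/netif/node/port access
')

# 2. policy/net_contexts: each interface carries its own type. This is
#    what allows a rule to name eth0 separately from loopback.
#    (These lines already exist in the example policy; shown for reference.)
netifcon lo   system_u:object_r:netif_lo_t   system_u:object_r:netmsg_lo_t
netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:netmsg_eth0_t

# 3. policy/domains/program/netd.te (hypothetical): the one domain that
#    is allowed to talk on eth0. Socket-class permissions are not tied to
#    an interface; on their own they let the domain create and bind
#    sockets but carry no traffic through any interface.
type netd_t, domain;
allow netd_t self:tcp_socket create_stream_socket_perms;
allow netd_t self:udp_socket create_socket_perms;
allow netd_t port_type:tcp_socket name_bind;
# netif checks are per interface: only eth0 is granted here
allow netd_t netif_eth0_t:netif { tcp_send tcp_recv udp_send udp_recv };
allow netd_t node_type:node      { tcp_send tcp_recv udp_send udp_recv };

# 4. A domain that should keep localhost but lose eth0 (hypothetical):
#    same socket rules, but the netif grant names netif_lo_t only.
type localonly_t, domain;
allow localonly_t self:tcp_socket create_stream_socket_perms;
allow localonly_t netif_lo_t:netif { tcp_send tcp_recv };
allow localonly_t node_type:node    { tcp_send tcp_recv };
```

The split between step 3 and step 4 is the practical answer to "all network access versus just eth0": removing can_network() from unconfined_domain() and the other .te files removes the socket, port, netif and node rules together, so everything including loopback goes away; adding back only socket permissions plus a netif rule for netif_lo_t restores local traffic without eth0. One caveat for anyone reading this today: the netif tcp_send/tcp_recv style permissions and per-interface netifcon types belong to the network object model of that era; the kernel's network access controls were reworked later (the netif class moved to ingress/egress and a packet class was introduced), so a current reference policy expresses the same intent with different classes and interfaces.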
