Adding local nodecons

Stephen Smalley sds at tycho.nsa.gov
Wed Jul 2 14:39:54 UTC 2008


On Wed, 2008-07-02 at 16:32 +0200, Christian Kuester wrote:
> Stephen Smalley schrieb:
> >> I'm using Fedora 8 and would like to put types on various nodes.
> >> What would be the best way to do it since semanage seems to support
> >> doing nodecons on specific nodes.
> >>     
> > I don't believe this is presently supported by semanage, although the
> > libsemanage infrastructure exists.
> >   
> I've seen an older discussion on the NSA-SELinux mailing list about that.
> The patch for semanage wasn't committed though.
> > However, I think what you likely want is to use secmark instead.
> > http://james-morris.livejournal.com/11010.htm
> Interesting article. Perhaps I could use this instead of nodecon but it
> seems much more complex than that. The only thing I want to accomplish is
> to have a way to restrict node_binds, so that specific programs can only
> open sockets on 127.0.0.1 (f.i.).

Ok - then you do want node contexts.

As I recall, the patch posted to selinux list circa 2006 for adding
semanage node context support didn't actually work correctly and no one
chased it down.  So if you want to revive it on selinux list and see if
we can hunt down the underlying issue, that might be worthwhile.

-- 
Stephen Smalley
National Security Agency
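As an added illustration of the node-context approach discussed above (this is not code from the thread, from semanage, or from the Fedora policy), the following base-policy fragment in kernel policy language labels 127.0.0.1 with its own node type and grants a single domain node_bind only on that type. The domain name myprog_t and the node type lo_node_t are assumed names for the example; node_type is the attribute Reference Policy declares for all node types, and the fragment assumes that attribute and the usual socket classes already exist in the policy it is appended to.

```selinux
# Added example, not from the thread. Assumed names: myprog_t (the program's
# domain) and lo_node_t (the loopback node type). Base-policy fragment in
# kernel policy language; assumes "attribute node_type;" is already declared.

# A dedicated node type for the loopback address.
type lo_node_t, node_type;

# Label 127.0.0.1 (host mask) with that type. Every address not matched by a
# nodecon keeps the default label node_t.
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0

# The program may create and bind TCP/UDP sockets, but node_bind is granted
# on lo_node_t only. node_bind on node_t is deliberately NOT granted, so a
# bind() to any other local address, including the wildcard 0.0.0.0 (which
# resolves to the default node_t), is denied and audited.
allow myprog_t self:tcp_socket { create bind listen accept read write };
allow myprog_t self:udp_socket { create bind read write };
allow myprog_t lo_node_t:tcp_socket node_bind;
allow myprog_t lo_node_t:udp_socket node_bind;
```

The port check is separate: binding a TCP or UDP port below 1024, or any port with its own type, still requires name_bind on that port type, and this fragment does not change those rules. After loading a policy built from it, `sesearch -A -s myprog_t -p node_bind` (setools) should list lo_node_t as the only node target for myprog_t; a binding attempt to a non-loopback address then shows up as an AVC denial with `tclass=tcp_socket` and `{ node_bind }` against node_t.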
