[redhat-lspp] Networking policy patch
Venkat Yekkirala
vyekkirala at TrustedCS.com
Wed Oct 4 13:05:15 UTC 2006
> +# netmsg is now used for the unconditional (and redundant
> when a packet has
> +# already been flow-controlled via [CONN]SECMARK) check that
> happens in the
> +# SELinux post_route_last netfilter hook for ALL network traffic.
> +# The following would need packet.flow_out access to network_t:
> +# a. Any domains needing to access the network bypassing
> (CONN)SECMARK.
The following also applies to item 'a' here:
These domains will also need packet.flow_in access to network_t.
> +# b. Outbound domains specified in the (CONN)SECMARK rule
> contexts specified
> +# via iptables. This shouldn't actually be needed (just
> like a packet.flow_in access
> +# of these domains to network_t isn't needed), but is
> currently required due to the
> +# underlying kernel implementation constraints.
> +type network_t;
> +sid netmsg
> gen_context(system_u:object_r:network_t,s0 - s15:c0.c255)
> +
>
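Review bot: the comment for item a lists only packet.flow_out, while the interleaved reply notes these domains also need packet.flow_in access to network_t; suggest the comment read "a. Any domains needing to access the network bypassing (CONN)SECMARK need packet.flow_in and packet.flow_out to network_t" so the policy comment matches the access actually required. Item b says the flow_out access "shouldn't actually be needed" but is "currently required due to the underlying kernel implementation constraints"; naming that constraint (which check in the post_route_last hook forces it) would let a later maintainer tell when the access can be dropped.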