Firewall rules using SELinux context (Was Re: RFE: FireKit)

Bruno Wolff III bruno at wolff.to
Sat Jul 25 13:09:20 UTC 2009


On Fri, Jul 24, 2009 at 14:49:08 -0700,
  Roland McGrath <roland at redhat.com> wrote:
> SECMARK.  I sure didn't.  I think I might now, sort of.  The SELinux policy
> just says contexts, and it doesn't say anything about the port numbers.

If you really just want to use local ports, that is available in selinux
policy. I don't know if it only applies to listen, but there are port
restrictions for some apps. The SECMARK stuff is supposed to allow
you to have more complicated (maybe stateful) rules for labelling packets.
Besides that there is also a way to have labels in the packets themselves
so that you can use labelling across a network. I don't know if Fedora
supports any of that, but at least some of the needed infrastructure
is already in the upstream kernel.
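
Added example, not part of Bruno's message or of any Fedora component: a POSIX shell script that emits the iptables SECMARK/CONNSECMARK rules and the matching SELinux policy module used to label incoming SSH packets so that only the sshd domain may receive them. The type names sshd_t and ssh_server_packet_t are reference-policy names assumed to exist in the installed policy (check with seinfo -t), port 22 is an assumed listener, and secmark_lint is a hypothetical helper that flags the common mistake of setting a SECMARK without restoring the connection label on later packets.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes reference-policy
# type names sshd_t and ssh_server_packet_t; verify them on the target.

SSH_PKT='system_u:object_r:ssh_server_packet_t:s0'

# Emit mangle-table rules in iptables-restore format.
# CONNSECMARK --restore copies the label saved on the connection back onto
# every later packet of that flow, so only the first packet needs the port
# match. Without it, later packets are unlabeled_t and policy usually denies
# them.
secmark_rules() {
    cat <<EOF
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A INPUT -p tcp --dport 22 -m state --state NEW -j SECMARK --selctx $SSH_PKT
-A INPUT -m state --state NEW -j CONNSECMARK --save
COMMIT
EOF
}

# Emit the policy module (.te) that lets sshd_t handle labeled packets.
# The packet class carries send/recv permissions checked per packet label.
secmark_policy() {
    cat <<'EOF'
policy_module(local_secmark, 1.0)

require {
        type sshd_t;
        type ssh_server_packet_t;
}

# Let the SSH daemon send and receive packets carrying the SECMARK label.
allow sshd_t ssh_server_packet_t:packet { send recv };
EOF
}

# Hypothetical consistency check: read a ruleset on stdin and return 0 if it
# either sets no SECMARK at all, or sets one and also restores connection
# labels; return 1 if SECMARK is set but CONNSECMARK --restore is missing.
secmark_lint() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -q -- '-j SECMARK'; then
        if printf '%s\n' "$rules" | grep -q -- '-j CONNSECMARK --restore'; then
            return 0
        fi
        return 1
    fi
    return 0
}

# Stand-alone usage: print both artifacts for review.
secmark_rules
secmark_policy
```

To apply on a host, load the rules with `secmark_rules | iptables-restore`, and build and install the module with `secmark_policy > local_secmark.te`, `make -f /usr/share/selinux/devel/Makefile local_secmark.pp` and `semodule -i local_secmark.pp`. Any packet that arrives without a matching SECMARK rule is labeled unlabeled_t, so check AVC denials on the packet class in the audit log when testing.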
