RE: using selinux to allow only certain hosts or networks
- From: "Clarkson, Mike R (US SSA)" <mike clarkson baesystems com>
- To: "Doug Sikora" <dsikora redhat com>
- Cc: fedora-selinux-list redhat com
- Subject: RE: using selinux to allow only certain hosts or networks
- Date: Thu, 11 Dec 2008 09:57:55 -0800
I've never done it but I think you can accomplish what you want by
setting up netfilter rules using iptables to label the incoming packets
from the specific hosts/networks that you wish to allow. Since IP
addresses can be spoofed, it won't be very secure unless you use IPsec.
Josh Brindle wrote a good article on secure networking with SELinux:
http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
> -----Original Message-----
> From: fedora-selinux-list-bounces redhat com [mailto:fedora-selinux-list-bounces redhat com] On Behalf Of Doug Sikora
> Sent: Tuesday, December 09, 2008 6:16 AM
> To: fedora-selinux-list redhat com
> Subject: using selinux to allow only certain hosts or networks
>
> The below rules came from audit2allow,
>
> allow test_t inaddr_any_node_t:tcp_socket node_bind;
> allow test_t inaddr_any_node_t:udp_socket node_bind;
>
> Instead of allowing "any_node" I would like to limit this to specific
> hosts and or networks.
>
> Does anyone know the syntax for this?
>
> Thanks
> Doug
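Added example, not part of the original message or of the linked article: a sketch of the packet-labeling approach the reply describes, using the netfilter SECMARK target. The packet type names, port and networks are constructed placeholders, and the script only prints the rules for review; source-address matching carries the spoofing caveat given in the reply.

```shell
#!/bin/sh
# Added example: print (never execute) SECMARK rules that label inbound TCP
# packets by source network. The type names below are hypothetical and must
# be declared as packet types in your own policy module.
ALLOWED_TYPE="test_allowed_packet_t"
OTHER_TYPE="test_other_packet_t"

# valid_cidr ADDR/PREFIX: succeed only for a well-formed IPv4 CIDR.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# secmark_rules PORT CIDR...: print iptables commands for the mangle table.
# SECMARK does not terminate rule traversal, so the default label is emitted
# first and a later source match overwrites it.
secmark_rules() {
    port=$1
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    shift
    [ $# -gt 0 ] || { echo "usage: secmark_rules PORT CIDR..." >&2; return 1; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    base="iptables -t mangle -A INPUT -p tcp --dport $port"
    echo "$base -j SECMARK --selctx system_u:object_r:$OTHER_TYPE:s0"
    for net in "$@"; do
        echo "$base -s $net -j SECMARK --selctx system_u:object_r:$ALLOWED_TYPE:s0"
    done
}

# policy_rules: the matching allow rule for the test_t domain from the
# question; packets carrying OTHER_TYPE get no rule and are denied.
policy_rules() {
    echo "allow test_t $ALLOWED_TYPE:packet { send recv };"
}

# Constructed sample: port 8080 and two allowed networks.
secmark_rules 8080 10.1.0.0/16 192.168.5.0/24
policy_rules
```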