Re: using selinux to allow only certain hosts or networks
- From: Stephen Smalley <sds tycho nsa gov>
- To: Doug Sikora <dsikora redhat com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: using selinux to allow only certain hosts or networks
- Date: Thu, 11 Dec 2008 14:32:48 -0500
On Tue, 2008-12-09 at 09:15 -0500, Doug Sikora wrote:
> The below rules came from audit2allow,
>
> allow test_t inaddr_any_node_t:tcp_socket node_bind;
> allow test_t inaddr_any_node_t:udp_socket node_bind;
>
> Instead of allowing "any_node" I would like to limit this to specific hosts and or networks.
>
> Does anyone know the syntax for this?
Note that the check above is only dealing with binding to an address,
not sending/receiving packets. Is binding what you want to limit to
specific addresses?
If so, you need to define types for the addresses (via local policy
module) and map the addresses to those types (via semanage node).
--
Stephen Smalley
National Security Agency
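An added example of the two steps Stephen describes (not code from the thread, and not something the poster or the SELinux project published): a local policy module that declares a node type and allows test_t to node_bind only to that type, followed by the semanage node commands that map specific addresses to it. The module name test_node, the type test_node_t and the address list are hypothetical; corenet_node() is assumed to be the reference-policy interface for declaring node types, and the build step assumes the selinux-policy-devel Makefile is installed. The address mapping commands are printed rather than run unless RUN is set to empty.

```shell
#!/bin/sh
# Added example, not from the mailing-list post.  Names test_node,
# test_node_t and the address list below are hypothetical/constructed.
set -eu

DOMAIN=test_t            # the domain from the audit2allow output on the list
NODE_TYPE=test_node_t    # hypothetical node type for the permitted addresses
MODULE=test_node         # hypothetical local policy module name

# Emit the .te source for the local policy module: declare the node type
# and allow DOMAIN to bind (tcp and udp) only to addresses of that type.
gen_node_policy() {
    domain=$1 node_type=$2 module=$3
    cat <<EOF
policy_module($module, 1.0)

gen_require(\`
    type $domain;
')

# Addresses labelled $node_type are the only ones $domain may bind to.
# corenet_node() is the reference-policy interface that marks a node type.
type $node_type;
corenet_node($node_type)

allow $domain $node_type:tcp_socket node_bind;
allow $domain $node_type:udp_socket node_bind;
EOF
}

# Print the semanage node commands that map addresses to the node type.
# Input lines: ADDRESS NETMASK PROTOCOL (ipv4 or ipv6).
# Dry-run by default; run with RUN= (empty) as root to apply the mappings.
label_nodes() {
    node_type=$1
    while read -r addr mask proto; do
        ${RUN-echo} semanage node -a -t "$node_type" -p "$proto" -M "$mask" "$addr"
    done
}

# Build and load the module, then confirm the allow rules and the mappings.
# Requires root and selinux-policy-devel on the target host; not run here.
# sesearch -A is setools 4 syntax; older setools use sesearch --allow.
build_and_load() {
    gen_node_policy "$DOMAIN" "$NODE_TYPE" "$MODULE" > "$MODULE.te"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    sesearch -A -s "$DOMAIN" -t "$NODE_TYPE" -p node_bind
    semanage node -l
}

# Constructed sample: one host, one ipv4 network and one ipv6 network.
HOSTS='192.168.1.10 255.255.255.255 ipv4
10.0.0.0 255.255.255.0 ipv4
2001:db8:1:: ffff:ffff:ffff:ffff:: ipv6'

gen_node_policy "$DOMAIN" "$NODE_TYPE" "$MODULE"
printf '%s\n' "$HOSTS" | label_nodes "$NODE_TYPE"
```

Two practical points follow from the thread. First, the original denials were against inaddr_any_node_t, which is the label a bind to 0.0.0.0 (or ::) hits; a daemon that still binds the wildcard address will keep asking for inaddr_any_node_t:node_bind, so it has to be configured to bind the specific address for this module to mean anything. Second, as the reply says, node_bind only governs the local address the socket is bound to, so this module says nothing about which remote hosts may send to or receive from the service.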