
Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)



On Fri, Jul 24, 2009 at 14:49:08 -0700,
  Roland McGrath <roland redhat com> wrote:
> SECMARK.  I sure didn't.  I think I might now, sort of.  The SELinux policy
> just says contexts, and it doesn't say anything about the port numbers.

If you really just want to use local ports, that is available in SELinux
policy. I don't know if it only applies to listen, but there are port
restrictions for some apps. The SECMARK stuff is supposed to allow
you to have more complicated (maybe stateful) rules for labelling packets.
Besides that there is also a way to have labels in the packets themselves
so that you can use labelling across a network. I don't know if Fedora
supports any of that, but at least some of the needed infrastructure
is already in the upstream kernel.
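As an added example (not part of this thread), a small shell helper that makes the two mechanisms mentioned above concrete: looking up which SELinux port type covers a given port in a `semanage port -l` style listing, and emitting the iptables SECMARK/CONNSECMARK rules that label a service's packets so the policy's packet checks apply. The listing is constructed sample data and the packet type `http_server_packet_t` is an assumption about the loaded policy, not something taken from the thread.

```shell
#!/bin/sh
# Added example: helpers for SELinux port types and SECMARK packet labelling.
# Assumes iptables with the SECMARK/CONNSECMARK targets and a policy that
# defines the packet type passed to secmark_rules.

# Constructed sample in the format of `semanage port -l` (not from a real host).
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
postgresql_port_t              tcp      5432
vnc_port_t                     tcp      5900-5999'

# port_type PORT PROTO LISTING -> prints the port type covering PORT (handles
# ranges like 5900-5999). A domain may only bind or connect such a port if
# policy grants name_bind / name_connect on that type.
port_type() {
    printf '%s\n' "$3" | awk -v port="$1" -v proto="$2" '
        $2 == proto {
            line = $0; sub(/^[^ ]+ +[^ ]+ +/, "", line)   # drop type and proto columns
            n = split(line, specs, ", *")
            for (i = 1; i <= n; i++) {
                if (split(specs[i], r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = hi = specs[i] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# secmark_rules PORT PACKET_TYPE -> prints iptables rules that label new inbound
# connections to PORT with PACKET_TYPE, store the label on the conntrack entry
# (CONNSECMARK --save) and reapply it to later packets (--restore), so the
# policy rule  allow <domain> PACKET_TYPE:packet { send recv };  is enforced.
secmark_rules() {
    ctx="system_u:object_r:$2:s0"
    printf 'iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore\n'
    printf 'iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore\n'
    printf 'iptables -t mangle -A INPUT  -p tcp --dport %s -m state --state NEW -j SECMARK --selctx %s\n' "$1" "$ctx"
    printf 'iptables -t mangle -A INPUT  -m state --state NEW -j CONNSECMARK --save\n'
}
```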

