Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...
|
Re: default deny for uncofined_t using targeted?: msg#00130
|
Subject: |
Re: default deny for uncofined_t using targeted? |
Stephen Smalley wrote:
On Thu, 2005-11-17 at 18:32 -0500, Steve Brueckner wrote:
Can anyone tell me if there is a way to use SELinux under the targeted
policy to enforce a default deny rule that prevents all processes from
accessing the network? That is to say, all types including unconfined_t may
not access eth0, with just a few excepted types that are allowed to network?
I'm trying to lock down a system from the inside without having to deal with
the strict policy.
SELinux denies anything that isn't explicitly allowed, so this is just a
matter of modifying the policy to not allow such network access in the
first place, e.g.
- remove the network-related rules from the
policy/macros/global_macros.te:unconfined_domain() macro,
- remove all uses of the network macros from the other .te files except
where you want to preserve such access, or remove the allow rules from
the network macros (policy/macros/network_macros.te) and then add them
back selectively to the desired domains.
Won't that kill all network access, including via localhost, rather than
just eth0 access?
Paul.
|
| |
