i would probably use s0 - mls_systemhigh if possible for compatibility with mls policy
Noted.
Also, as part of the policy I wish to enable/restrict the program to connect on mysqld port, but ONLY on the local (lo) interface and then listen/bind on a predefined port but on the tun0 interface. How do I do that? There are 2 relevant macros in corenetwork.te.m4 for this:
corenet_tcp_bind_voip_sandbox_port(voip_sandbox_t) corenet_tcp_connect_mysqld_port(voip_sandbox_t)
those are unrelated to netif related policy. Basically when you declare a netif type there are probably interface create that provide access to your network interface type. That is what governs whether your app can or cannot use it. If your app cannot use a network interface, then it cannot use it to connect to mysqld.
You've lost me here.
In my policy I would need to do the following: 1) allow access to lo:mysqld, BUT restrict access to tun0:mysqld; and 2) allow bind on tun0:voip_sandbox, BUT restrict access to lo:voip_sandbox if such attempts are made.
In other words, both lo and tun0 as interfaces should be allowed (and properly labelled) - I presume with network_interface(..) - as mentioned in my previous post (every other access to another interface, if exist, should be restricted), though different ports should be enabled for different network interfaces.
The point I made above is that corenet_tcp_bind_$1_port and corenet_tcp_connect_$1 do not allow me to specify on which interface I need this to be allowed!
If I am able to decipher this macro I will certainly be able to create a group of statements for the 2 different interfaces, but as it stands I seem to be able to define voip_sandbox port binding on ANY interface as well as connecting to mysqld port also on ANY interface, which is not what I want.
The $1_$2 is probably some hack to make it work. its just the single parameter $3 (domain)
Is there any way I could 'expand' these statements and see what this really is made of?
If I manage to 'decipher' these I may restrict the above statements to the proper net device type if there is no suitable other macro found, but as it stands I am a bit stuck!
Like i said above the rule has nothing to do with network interfaces. It governs access for specified domain to connect to tcp ports.
Which is not what I need really as I would like to specify/govern access for specific domain to connect/bind to tcp ports on specific interface!
Also you've taken the above interface block from the template file. This file is used to automatically generate interfaces for declared port types.
What do you mean? I thought this is a part of the policy as statements from this file are used by a lot of policy modules, or are you saying this transforms to something else?