On 08/29/2010 08:38 PM, Mr Dash Four wrote:
>> example:
>> corenet_tcp_sendrecv_lo_if(myapp_t)
>> corenet_tcp_connect_mysqld_port(myapp_t)
>> It means myapp_t can only tcp sendrecv on netif_lo_t. And it can connect to mysqld tcp ports.
>> so:
>> It can only connect to mysqld tcp ports using the lo interface because that's the only interface it can tcp sendrecv on.
> Yeah, but as part of the same policy I also need to bind to and send/receive tcp packets on the tun0 interface (as I posted before - I need 2 active interfaces)! Where does that go if I have to use the bind statement?
So you would additionally add:
corenet_tcp_sendrecv_tun0_if(myapp_t)
corenet_tcp_bind_mysqld_port(myapp_t)
That would allow myapp_t to also tcp sendrecv on the tun0 network interface, and it would allow myapp_t to bind tcp sockets to mysqld ports.
But I think I see where this is going:
Because now myapp_t can also connect to mysqld ports via the tun0 network interface. Something you probably wanted to prevent.
Additionally now myapp_t can also listen on the lo network interface. Also something you probably wanted to prevent.
I am not sure how to best deal with this problem.
> Not to mention that if I need to, say, connect and send/receive packets on the https port on tun0 as part of the same policy - and therefore need to add another 'corenet_tcp_connect_https_port' statement - where would this go and which interface would this be 'enabled' on?
> Your example above is fine if I only need one interface to connect to and send/receive packets. That is not the case here!
Good question that I cannot answer.
> What do you mean? I thought this is a part of the policy as statements from this file are used by a lot of policy modules, or are you saying this transforms to something else?
I mean the corenetwork module works a bit differently than the common modules, in that it uses a template to generate interfaces for declared port types automatically. That's what it uses the file you were looking at for. It's not a normal interface file and it should not be used manually. There's a script in refpolicy that does it for you.
All you need to do is declare network object types and build the policy, then the script will generate the interfaces for you, unlike most other modules.
> Is there a way I could see the 'expanded' version of this as this would be the key for me to use these statements in my policy file - just in case I run out of alternatives?
Get refpolicy and build it. It will generate a corenetwork.if file.
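The rules discussed in this thread, collected into one refpolicy module so the interface/port cross product is visible in one place. This is an added example, not policy posted by either participant; it assumes a daemon domain myapp_t with entry point myapp_exec_t, that stock refpolicy declares lo but not tun0 (so a network_interface() declaration has to be added to corenetwork.te.in before the build generates the *_tun0_if interfaces), and that the usual node and socket permissions are also required.

```selinux
## Added to policy/modules/kernel/corenetwork.te.in before building refpolicy,
## so the build generates corenet_tcp_sendrecv_tun0_if() and the other tun0
## interfaces (assumption: stock refpolicy declares lo but not tun0):
# network_interface(tun0, tun0, s0 - mls_systemhigh)

policy_module(myapp, 1.0.0)

# Assumed domain and entry point; not named in the thread.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Socket creation on the domain itself; the corenet_* interfaces below only
# cover what packets, nodes and ports are checked against.
allow myapp_t self:tcp_socket create_stream_socket_perms;

# Netif checks: which interfaces myapp_t may send/receive TCP on.
corenet_tcp_sendrecv_lo_if(myapp_t)
corenet_tcp_sendrecv_tun0_if(myapp_t)

# Node checks: needed alongside the netif rules for any traffic, plus
# node_bind for the listening socket.
corenet_tcp_sendrecv_generic_node(myapp_t)
corenet_tcp_bind_generic_node(myapp_t)

# Port checks: connect to mysqld (client side) and bind to mysqld (server side).
corenet_tcp_connect_mysqld_port(myapp_t)
corenet_tcp_bind_mysqld_port(myapp_t)

# What this module cannot express: netif, node and port are independent
# checks, so every permitted netif combines with every permitted port:
#   connect mysqld_port_t : via lo  (wanted)   via tun0 (not wanted)
#   bind    mysqld_port_t : on  tun0 (wanted)  on  lo   (not wanted)
# Tying a port rule to a single interface needs a control outside type
# enforcement on the domain, e.g. the daemon's own listen address or
# per-packet labelling (SECMARK) rules.
```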