
11.3 Usage of Network Interface (netif) and IP address (node)

This statement controls which network interfaces (netif) and IP addresses (node) a domain may send packets to or receive packets from. In the default policy, it is allowed for all domains.
  1. Syntax
    1. allownet -protocol protocol -netif name of NIC permission;
      protocol: tcp, udp, raw or *, comma-separated.
      name of NIC: NIC name(s) such as lo, eth0, eth1, comma-separated.
      permission: send or recv, comma-separated.
    2. allownet -protocol protocol -node address permission;
      protocol: tcp, udp, raw or *, comma-separated.
      address: ipv4address/netmask or *, comma-separated. Example: 192.168.0.1/255.255.255.0. * means all addresses.
      permission: send or recv, comma-separated.
  2. Meaning
    1. Allows the domain to send or receive packets to/from the named NIC(s).
    2. Allows the domain to send or receive packets to/from the given IP address(es).
  3. Example

    {
    domain httpd_t;
    allownet -protocol tcp use;
    allownet -protocol tcp -port 80 server;
    allownet -netif eth0 send,recv;
    }
    --> httpd_t can use TCP sockets and act as a server on TCP port 80,
    and can send/receive packets to/from eth0.
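As an added example (not code from the original page or from the policy tool it documents), a small Python checker for the -netif/-node allownet syntax above: it parses a constructed policy fragment for httpd_t, validates the protocol, address and permission fields, and answers whether the domain may send or receive to/from a given IPv4 address under its -node rules. The policy text and the helper names are constructed for this example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample in the allownet -netif/-node syntax described above (not a real policy).
SAMPLE_POLICY = """
{
domain httpd_t;
allownet -protocol tcp use;
allownet -protocol tcp -netif eth0,lo send,recv;
allownet -protocol tcp,udp -node 192.168.0.1/255.255.255.0 recv;
allownet -protocol * -node * send;
}
"""

VALID_PROTOCOLS = {"tcp", "udp", "raw", "*"}
VALID_PERMISSIONS = {"send", "recv"}
NetRule = namedtuple("NetRule", "domain protocols kind targets permissions")

def parse_allownet(policy: str) -> list:
    """Parse -netif/-node allownet lines, validating protocol, address and permission fields."""
    rules, domain = [], None
    pattern = re.compile(r"allownet\s+-protocol\s+(\S+)\s+-(netif|node)\s+(\S+)\s+(\S+)$")
    for raw in policy.splitlines():
        line = raw.strip().rstrip(";")
        if line.startswith("domain "):
            domain = line.split(None, 1)[1]
            continue
        m = pattern.match(line)
        if not m:
            continue  # braces and other allownet forms (use, -port) are outside this section
        protos, kind, targets, perms = m.groups()
        protos, perms = set(protos.split(",")), set(perms.split(","))
        if not protos <= VALID_PROTOCOLS or not perms <= VALID_PERMISSIONS:
            raise ValueError(f"bad protocol or permission in: {raw.strip()}")
        # -node takes ipv4address/netmask or *; -netif takes NIC names (kept as strings)
        parsed = [ipaddress.IPv4Network(t, strict=False) if kind == "node" and t != "*" else t
                  for t in targets.split(",")]
        rules.append(NetRule(domain, protos, kind, parsed, perms))
    return rules

def node_allows(rules, domain, proto, perm, address) -> bool:
    """True if some -node rule of `domain` grants `perm` for `proto` to/from `address`."""
    ip = ipaddress.IPv4Address(address)
    for r in rules:
        if r.domain != domain or r.kind != "node" or perm not in r.permissions:
            continue
        if (proto in r.protocols or "*" in r.protocols) and any(t == "*" or ip in t for t in r.targets):
            return True
    return False
```

Run against SAMPLE_POLICY, the -protocol * -node * send rule grants outbound traffic to every address for every protocol, while inbound (recv) is limited to the 192.168.0.0/24 network; a policy review would want such wildcard -node rules called out.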
2006-07-05