Other uses of policy enhancements
Throughout the book, we covered quite a few technological features of SELinux. By writing our own SELinux policies, we can take these features even further.
Creating customized SECMARK types
A use case for building our own policy is to create a custom SECMARK type and make sure that a particular domain is the only domain that is allowed to handle this communication.
The following SELinux rules create an invalid_packet_t type (to match packets that should not be sent out, for example, PostgreSQL communication that is directed to the Internet rather than the internal network) and an intranet_packet_t type (to match packets being sent to an intranet server):

    type invalid_packet_t;
    corenet_packet(invalid_packet_t)

    type intranet_packet_t;
    corenet_packet(intranet_packet_t)
With these rules loaded, we can now create SECMARK rules that label packets with invalid_packet_t and intranet_packet_t.
The next step is to allow certain domains to send and receive intranet_packet_t. For...
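The procedure above, carried through end to end as an added example (this is not the book's own code): a small reference-policy module that declares the two packet types, grants one domain the packet permissions on intranet_packet_t, and the iptables SECMARK/CONNSECMARK rules that attach those labels to traffic. The module name secmark_custom, the chosen domain postgresql_t, the PostgreSQL port 5432 and the intranet range 10.0.0.0/8 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the book. Declares the two SECMARK packet types
# from the text in a reference-policy module and prints the iptables rules
# that label packets with them. Assumptions: module name secmark_custom,
# allowed domain postgresql_t, PostgreSQL port 5432, intranet 10.0.0.0/8.

MODULE=secmark_custom
INTRANET=10.0.0.0/8
PGPORT=5432

# Write the policy source (.te) into the directory given as $1 and print its path.
write_secmark_module() {
    dir=$1
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0)

# Packets that must never leave the host (e.g. PostgreSQL traffic aimed at
# the Internet). No domain is granted send/recv on this type, so any packet
# carrying it is dropped by the packet checks.
type invalid_packet_t;
corenet_packet(invalid_packet_t)

# Packets destined for the intranet.
type intranet_packet_t;
corenet_packet(intranet_packet_t)

require {
    type postgresql_t;
}

# Only postgresql_t may handle intranet-bound packets; every other domain is
# denied by default (assumed domain, chosen for the example).
allow postgresql_t intranet_packet_t:packet { send recv };
EOF
    echo "$dir/$MODULE.te"
}

# Build with the reference-policy development Makefile (needed to expand the
# policy_module() and corenet_packet() macros) and load the resulting .pp.
# Requires root and the selinux-policy-devel (or equivalent) package.
build_and_load() {
    dir=$1
    make -C "$dir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$dir/$MODULE.pp"
}

# Print the mangle-table rules that assign the labels. CONNSECMARK copies a
# new connection's packet label onto the conntrack entry and restores it on
# later packets in both directions, so replies are checked with the same type
# instead of as unlabeled_t.
secmark_rules() {
    cat <<EOF
iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state NEW -p tcp --dport $PGPORT ! -d $INTRANET -j SECMARK --selctx system_u:object_r:invalid_packet_t:s0
iptables -t mangle -A OUTPUT -m state --state NEW -d $INTRANET -j SECMARK --selctx system_u:object_r:intranet_packet_t:s0
iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
EOF
}

# Usage on an SELinux host (as root):
#   d=$(mktemp -d); write_secmark_module "$d"; build_and_load "$d"; secmark_rules | sh
# Verify with: sesearch -A -s postgresql_t -c packet ; iptables -t mangle -L OUTPUT -v
```

Two things to keep in mind when trying this: as soon as a single SECMARK rule is present, the kernel applies the packet send/recv checks to all traffic, and packets that match no SECMARK rule are checked as unlabeled_t, so domains that should keep working need the corenet unlabeled-packet interfaces (or SECMARK rules of their own); and the ordering above matters, because the CONNSECMARK --restore rules must run before the SECMARK rules so that an established connection keeps the label assigned when it was new.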