Restrict httpd network connections to a specific network interface?

Mark Montague mark at catseye.org
Fri Mar 11 18:08:33 UTC 2011


Fedora 14, httpd is working correctly; however, the 
httpd_can_network_connect boolean grants more access than I want.  I'd 
like httpd to be able to open connections on any port, but only via a 
specific network interface (lo0) and no others (eth0, etc.), while still 
accepting HTTP connections on all interfaces.

I've set up iptables to label all packets in and out of the loopback 
interface:

iptables -t mangle -A INPUT -i lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
iptables -t mangle -A OUTPUT -o lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0

and have permitted httpd to send and receive these:

allow httpd_t loopback_packet_t:packet { send recv };
allow httpd_sys_script_t loopback_packet_t:packet { send recv };

But the problem is that this does not permit httpd to connect:

type=AVC msg=audit(1299866424.466:17033): avc:  denied  { name_connect } for  pid=28402 comm="test-script" dest=9000 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

Adding the following TE rule of course permits httpd to connect via any 
interface (equivalent to turning on httpd_can_network_connect):

allow httpd_sys_script_t http_port_t:tcp_socket name_connect;

What am I missing?  Any suggestions?  I've searched the web but haven't 
found anything.  Thanks in advance for any help.

--
   Mark Montague
   mark at catseye.org
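Added example (editor's code, not part of Mark's post or of the SELinux reference policy): a small Python script that turns AVC denials such as the one quoted above into the TE allow rules they would need, re-joining records that a mail archive has wrapped across lines, and that reports which kernel check produced each denial. The log lines embedded in it are constructed for the example (the first is the denial from the post, put back on one line; the second is a made-up SECMARK packet denial for httpd_t); all function names are the editor's. The classification encodes a fact worth having next to the question: name_connect is a tcp_socket permission checked at connect() time against the type of the destination port number (http_port_t for port 9000 in the quoted denial), and that check is separate from the per-packet send/recv check that SECMARK labels feed, so allowing loopback_packet_t alone cannot satisfy it.

```python
import re

# Constructed sample input: the denial quoted in the post above, on one line,
# plus a made-up SECMARK packet denial (the poster's allow rules already cover it).
SAMPLE_AVC = (
    'type=AVC msg=audit(1299866424.466:17033): avc:  denied  { name_connect } '
    'for  pid=28402 comm="test-script" dest=9000 '
    'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'
)
SAMPLE_PACKET_AVC = (
    'type=AVC msg=audit(1299866424.470:17034): avc:  denied  { send } '
    'for  pid=28401 comm="httpd" saddr=127.0.0.1 src=80 daddr=127.0.0.1 '
    'dest=9000 netif=lo scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:loopback_packet_t:s0 tclass=packet'
)

# "avc:  denied  { perm1 perm2 } for  key=value ..." -> result, perms, key=value tail
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_wrapped(lines):
    """Re-join audit records that were wrapped across lines (e.g. by a mail archive).

    Every record starts with 'type='; any other non-empty line is a continuation.
    """
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith('type=') or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + ' ' + line
    return records


def parse_avc(line):
    """Extract result, permissions, source/target contexts and object class from one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record: %r' % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        'fields': fields,
    }


def type_of(context):
    """user:role:type[:level] -> type (the part a TE allow rule names)."""
    return context.split(':')[2]


def allow_rule(avc):
    """Render the minimal TE rule that would have granted this denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (type_of(avc['scontext']), type_of(avc['tcontext']),
                                   avc['tclass'], perm_str)


def which_check(avc):
    """Name the kernel check behind a denial, to show why packet rules do not cover name_connect."""
    if avc['tclass'] == 'packet':
        return 'per-packet SECMARK check (label set by iptables -j SECMARK)'
    if avc['tclass'] in ('tcp_socket', 'udp_socket') and 'name_connect' in avc['perms']:
        return 'port-type check at connect(): keyed on the destination port number, not on any interface or packet label'
    return 'other object-class check'


def rules_from_log(lines):
    """Wrapped audit text -> deduplicated list of (allow rule, check description)."""
    seen, out = set(), []
    for rec in join_wrapped(lines):
        if 'avc:' not in rec:
            continue
        avc = parse_avc(rec)
        rule = allow_rule(avc)
        if rule not in seen:
            seen.add(rule)
            out.append((rule, which_check(avc)))
    return out


if __name__ == '__main__':
    for rule, check in rules_from_log([SAMPLE_AVC, SAMPLE_PACKET_AVC]):
        print(rule, '   #', check)
```

Run it on a real audit.log and it emits one rule per distinct denial, much as audit2allow would, but with the check type alongside; the wrapped form of the denial from the post (four archive lines) yields exactly the rule Mark quoted, `allow httpd_sys_script_t http_port_t:tcp_socket name_connect;`.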


