Restrict httpd network connections to a specific network interface?

Dominick Grift domg472 at gmail.com
Sun Mar 13 18:18:23 UTC 2011



On 03/13/2011 07:15 PM, Mark Montague wrote:
>   On March 11, 2011 13:38 , Dominick Grift <domg472 at gmail.com>  wrote:
>> On 03/11/2011 07:08 PM, Mark Montague wrote:
>>> Fedora 14, httpd is working correctly, however the
>>> httpd_can_network_connect boolean grants more access than I want.  I'd
>>> like httpd to be able to open connections on any port, but only via a
>>> specific network interface (lo0) and no others (eth0, etc.), while still
>>> accepting HTTP connections on all interfaces.
>>
>> So you could maybe declare one or more new network interface object types.
>>
>> label your network interfaces with the new types using semanage interface
>>
>> then use the tcp_send tcp_recv egress ingress permissions to achieve
>> what you want ( i am guessing you can use egress / ingress to allow
>> input /output)
> 
> Thanks for the reply, Dominick.  I added the following as a local module:
> 
> type loopbackif_t;
> allow httpd_t loopbackif_t : netif {tcp_send tcp_recv egress ingress };
> allow httpd_sys_script_t loopbackif_t : netif {tcp_send tcp_recv egress 
> ingress};
> 
> And then ran:
> 
> semanage interface -a -t loopbackif_t lo
> 
> Unfortunately, the result is the same as for labeling packets on the 
> interface:  No traffic is allowed through because httpd does not have 
> permission for name_connect.  And if I add a rule to permit this 
> (equivalent to setting the httpd_can_network_connect boolean) then httpd 
> can connect via ALL interfaces, not just via the loopback interface.

Yes, but can it also use the connection? I mean if it can name_connect
but not really use the connection because it can't egress, ingress or
whatever, then you may be able to achieve your goals also.

Not sure though.

> Does anyone have any other ideas or suggestions?  In the meantime, I'll 
> investigate whether it might be possible to change the targeted policy 
> for httpd to use only packet labels for controlling network traffic 
> instead of limiting system calls and ports.
> 
> --
>    Mark Montague
>    mark at catseye.org
> 
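The module Mark posted, written out as a complete loadable policy source with the build, load, labelling and verification steps around it. This is an added example, not code from either poster; it assumes a Fedora host with checkmodule, semodule_package, semodule, semanage and ausearch available, and the function names and the scratch directory are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): package the local netif module,
# label lo with the new type, then look for netif-class AVC denials.
# Assumed: Fedora host with the SELinux policy tools installed; the
# build/load/label functions need root.
set -e

# Emit the policy source. The allow rules are the ones posted in the
# thread, wrapped in the module header and require block a loadable
# module needs to compile.
gen_loopback_te() {
    cat <<'EOF'
module loopbackif 1.0;

require {
    type httpd_t;
    type httpd_sys_script_t;
    class netif { tcp_send tcp_recv egress ingress };
}

type loopbackif_t;
allow httpd_t loopbackif_t : netif { tcp_send tcp_recv egress ingress };
allow httpd_sys_script_t loopbackif_t : netif { tcp_send tcp_recv egress ingress };
EOF
}

# Compile and load the module (root). $1 is a scratch directory
# (assumed default: /tmp/loopbackif).
build_and_load_module() {
    dir=${1:-/tmp/loopbackif}
    mkdir -p "$dir"
    gen_loopback_te > "$dir/loopbackif.te"
    checkmodule -M -m -o "$dir/loopbackif.mod" "$dir/loopbackif.te"
    semodule_package -o "$dir/loopbackif.pp" -m "$dir/loopbackif.mod"
    semodule -i "$dir/loopbackif.pp"
}

# Label the loopback interface with the new type (root). If lo already
# carries a label in the local store, use "semanage interface -m" instead.
label_loopback_interface() {
    semanage interface -a -t loopbackif_t lo
}

# List netif-class denials for httpd from the audit log, which is where
# blocked traffic over other interfaces would show up once name_connect
# itself is permitted.
check_netif_denials() {
    ausearch -m avc -c httpd 2>/dev/null | grep 'tclass=netif' || true
}
```

Run check_netif_denials after exercising httpd so you can see whether the netif rules, rather than name_connect, are what stops traffic on eth0.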
