Restrict httpd network connections to a specific network interface?

Daniel J Walsh dwalsh at redhat.com
Mon Mar 14 18:19:43 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/13/2011 02:31 PM, Mark Montague wrote:
>   On March 13, 2011 14:18 , Dominick Grift <domg472 at gmail.com>  wrote:
>>> No traffic is allowed through because httpd does not have
>>> permission for name_connect.  And if I add a rule to permit this
>>> (equivalent to setting the httpd_can_network_connect boolean) then httpd
>>> can connect via ALL interfaces, not just via the loopback interface.
>> Yes but can it also use the connection? I mean if it can name_connect
>> but not really use the connection because it cant egress, ingress or
>> whatever then you may be able to achieve your goals also.
> 
> Yes, my test script (running under httpd) is able to connect to a web 
> server via all interfaces (including eth0) and retrieve data if I permit 
> name_connect, regardless of whether I'm labeling the loopback interface, 
> labeling packets on the interface, or not doing anything else at all.  
> I'd like for httpd to be able to do this but only via the loopback 
> interface, specifically excluding eth0 and all other interfaces.
> 
> I'm still investigating the feasibility of permitting all system calls 
> and all ports, but labeling ALL packets to and from httpd via all 
> interfaces.  This seems like it would be a fairly big change to the 
> httpd targeted policy, though, so any other suggestions are very welcome.
> 
> --
>    Mark Montague
>    mark at catseye.org
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 


I think you would need to define a type for all domain types to use it,
except the apache types.


# interface type for everything except the loopback device
type genif_t;
# every domain except the apache domains may use it (set subtraction needs braces, not parentheses)
allow { domain -httpd_t -httpd_sys_script_t } genif_t : netif { tcp_send tcp_recv egress ingress };

semanage interface -a -t genif_t eth0
semanage interface -a -t loopbackif_t lo

I do not know if you can use regular expressions for the specifications.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1+XD8ACgkQrlYvE4MpobPXdgCgsdse1pW7Ay+ImTBQC6XKUh8K
w7QAoJ8ykbrIc/3lQ48drHnzgY8JXvSJ
=Vk18
-----END PGP SIGNATURE-----
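The suggestion above, carried through end to end as an added example (this is not code from the thread or from the Fedora policy): a loadable module that declares genif_t and grants it to every domain except the apache domains, the semanage call that moves eth0 onto it, and a sesearch check that httpd_t has no allow rule towards genif_t. It assumes refpolicy/Fedora names (the domain attribute, httpd_t, httpd_sys_script_t, and lo_netif_t as the loopback interface type), the selinux-policy-devel Makefile, policycoreutils and setools, and root. The module name genif and the helper function names are my own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Builds and loads a
# module that gives every domain except the apache domains access to a new
# interface type (genif_t), labels eth0 with it and checks the result.
# Assumptions: refpolicy/Fedora names (attribute domain, httpd_t,
# httpd_sys_script_t, lo_netif_t for lo), selinux-policy-devel, policycoreutils
# and setools installed, run as root. Invoke as "./genif.sh apply".

MODULE=genif

# Policy source. genif_t is declared WITHOUT any attribute on purpose:
# base-policy rules that grant netif access on an attribute would otherwise
# reach it, and closing that path for httpd_t is the whole point.
genif_te() {
    cat <<'EOF'
policy_module(genif, 1.0)

require {
        attribute domain;
        type httpd_t;
        type httpd_sys_script_t;
}

# Type for the non-loopback interfaces.
type genif_t;

# Every domain except the apache domains may use it. All send/recv
# permissions are listed because once eth0 is relabeled from the generic
# netif_t to genif_t, the existing netif_t rules no longer cover it.
allow { domain -httpd_t -httpd_sys_script_t } genif_t:netif { tcp_send tcp_recv udp_send udp_recv rawip_send rawip_recv ingress egress };
EOF
}

build_and_load() {
    workdir=$(mktemp -d)
    genif_te > "$workdir/$MODULE.te"
    # The devel Makefile expands policy_module()/require and packages the .pp;
    # semodule then loads it into the running policy.
    make -C "$workdir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$workdir/$MODULE.pp"
}

label_interfaces() {
    # eth0 moves from the generic netif_t to genif_t. netifcon entries name
    # interfaces literally (no wildcards), so each interface to move off
    # netif_t needs its own line. lo already carries lo_netif_t in refpolicy
    # and is left alone; the listing shows both.
    semanage interface -a -t genif_t eth0
    semanage interface -l
}

# Expected outcome: no allow rule pairs httpd_t with genif_t, while the
# loopback type is still reachable. Returns non-zero if either check fails.
verify() {
    if sesearch -A -s httpd_t -t genif_t -c netif | grep -q 'allow '; then
        echo "httpd_t still has an allow rule towards genif_t" >&2
        return 1
    fi
    sesearch -A -s httpd_t -t lo_netif_t -c netif | grep -q 'allow '
}

if [ "${1:-}" = "apply" ]; then
    build_and_load
    label_interfaces
    verify
fi
```

The verify step is the part worth keeping around: after any later policy update, re-running sesearch against genif_t shows whether a new attribute-based rule has quietly re-opened the interface to httpd_t.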


More information about the selinux mailing list