Restrict httpd network connections to a specific network interface?
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 14 18:19:43 UTC 2011
On 03/13/2011 02:31 PM, Mark Montague wrote:
> On March 13, 2011 14:18, Dominick Grift <domg472 at gmail.com> wrote:
>>> No traffic is allowed through because httpd does not have
>>> permission for name_connect. And if I add a rule to permit this
>>> (equivalent to setting the httpd_can_network_connect boolean) then httpd
>>> can connect via ALL interfaces, not just via the loopback interface.
>> Yes, but can it also use the connection? I mean if it can name_connect
>> but not really use the connection because it can't egress, ingress or
>> whatever, then you may be able to achieve your goals also.
>
> Yes, my test script (running under httpd) is able to connect to a web
> server via all interfaces (including eth0) and retrieve data if I permit
> name_connect, regardless of whether I'm labeling the loopback interface,
> labeling packets on the interface, or not doing anything else at all.
> I'd like for httpd to be able to do this but only via the loopback
> interface, specifically excluding eth0 and all other interfaces.
>
> I'm still investigating the feasibility of permitting all system calls
> and all ports, but labeling ALL packets to and from httpd via all
> interfaces. This seems like it would be a fairly big change to the
> httpd targeted policy, though, so any other suggestions are very welcome.
>
> --
> Mark Montague
> mark at catseye.org
>
I think you would need to define a type for all domain types except the
apache types to use:

type genif_t;
allow { domain -httpd_t -httpd_sys_script_t } genif_t:netif { tcp_send tcp_recv egress ingress };

semanage interface -a -t genif_t eth0
semanage interface -a -t loopbackif_t lo

I do not know if you can use regular expressions for the specifications.
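The module sketched in the reply above, written out in full as an added example (this is not code from the thread or from any SELinux project): a loadable policy module in raw checkmodule syntax that declares genif_t and grants the netif permissions on it to every domain except the two apache domains, the semanage commands that label the interfaces, and a check of what the kernel will actually enforce. The module name genif, the public interface eth0 and the loopback netif type lo_netif_t (the refpolicy name) are assumptions; confirm the type names on your policy with "seinfo -t | grep netif" before installing.

```shell
#!/bin/sh
# Added example (not from the original thread): build and install the
# genif_t netif-labeling module and label the interfaces with it.
# Assumptions (hypothetical, adjust for your host): public interface
# eth0, loopback netif type lo_netif_t, module name genif.
set -u

PUBLIC_IF=${PUBLIC_IF:-eth0}
LO_TYPE=${LO_TYPE:-lo_netif_t}
MODULE=genif

# Policy module source in raw checkmodule syntax (no refpolicy m4 macros
# needed). Everything carrying the "domain" attribute except httpd_t and
# httpd_sys_script_t gets the netif permissions on genif_t, so the apache
# domains can only use whichever interface is NOT labeled genif_t.
genif_te() {
    cat <<EOF
module $MODULE 1.0;

require {
    attribute domain;
    type httpd_t;
    type httpd_sys_script_t;
    class netif { tcp_send tcp_recv ingress egress };
}

type genif_t;

allow { domain -httpd_t -httpd_sys_script_t } genif_t:netif { tcp_send tcp_recv ingress egress };
EOF
}

# The interface-labeling commands, printed so they can be reviewed;
# genif_apply pipes them into a shell.
genif_label_cmds() {
    printf 'semanage interface -a -t genif_t %s\n' "$PUBLIC_IF"
    printf 'semanage interface -a -t %s lo\n' "$LO_TYPE"
}

# List the domains the allow rule excludes, one per line: a sanity check
# that the rule carves out the apache domains and nothing else.
genif_excluded_domains() {
    genif_te | sed -n 's/^allow { domain \(.*\) } genif_t.*/\1/p' \
        | tr ' ' '\n' | sed -n 's/^-//p'
}

# Build, install and label. Needs root and the policy tools; each step is
# the real checkmodule / semodule_package / semodule / semanage call.
genif_apply() {
    tmp=$(mktemp -d) || return 1
    genif_te > "$tmp/$MODULE.te"
    checkmodule -M -m -o "$tmp/$MODULE.mod" "$tmp/$MODULE.te" || return 1
    semodule_package -o "$tmp/$MODULE.pp" -m "$tmp/$MODULE.mod" || return 1
    semodule -i "$tmp/$MODULE.pp" || return 1
    genif_label_cmds | sh -e || return 1
    rm -rf "$tmp"
}

# Show what the kernel enforces before trusting the result: with
# network_peer_controls=1 the netif checks are the ingress/egress pair,
# and they are only made while SECMARK or peer labeling (NetLabel or
# labeled IPsec) is active on the host.
genif_check() {
    for f in /sys/fs/selinux/policy_capabilities/network_peer_controls \
             /selinux/policy_capabilities/network_peer_controls; do
        [ -r "$f" ] && { printf 'network_peer_controls=%s\n' "$(cat "$f")"; break; }
    done
    semanage interface -l 2>/dev/null
    # netif denials for httpd, if any, show which permission was checked
    ausearch -m AVC -c httpd 2>/dev/null | grep 'tclass=netif' || true
}

case "${1:-}" in
    apply) genif_apply ;;
    check) genif_check ;;
    *)     genif_te; echo; genif_label_cmds ;;
esac
```

Run the script with no arguments to review the module and the labeling commands, "apply" as root to install them, and "check" afterwards. The tcp_send/tcp_recv permissions belong to the old compat_net path that kernels dropped in 2.6.30; on anything newer the only netif permissions consulted are ingress and egress, and only when SECMARK or peer labeling is enabled, which is why name_connect alone was unaffected by interface labels in the experiment above. Confirm the restriction with a real denial in the audit log rather than assuming the rule is being hit.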