-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/11/2011 07:08 PM, Mark Montague wrote:
> Fedora 14, httpd is working correctly, however the
> httpd_can_network_connect boolean grants more access than I want. I'd
> like httpd to be able to open connections on any port, but only via a
> specific network interface (lo0) and no others (eth0, etc.), while still
> accepting HTTP connections on all interfaces.
> I've set up iptables to label all packets in and out of the loopback
> interface:
> iptables -t mangle -A INPUT -i lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
> iptables -t mangle -A OUTPUT -o lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
> and have permitted httpd to send and receive these:
> allow httpd_t loopback_packet_t:packet { send recv };
> allow httpd_sys_script_t loopback_packet_t:packet { send recv };
> But the problem is that this does not permit httpd to connect:
> type=AVC msg=audit(1299866424.466:17033): avc: denied { name_connect } for pid=28402 comm="test-script" dest=9000 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
> Adding the following TE rule of course permits httpd to connect via any
> interface (equivalent to turning on httpd_can_network_connect):
> allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> What am I missing? Any suggestions? I've searched the web but haven't
> found anything. Thanks in advance for any help.
I do not have much experience with networking and dwalsh probably has a
better solution but consider the following:
you can label network interfaces (semanage interface ...) man semanage
the netif (network interface) object class takes the following
permissions (tcp example) ( tcp_send tcp_recv egress ingress )
domains by default can sendrecv ( tcp_send tcp_recv egress ingress )
(also udp) generic network interfaces (netif_t:netif)
So you could maybe declare one or more new network interface object types.
label your network interfaces with the new types using semanage interface
then use the tcp_send tcp_recv egress ingress permissions to achieve
what you want ( I am guessing you can use egress / ingress to allow
input / output)
Problem is that if you label your interfaces, no domain can use them
unless you allow it.
May or may not work...
for udp it's:
send: udp_send egress
receive: udp_recv ingress
I think you can use (example netif_lo_t):
network_interface(lo, lo, s0 - mls_systemhigh)
to declare a network interface type (the above example is for mls)
or maybe just:
type mynetworkinterface_t, netif_type;
... works just fine
Again, not sure if this will help you achieve what you want but it
should give you some more control. I guess it's worth a try.
> --
> Mark Montague
> mark(a)catseye.org
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAk16bDQACgkQMlxVo39jgT9OGgCfSpQkS2X8OGngWchz4jbQ+lWS
tgwAoLcbrY/1lAbQOFu2H2hR3M/c5Sqm
=BFfz
-----END PGP SIGNATURE-----
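As an added example (not code from either message in the thread, nor from the Fedora policy), the script below assembles the approach the reply describes into one policy module: declare a new netif type, allow httpd_t and httpd_sys_script_t the tcp_send/tcp_recv/egress/ingress permissions on that type only, keep the port-level name_connect rule the AVC asked for, and then relabel lo with semanage interface. The module name httpd_lo_only, the type name lo_only_netif_t and the use of the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile (selinux-policy-devel on Fedora) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Module and type names are assumed.
set -eu

MODULE=httpd_lo_only
NETIF_TYPE=lo_only_netif_t

# Emit the .te source. A fresh netif type (instead of the generic netif_t)
# is what makes the interface restriction bite: once lo carries this label,
# only domains explicitly allowed on the new type can use it.
loopback_policy_te() {
    cat <<EOF
policy_module(${MODULE}, 1.0.0)

require {
    type httpd_t;
    type httpd_sys_script_t;
    type http_port_t;
    attribute netif_type;
}

# New network interface type (assumed name); lo is relabeled to it below.
type ${NETIF_TYPE}, netif_type;

# Interface-level permissions named in the reply, granted on the new type
# only, so the generic netif_t interfaces (eth0, ...) stay off limits.
allow httpd_t ${NETIF_TYPE}:netif { tcp_send tcp_recv egress ingress };
allow httpd_sys_script_t ${NETIF_TYPE}:netif { tcp_send tcp_recv egress ingress };

# The port-level check from the AVC in the question is still required;
# the netif rules above, not this one, decide which interface is usable.
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
EOF
}

# Build with the refpolicy devel Makefile, load the module, then relabel lo.
# The relabel must come after the module is loaded so the type exists.
build_and_load() {
    loopback_policy_te > "${MODULE}.te"
    make -f /usr/share/selinux/devel/Makefile "${MODULE}.pp"
    semodule -i "${MODULE}.pp"
    semanage interface -a -t "${NETIF_TYPE}" lo
}

# Sanity check on the generated source: number of netif rules on the new type.
count_netif_rules() {
    loopback_policy_te | grep -c "${NETIF_TYPE}:netif"
}

# Only touch the running system when asked; otherwise just print the policy.
if [ "${1:-}" = "install" ]; then
    build_and_load
else
    loopback_policy_te
fi
```

Run it without arguments to review the generated .te, and with `install` to build, load and relabel. The relabel is the step the reply warns about: every other domain that reaches localhost only through netif_t loses that access at the same moment, so watch the audit log (ausearch -m AVC, audit2allow) after loading and add netif rules for any domain that legitimately needs lo.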