Hi, all:
Most of the selinux+iptables guides out there talk about using
iptables to label incoming packets, which would then be either allowed
or denied by the domain of the application.
I want to do it the other way around. Let's say I have a shared web
hosting site where every client's application is running inside its
own SELinux domain (e.g. httpd_myapp_script_t). I would like to be
able to only allow httpd_myapp_script_t to connect to 192.168.1.1 port
443, but not any other IP address. This is actually quite common -- an
application may need to make a REST call to some site, but it really
has no business talking to any other hosts on the net.
I can use standard approach to allow httpd_myapp_script_t to connect
to httpd_port_t, but this will allow it to talk to any host at all.
How would I write a policy that would label packets going out of
httpd_myapp_script_t (e.g. httpd_myapp_packet_t) and then use OUTPUT
rules to only allow such packets to go out to 192.168.1.1:443?
Has anyone done anything like that?
Best,
--
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec