On 01/11/2012 07:54 AM, Michael Atighetchi wrote:
Hi,
I have a question about how to restrict network access via
SELinux. I generated a policy via sepolgen on Fedora 14, and there
are some network-specific rules and macros in it, for example:
corenet_tcp_bind_generic_node(CZtp_t)
corenet_tcp_connect_postgresql_port(CZtp_t)
corenet_tcp_connect_vnc_port(CZtp_t)
corenet_udp_bind_generic_node(CZtp_t)
allow CZtp_t self:tcp_socket { setopt read bind create accept write getattr connect shutdown getopt listen };
allow CZtp_t self:udp_socket { setopt read bind create ioctl write getattr connect getopt };
Here is what I would like to change:
1) Restrict privs so that the process can only bind to a specific
custom port, e.g., 2222 (controlled by my app).
2) Restrict privs so that the only processes on the local machine
allowed to connect to this port are in the same domain as the process
that created the listening socket (same policy as above).
Is this doable?
Creating a daemon that can only bind to port 2222 is very doable.
sepolgen will only set up a framework to write policy; it can not
handle all situations. (selinux-polgengui can handle this one, BTW.)
http://danwalsh.livejournal.com/10607.html
explains how to do this.
Preventing all other domains from connecting to port 2222 is much
more difficult. You might have to turn on seclabel to achieve this,
since there are many domains that are allowed to connect to all ports.
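A policy module that implements the first point and goes as far as plain TE rules allow on the second, added here as an illustration rather than policy from the thread or from the linked post; it reuses the CZtp_t domain from the question and assumes the refpolicy interface corenet_port(), the Fedora devel Makefile and the semanage port command are available, as they are on Fedora 14.

```selinux
# cztp.te: constructed example module, not policy from the thread.
# Assumes the sepolgen-generated CZtp_t / CZtp_exec_t types live here.
policy_module(cztp, 1.0.0)

########################################
# Declarations
type CZtp_t;
type CZtp_exec_t;
init_daemon_domain(CZtp_t, CZtp_exec_t)

# A dedicated port type. semanage rejects a type that lacks the
# port_type attribute, which corenet_port() supplies.
type cztp_port_t;
corenet_port(cztp_port_t)

########################################
# Local policy
allow CZtp_t self:tcp_socket { setopt read bind create accept write getattr connect shutdown getopt listen };

# bind() to a port number additionally needs name_bind on that port's
# type. Only cztp_port_t is granted, so binding 2222 works and any other
# port (e.g. 80, labeled http_port_t) is denied -- point 1 above.
corenet_tcp_bind_generic_node(CZtp_t)
allow CZtp_t cztp_port_t:tcp_socket name_bind;

# Point 2, as far as TE rules go: the only name_connect rule written for
# cztp_port_t is for CZtp_t itself. Domains that already hold
# corenet_tcp_connect_all_ports() (which covers every port_type, hence
# cztp_port_t too) are not stopped by this, which is the caveat above.
allow CZtp_t cztp_port_t:tcp_socket name_connect;

# Assumption: send/recv interfaces (corenet_tcp_sendrecv_generic_if and
# _node) are left out here; add them if the policy version requires them.

# Build, load and label the port (refpolicy devel Makefile, Fedora):
#   make -f /usr/share/selinux/devel/Makefile cztp.pp
#   semodule -i cztp.pp
#   semanage port -a -t cztp_port_t -p tcp 2222
# Verify with: semanage port -l | grep cztp_port_t
# A refused bind to another port appears as an AVC denial with
# tclass=tcp_socket and the name_bind permission.
```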