On 01/12/2016 07:03 PM, Andrei Cristian Petcu wrote:
Thank you for your reply Lukas,
This seems like what I was looking for.
So without removing all the unconfined users and processes I cannot
restrict it. I see SELinux policies have only allow and not deny.
The policy logic is that what is *not* allowed is denied by default. But you can
use neverallow rules. This kind of rule never allows a specific rule, even if
you allow it somewhere in policy. You can try this. But I prefer
using confined users on your system.
I wanted something like "deny all domains access to port X except for
domain Y". From what I understand this is impossible, I need to check
all the other processes' domains and make them more restrictive.
Andrei
On 01/05/2016 07:00 PM, Lukas Vrabec wrote:
> On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
>> On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
>> Hi Andrei!
>>> Hello,
>>>
>>> Not sure if this is the best place for n00b questions but here we go:
>>>
>>> How can I restrict a port to only a process?
>> Yes,
>> You could label a specific port (like: network_port(foo, tcp,2345,s0) )[1]
>> and create an SELinux policy for your daemon (with label foo_t).
>> In this policy you'll add the allow rule to listen just on the port
>> specified by you (like: corenet_tcp_bind_foo_port(foo_t) ).
>> Now, process foo_t can listen on the port labeled as foo_port_t, which is
>> what you want.
>>> Let's say I have FOO process that wants to listen to port 2345 and no
>>> other process on the machine to listen to it. Is it possible? The way I
>>> see it is that unconfined processes would still have access to that
>>> port, right?
>> You can use confined users and disable the unconfined SELinux module to
>> avoid unconfined processes on your system[2].
>>> My actual problem is that I want to make a mutual TLS connection between
>>> 2 unsecured apps that I am not a developer of. The apps (client/server)
>>> use a TCP based protocol that is not text based or related to HTTP. So I
>>> start a TLS tunnel with stunnel that listens on 2345 on localhost and
>>> forwards it to remote_machine port 2345. I want to be certain that no other
>>> process can connect to localhost:2345 except my FOO process.
>>>
>>> foo_process ---> localhost:2345 ===> remote_machine:2345
>>>
>>> ---> is insecure and I want to restrict
>>> ===> is mutual TLS over the network
>>>
>>> Is this possible? Is this a good solution?
>>>
>>> Thank you,
>>> Andrei Petcu
>>>
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux(a)lists.fedoraproject.org
>>>
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>>>
>> [1]
>>
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy...
>>
>>
>> [2]
>>
https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Adm...
>>
>>
>> Regards,
>> Lukas.
>>
>> --
>> Lukas Vrabec
>> SELinux Solutions
>> Red Hat, Inc.
>>
>>
>>
>
> Another way, without recompiling the distro policy package, is the following:
> In your policy for your daemon you define foo_port_t like:
>
> policy_module(foo, 1.0.0)
> ...
> ...
>
> type foo_t;
>
> type foo_port_t;
> corenet_port(foo_port_t)
>
> allow foo_t foo_port_t:tcp_socket name_bind;
>
>
> This creates a label for the port you need to specify.
> Then, using the semanage tool, add the port type and number to the port label like:
> # semanage port -a -t foo_port_t -p tcp 2345
>
> Lukas.
>
Regards,
Lukas.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
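Putting Lukas's steps together as one script (an added example, not code from the thread): it writes the module he sketched, builds it with the Fedora policy devel Makefile, loads it, and maps port 2345 to foo_port_t with semanage. The domain foo_t, entrypoint type foo_exec_t, binary path /usr/local/bin/foo and the extra corenet interfaces are assumptions; name_connect is included because in Andrei's setup the foo process connects to the localhost port that stunnel listens on.

```shell
#!/bin/sh
# Added example: reserve TCP port 2345 for one SELinux domain.
# Assumptions: domain foo_t, entrypoint foo_exec_t, binary /usr/local/bin/foo,
# and the Fedora policy devel Makefile at /usr/share/selinux/devel/Makefile.
PORT=2345

# Type-enforcement source. No other domain gets a rule for foo_port_t, so
# under default-deny it cannot bind or connect to the port (unconfined
# domains excepted, as the thread notes).
gen_te() {
    cat <<'EOF'
policy_module(foo, 1.0.0)

type foo_t;
type foo_exec_t;
application_domain(foo_t, foo_exec_t)

# Dedicated port type; semanage maps the port number to it later.
type foo_port_t;
corenet_port(foo_port_t)

# Usual network plumbing a TCP client/server domain needs.
corenet_tcp_sendrecv_generic_if(foo_t)
corenet_tcp_sendrecv_generic_node(foo_t)
corenet_tcp_bind_generic_node(foo_t)

# name_bind: foo_t may listen on the port; name_connect: foo_t may connect
# to it (the stunnel-on-localhost case from the thread).
allow foo_t foo_port_t:tcp_socket { name_bind name_connect };
EOF
}

# File context so the binary runs as foo_t when executed.
gen_fc() {
    printf '%s\n' '/usr/local/bin/foo -- gen_context(system_u:object_r:foo_exec_t,s0)'
}

# Build, load and label. Needs root and the selinux-policy-devel package.
install_policy() {
    gen_te > foo.te && gen_fc > foo.fc
    make -f /usr/share/selinux/devel/Makefile foo.pp
    semodule -i foo.pp
    semanage port -a -t foo_port_t -p tcp "$PORT"
    restorecon -v /usr/local/bin/foo
    semanage port -l | grep foo_port_t   # check: the mapping must list tcp 2345
}

if [ "${FOO_INSTALL:-0}" = 1 ]; then
    install_policy
fi
```

Run with FOO_INSTALL=1 on the target host to actually build and load; without it the script only defines the generators, so the policy text can be inspected first with `gen_te`.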