Thank you. That's what I understood from the documentation and I wanted to make sure I
got it right.
It is actually more logical this way, especially with tools like audit2allow.
Andrei
On January 12, 2016 11:36:38 PM GMT+02:00, Lukas Vrabec <lvrabec(a)redhat.com> wrote:
On 01/12/2016 09:29 PM, Lukas Vrabec wrote:
> On 01/12/2016 07:03 PM, Andrei Cristian Petcu wrote:
>> Thank you for your reply Lukas,
>> This seems like what I was looking for.
>>
>> So without removing all the unconfined users and processes I cannot
>> restrict it. I see SELinux policies have only allow and not deny.
>
>
> Policy logic is that what is *not* allowed is denied by default. But you
> can use neverallow rules. This kind of rule never allows a specific rule,
> even if you allow it somewhere in the policy. You can try this.
Sorry, after some discussion with plautrba, this will not work. Use
confined users instead.
> But I prefer using confined users on your system.
>
>
>> I wanted something like "deny all domains access to port X except for
>> domain Y". From what I understand this is impossible, I need to check
>> all the other processes' domains and make them more restrictive.
>>
>> Andrei
>>
>> On 01/05/2016 07:00 PM, Lukas Vrabec wrote:
>>> On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
>>>> On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
>>>> Hi Andrei!
>>>>> Hello,
>>>>>
>>>>> Not sure if this is the best place for n00b questions but here we go:
>>>>>
>>>>> How can I restrict a port to only a process?
>>>> Yes,
>>>> You could label a specific port (like: network_port(foo, tcp,2345,s0) )[1]
>>>> and create a SELinux policy for your daemon (with label foo_t).
>>>> In this policy you'll add the allow rule to listen just on the port
>>>> specified by you (like: corenet_tcp_bind_foo_port(foo_t) ).
>>>> Now, process foo_t can listen on the port labeled as foo_port_t. Which is
>>>> what you want.
>>>>> Let's say I have FOO process that wants to listen to port 2345 and no
>>>>> other process on the machine to listen to it. Is it possible? The
>>>>> way I see it is that unconfined processes would still have access to
>>>>> that port, right?
>>>> You can use confined users and disable the unconfined SELinux module
>>>> to avoid unconfined processes on your system[2].
>>>>> My actual problem is that I want to make a mutual TLS connection
>>>>> between 2 unsecured apps that I am not a developer of. The apps
>>>>> (client/server) use a TCP based protocol that is not text based or
>>>>> related to HTTP. So I start a TLS tunnel with stunnel that listens to
>>>>> 2345 on localhost and forwards it to remote_machine port 2345. I want
>>>>> to be certain that no other process can connect to localhost:2345
>>>>> except my FOO process.
>>>>>
>>>>> foo_process ---> localhost:2345 ===> remote_machine:2345
>>>>>
>>>>> ---> is insecure and I want to restrict
>>>>> ===> is mutual TLS over the network
>>>>>
>>>>> Is this possible? Is this a good solution?
>>>>>
>>>>> Thank you,
>>>>> Andrei Petcu
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> selinux mailing list
>>>>> selinux(a)lists.fedoraproject.org
>>>>> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>>>>>
>>>> [1] https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy...
>>>> [2] https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Adm...
>>>>
>>>> Regards,
>>>> Lukas.
>>>>
>>>> --
>>>> Lukas Vrabec
>>>> SELinux Solutions
>>>> Red Hat, Inc.
>>>>
>>>>
>>>>
>>>
>>> Another way without recompiling distro policy package is following:
>>> In your policy for your daemon you define foo_port_t like:
>>>
>>> policy_module(foo, 1.0.0)
>>> ...
>>> ...
>>>
>>> type foo_t;
>>>
>>> type foo_port_t;
>>> corenet_port(foo_port_t)
>>>
>>> allow foo_t foo_port_t:tcp_socket name_bind;
>>>
>>>
>>> This creates the label for the port you need to specify.
>>> Then using the semanage tool add the port type and number to the port
>>> label like:
>>> # semanage port -a -t foo_port_t -p tcp 2345
>>>
>>> Lukas.
>>>
>>
>>
>>
>>
>
> Regards,
> Lukas.
>
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
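As a worked version of the custom-port-type approach Lukas describes, applied to Andrei's stunnel setup (stunnel listens on 2345, FOO connects to it), here is an added refpolicy module that is not from the thread. It assumes the domains foo_t and stunnel_t already exist in the loaded policy and uses foo_port as the module name.

```sepolicy
policy_module(foo_port, 1.0.0)

# Assumed to exist already: foo_t (the client application's domain, from its
# own module) and stunnel_t (the stunnel domain from the distro policy).
gen_require(`
	type foo_t;
	type stunnel_t;
')

# A dedicated port type; corenet_port() gives it the port_type attribute so
# it can be mapped to a port number with semanage.
type foo_port_t;
corenet_port(foo_port_t)

# stunnel is the only domain allowed to listen on the port ...
allow stunnel_t foo_port_t:tcp_socket name_bind;

# ... and foo_t is the only domain allowed to connect to it. Every other
# confined domain is denied by default, because no rule names foo_port_t
# for it. Unconfined domains (unconfined_t etc.) are not restricted by this
# module; that is what confined users / removing the unconfined module buy.
allow foo_t foo_port_t:tcp_socket name_connect;

# Both domains still need their usual socket and node permissions from
# their own modules (e.g. corenet_tcp_bind_generic_node(stunnel_t)); only
# the per-port permission is added here.

# Build, install and label the port (selinux-policy-devel provides the Makefile):
#   make -f /usr/share/selinux/devel/Makefile foo_port.pp
#   semodule -i foo_port.pp
#   semanage port -a -t foo_port_t -p tcp 2345
#   semanage port -l | grep foo_port_t
# Verify exactly which domains may touch the port (sesearch, from setools):
#   sesearch -A -t foo_port_t -c tcp_socket
# A rejected connect from another confined domain appears in audit.log as
# "avc: denied { name_connect } ... tcontext=system_u:object_r:foo_port_t:s0
#  tclass=tcp_socket", which is what audit2allow would summarise.
```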