On October 23, 2013 10:28 , Konstantin Ryabitsev
I want to do it the other way around. Let's say I have a shared
hosting site where every client's application is running inside its
own SELinux domain (e.g. httpd_myapp_script_t). I would like to be
able to only allow httpd_myapp_script_t to connect to 192.168.1.1 port
443, but not any other IP address. This is actually quite common -- an
application may need to make a REST call to some site, but it really
has no business talking to any other hosts on the net.
I am doing this. My solution is bad because it uses a kernel module
that uses private SELinux data structures (and hence is both fragile and
unsupported), and because it goes against the SELinux goal of having all
security policy in a single place (some security policy winds up in the
iptables rules). I am very interested in any better solution that
SELinux experts can suggest.
My solution is to load the following iptables module:
...and then use iptables rules like this:
# Restrict what things running under php-fpm can access. We're using a
# local policy named phpfcgi here because Red Hat's policies include an
# alias of httpd_t for phpfpm_t, and if we use that then these rules would
# prevent httpd from communicating with clients.
-A OUTPUT -m selinux --task-ctx system_u:system_r:phpfcgi_t:s0 -j PHPFPM
-A PHPFPM -o lo -j ACCEPT
-A PHPFPM -4 -m set --match-set webapp-allow dst -j ACCEPT
-A PHPFPM -6 --destination ::1 -j ACCEPT
-A PHPFPM -j LOG --log-prefix "iptables rejected output: " --log-level 5
-A PHPFPM -j REJECT
Although I'm using a hash:net ipset in the example above, you could use
a hash:ip,port ipset instead to restrict traffic to certain destination
ports. Alternatively, just write the permitted addresses and ports
direclty into iptables rules.
I hope this helps.