Firewall rules using SELinux context (Was Re: RFE: FireKit)
sgrubb at redhat.com
Fri Jul 24 20:44:52 UTC 2009
On Friday 24 July 2009 03:47:51 pm Casey Dahlin wrote:
> A couple of mentions of SELinux have cropped up in the FireKit thread,
> which got me thinking about the Firewall and SELinux and ways in which they
> are similar. I had the following thought:
> SELinux already has a lot of policy information from which we might like to
> determine whether ports should be open to a particular program.
Just because selinux has policy doesn't mean the app is installed.
> The simplest mechanism I can see for doing that is to allow SELinux context
> to be referenced in the firewall rules. This prevents either system from
> having to be grotesquely modified.
> An example rule might look like this:
> -A INPUT -Z apache_t -j ACCEPT
> Here we tell the firewall to allow incoming traffic that will be
> intercepted in userspace by a process in the apache_t context.
I don't like this. Its not tying to any port. For example, suppose there is a
vulnerability in cups and apache is not running, the cups app could start
listening on other ports and the rule would allow connections.
> This does break in at least one way from traditional SELinux policy:
> something external to SELinux is interpreting the meaning of the context.
The kernel should always decide. Since this is a security mechanism that would
be part of our Common Criteria work it would have to play by the rules. If its
doing security enforcement, it will need to log AVCs.
I would recommend leaving IPTables as is. Its working great at what its
designed to do.
More information about the devel