Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet

Stephen Gallagher sgallagh at redhat.com
Wed Dec 10 12:55:21 UTC 2014




On Tue, 2014-12-09 at 08:39 -0500, Daniel J Walsh wrote:
> You can do this with SELinux and confined users somewhat.
> 
> YOU basically could setup a user as xguest with no network access and
> then write
> policy to transition to certain domains that can use the internet.  No
> ability to prompt the user
> though.
> 
> This will get you most of the way you want to go, but somethings can be
> tricky.
> 
> Also lots of apps contact the network just by calling getpw* calls, if
> you have certain settings in nsswitch.


And by "certain settings" he means "default settings", because
nsswitch.conf defaults to using the 'dns' library for host lookup, which
means that any gethostby*() call will hit the network.

As for users and groups, most modern systems don't hit the network
directly anymore. The SSSD, Winbind and nss-pam-ldapd projects all
provide a separate, privileged daemon to perform the actual network
lookup, meaning that the application doesn't do it directly.

Now, if the system is using the old nss_ldap instead of nss-pam-ldapd,
that could be an issue, but I don't think we even ship that in Fedora
anymore.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20141210/79e5aad4/attachment.sig>


More information about the devel mailing list