Restrict httpd network connections to a specific network interface?

Mark Montague mark at catseye.org
Sun Mar 13 18:15:02 UTC 2011


  On March 11, 2011 13:38, Dominick Grift <domg472 at gmail.com> wrote:
> On 03/11/2011 07:08 PM, Mark Montague wrote:
>> Fedora 14, httpd is working correctly, however the
>> httpd_can_network_connect boolean grants more access than I want.  I'd
>> like httpd to be able to open connections on any port, but only via a
>> specific network interface (lo0) and no others (eth0, etc.), while still
>> accepting HTTP connections on all interfaces.
>>
>
> So you could maybe declare one or more new network interface object types.
>
> label your network interfaces with the new types using semanage interface
>
> then use the tcp_send tcp_recv egress ingress permissions to achieve
> what you want (I am guessing you can use egress / ingress to allow
> input/output)

Thanks for the reply, Dominick.  I added the following as a local module:

# module header and require block assumed here so the fragment compiles
# as a standalone local module (checkmodule -M -m); the rules are as posted.
module httpd_loopback 1.0;
require { type httpd_t; type httpd_sys_script_t;
          class netif { tcp_send tcp_recv egress ingress }; }
type loopbackif_t;
allow httpd_t loopbackif_t : netif { tcp_send tcp_recv egress ingress };
allow httpd_sys_script_t loopbackif_t : netif { tcp_send tcp_recv egress ingress };

And then ran:

semanage interface -a -t loopbackif_t lo

Unfortunately, the result is the same as for labeling packets on the 
interface:  No traffic is allowed through because httpd does not have 
permission for name_connect.  And if I add a rule to permit this 
(equivalent to setting the httpd_can_network_connect boolean) then httpd 
can connect via ALL interfaces, not just via the loopback interface.

Does anyone have any other ideas or suggestions?  In the meantime, I'll 
investigate whether it might be possible to change the targeted policy 
for httpd to use only packet labels for controlling network traffic 
instead of limiting system calls and ports.

--
   Mark Montague
   mark at catseye.org
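As an added triage helper (not code from the thread), the script below parses AVC denial lines and reports which check blocked httpd: a name_connect denial is a tcp_socket check decided against the port's type with no interface involved, which is why allowing it cannot be scoped to lo, whereas a netif denial is the interface-scoped check the rules above target. The audit lines, the loopbackif_t label and the http_cache_port_t target are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed AVC lines in audit.log shape (not taken from the thread).
SAMPLE_AVC = """\
type=AVC msg=audit(1299870000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1299870001.456:457): avc:  denied  { tcp_send } for  pid=1234 comm="httpd" saddr=127.0.0.1 src=45678 daddr=127.0.0.1 dest=8080 netif=lo scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:loopbackif_t:s0 tclass=netif
type=AVC msg=audit(1299870002.789:458): avc:  granted  { tcp_send } for  pid=1234 comm="httpd" netif=lo scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:loopbackif_t:s0 tclass=netif
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
NETIF_RE = re.compile(r"\bnetif=(?P<netif>\S+)")

@dataclass
class Denial:
    source_type: str   # e.g. httpd_t
    target_type: str   # a port type (http_cache_port_t) or an interface type
    tclass: str        # tcp_socket, netif, ...
    perms: tuple
    netif: str         # interface name for netif checks, "" otherwise

    def allow_rule(self) -> str:
        # The allow rule that would silence this denial (what audit2allow would emit).
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"

    def scope(self) -> str:
        # name_connect is decided on the tcp_socket against the port's type and never
        # consults the interface, so allowing it opens every interface; netif checks
        # carry netif= and are decided against the interface's label.
        return "interface-scoped" if self.tclass == "netif" else "interface-agnostic"

def parse_denials(text: str) -> list:
    # One Denial per 'denied' AVC line; 'granted' lines are skipped.
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        n = NETIF_RE.search(line)
        out.append(Denial(m.group("scontext").split(":")[2],
                          m.group("tcontext").split(":")[2],
                          m.group("tclass"), tuple(m.group("perms").split()),
                          n.group("netif") if n else ""))
    return out

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_AVC):
        print(f"{d.scope():19} {d.allow_rule()}")
```

Feed it `ausearch -m AVC -c httpd` output instead of the sample to see which layer is denying on a live system; any line reported interface-agnostic cannot be fixed by a netif rule alone.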
