Restrict httpd network connections to a specific network interface?
Mark Montague
mark at catseye.org
Sun Mar 13 18:31:21 UTC 2011
On March 13, 2011 14:18, Dominick Grift <domg472 at gmail.com> wrote:
>> No traffic is allowed through because httpd does not have
>> permission for name_connect. And if I add a rule to permit this
>> (equivalent to setting the httpd_can_network_connect boolean) then httpd
>> can connect via ALL interfaces, not just via the loopback interface.
> Yes but can it also use the connection? I mean if it can name_connect
> but not really use the connection because it cant egress, ingress or
> whatever then you may be able to achieve your goals also.
Yes, my test script (running under httpd) is able to connect to a web
server via all interfaces (including eth0) and retrieve data if I permit
name_connect, regardless of whether I'm labeling the loopback interface,
labeling packets on the interface, or not doing anything else at all.
I'd like for httpd to be able to do this but only via the loopback
interface, specifically excluding eth0 and all other interfaces.
I'm still investigating the feasibility of permitting all system calls
and all ports, but labeling ALL packets to and from httpd via all
interfaces. This seems like it would be a fairly big change to the
httpd targeted policy, though, so any other suggestions are very welcome.
--
Mark Montague
mark at catseye.org
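The "label ALL packets to and from httpd" idea discussed above, worked through as an added example that is not part of the original thread and not code from either poster. It labels only connections that httpd itself initiates: the first packet of each such connection gets a SECMARK based on the outgoing interface, CONNSECMARK carries that label to the rest of the connection in both directions, and a small policy module allows httpd_t to send and receive only the loopback label. Everything else (client connections arriving on eth0, other daemons' traffic) stays unlabeled and is unaffected. Assumptions: the web server runs as uid `apache` (Debian uses `www-data`), the packet types `httpd_lo_packet_t` and `httpd_blocked_packet_t` are names constructed here, refpolicy's `corenet_packet()` interface and the `/usr/share/selinux/devel/Makefile` build are available, and `httpd_can_network_connect` is already on so that `name_connect` itself is permitted. Matching on the process uid is an approximation of the original question, since iptables cannot match on the sender's SELinux domain.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post: confine httpd's
# self-initiated connections to the loopback interface with SECMARK labels.
#
# Assumptions (all constructed for this example):
#   - httpd runs as uid "apache" (override with WEB_UID=www-data on Debian)
#   - httpd_lo_packet_t / httpd_blocked_packet_t are new types declared by
#     the module emitted below, not types that exist in the stock policy
#   - httpd_can_network_connect is on, so name_connect is already allowed
# Labeling keys on the process uid rather than on the httpd_t domain,
# because iptables has no match for the sending process's SELinux context.

WEB_UID="${WEB_UID:-apache}"
LO_CTX="system_u:object_r:httpd_lo_packet_t:s0"
BLOCK_CTX="system_u:object_r:httpd_blocked_packet_t:s0"

# Type-enforcement source for the policy module. corenet_packet() is the
# refpolicy interface that gives a type the packet_type attribute.
policy_module_source() {
    cat <<'EOF'
policy_module(httpd_loopback_only, 1.0)

require {
    type httpd_t;
}

# Label for httpd-initiated traffic that stays on lo.
type httpd_lo_packet_t;
corenet_packet(httpd_lo_packet_t)

# Label for httpd-initiated traffic leaving on any other interface.
# No domain is granted send/recv on it, so the kernel drops such packets.
type httpd_blocked_packet_t;
corenet_packet(httpd_blocked_packet_t)

allow httpd_t httpd_lo_packet_t:packet { send recv };
EOF
}

# iptables rules, mangle table (the only table where SECMARK is valid).
# Order matters: restore the saved label on established traffic first,
# then label the first packet of new httpd-initiated connections by
# interface and save that label into the conntrack entry.
secmark_rules() {
    cat <<EOF
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $WEB_UID -o lo -j SECMARK --selctx $LO_CTX
iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $WEB_UID ! -o lo -j SECMARK --selctx $BLOCK_CTX
iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $WEB_UID -j CONNSECMARK --save
EOF
}

# Build and load the module, then install the rules. Only runs on --apply.
apply_all() {
    tmp=$(mktemp -d)
    policy_module_source > "$tmp/httpd_loopback_only.te"
    ( cd "$tmp" && make -f /usr/share/selinux/devel/Makefile httpd_loopback_only.pp )
    semodule -i "$tmp/httpd_loopback_only.pp"
    secmark_rules | sh -e
}

case "${1:-}" in
    --apply) apply_all ;;
esac
```

Two caveats a practitioner would check before relying on this. First, the process listening on loopback also handles packets carrying `httpd_lo_packet_t` (the reply leaves its socket with the restored label), so if that listener is not itself `httpd_t` its domain needs its own `allow ... httpd_lo_packet_t:packet { send recv };` rule. Second, once any SECMARK rule is loaded every unlabeled packet is `unlabeled_t`, and `httpd_t` keeps its existing permission on those; `sesearch -A -s httpd_t -c packet` shows exactly which packet types the loaded policy grants, which is the quick way to confirm that the blocked label is the only one missing.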