adding port restrictions to policy generated by sepolgen

Michael Atighetchi matighet at bbn.com
Wed Jan 11 12:54:32 UTC 2012


Hi,

I have a question about how to restrict network access via SELinux. I 
generated a policy via sepolgen on Fedora 14, and there are some 
network-specific rules and macros in it, for example:

corenet_tcp_bind_generic_node(CZtp_t)
corenet_tcp_connect_postgresql_port(CZtp_t)
corenet_tcp_connect_vnc_port(CZtp_t)
corenet_udp_bind_generic_node(CZtp_t)

allow CZtp_t self:tcp_socket { setopt read bind create accept write 
getattr connect shutdown getopt listen };
allow CZtp_t self:udp_socket { setopt read bind create ioctl write 
getattr connect getopt };

Here is what I would like to change:
1) Restrict privs so that the process can only bind to a specific custom 
port, e.g., 2222 (controlled by my app)
2) Restrict privs so that the only processes on the local machine 
allowed to connect to this port are those in the same domain as the 
process that created the listening socket (same policy as above)

Is this doable?

-- 
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet at bbn.com
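As an added illustration (not from the post above or from sepolgen output), a policy module that narrows the generated rules to a dedicated port type for TCP 2222; the type name cztp_port_t and the module name are assumptions, and the rest of the generated CZtp_t module is assumed to remain loaded.

```selinux
policy_module(cztp_ports, 1.0)

require {
    type CZtp_t;
}

# Dedicated port type for the application's listening port (assumed name).
# The port number itself is attached at install time, outside the policy:
#   semanage port -a -t cztp_port_t -p tcp 2222
type cztp_port_t;
corenet_port(cztp_port_t)

# Socket creation stays as sepolgen generated it; binding to a node is
# still required, but the port is no longer "generic": drop the
# corenet_tcp_bind_generic_port / unreserved-port lines from the original
# module so name_bind is granted only on cztp_port_t.
allow CZtp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(CZtp_t)
corenet_tcp_sendrecv_generic_if(CZtp_t)
corenet_tcp_sendrecv_generic_node(CZtp_t)

# 1) Bind only to the custom port.
allow CZtp_t cztp_port_t:tcp_socket name_bind;

# 2) Only CZtp_t may initiate connections to the custom port; any other
# confined domain attempting connect() is denied name_connect and the
# attempt is logged as an AVC denial.
allow CZtp_t cztp_port_t:tcp_socket name_connect;
```

name_connect is checked on the connecting domain, so it only restricts domains that lack blanket port access (unconfined domains are unaffected). Verifying the peer's domain at the listener side requires labeled networking (NetLabel or SECMARK), which this module does not set up.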
