adding port restrictions to policy generated by sepolgen

Mr Dash Four mr.dash.four at googlemail.com
Wed Jan 11 17:22:35 UTC 2012


> Preventing all other domains from connecting to port 2222 is much
> more difficult.
No, it's not! I have a very similar setup to what Michael describes in 
his post. This was prompted by a common theme running through all Fedora 
net policies for granting permissions to defined ports regardless of 
whether they are actually used/needed or not, including access to all 
ports - something which I was deeply unhappy about, though I accept that 
selinux-policy(-targeted) is not defined just for the set of machines I 
deploy, but for millions of other users, so that's fair enough, I suppose.

To avoid granting such permissions willy-nilly I redefined two aspects 
of the "default" Fedora policies: I've included a definition of a new 
type called 'pk_type' (instead of the "standard" packet_type used) and 
'prt_type' (instead of the "standard" port_type). There are, generally 
speaking, 4 files responsible for all net policy definitions and further 
macro generation used throughout: corenetwork.te{.in,.m4} as well as 
corenetwork.if{.in,.m4}, so all I had to do was extend these definitions 
for the custom-defined prt_type and pk_type for the (custom) 
ports/packets used on my system (that would be 2222 in Michael's case) 
and that would be that, assuming he also alters the policy (or policies) 
of the domains that need access to this particular port - that is crucial.

> You might have to turn on seclabel to achieve this, since there are
> many domains that are allowed to connect to all ports.
If seclabel is used, then a simple re-definition of pk_type from the 
"standard" packet_type would be enough. A word of warning though: 
"packet_type" is a parent of "server_packet_type" and 
"client_packet_type", so these types would also need to be redefined in 
order for packet_type restrictions to be useful. Also, simply redefining 
server_packet_type or client_packet_type won't be enough because I found 
that there are domains with "grant" permissions to the base "packet_type".
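The following script is an added example and is not code from this post, from Michael's setup, or from the Fedora policy sources. It writes out the two policy pieces the message describes: a corenetwork-style fragment in which the port type carries a custom attribute instead of the standard port_type, and a domain module that is the only thing granted access to the port. It also goes one step beyond the thread by emitting the packet side (a custom pk_type packet type plus the iptables SECMARK rules that attach it), which is the "seclabel" route discussed above. All names are constructed assumptions: the daemon domain mydaemon_t, the port type mydaemon_alt_port_t, the packet type mydaemon_alt_packet_t, the attributes prt_type and pk_type; 2222/tcp is the port from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from Fedora's policy.
# Constructed names: domain "mydaemon_t", port type "mydaemon_alt_port_t",
# packet type "mydaemon_alt_packet_t", custom attributes "prt_type"/"pk_type".
# Port 2222/tcp is the value discussed in the thread.

# corenetwork-style fragment for the BASE policy (portcon is a base-policy
# statement and cannot go into a loadable module). The port type carries only
# the custom attribute and never the standard port_type, so blanket grants
# such as corenet_tcp_connect_all_ports() do not reach it.
gen_port_policy() {
    port="$1"; proto="$2"; ptype="$3"
    cat <<EOF
attribute prt_type;
type ${ptype}, prt_type;
portcon ${proto} ${port} system_u:object_r:${ptype}:s0
EOF
}

# Packet type for SECMARK labelling. Same idea: it carries only pk_type, not
# packet_type, server_packet_type or client_packet_type, because some domains
# hold grants on the base packet_type attribute (as the message points out).
gen_packet_policy() {
    pkttype="$1"
    cat <<EOF
attribute pk_type;
type ${pkttype}, pk_type;
EOF
}

# Domain-side rules: the service's own domain is the only one that may bind
# to or connect to the port and exchange its labelled packets. This part is
# an ordinary loadable module.
gen_domain_module() {
    domain="$1"; ptype="$2"; pkttype="$3"; proto="$4"
    cat <<EOF
module mydaemon_port 1.0;

require {
    type ${domain};
    type ${ptype};
    type ${pkttype};
    class ${proto}_socket { name_bind name_connect };
    class packet { send recv };
}

allow ${domain} ${ptype}:${proto}_socket { name_bind name_connect };
allow ${domain} ${pkttype}:packet { send recv };
EOF
}

# iptables SECMARK rules that attach the packet label to traffic on the port
# so that the packet { send recv } checks above are actually evaluated;
# CONNSECMARK copies the label onto the rest of the connection.
gen_secmark_rules() {
    port="$1"; proto="$2"; pkttype="$3"
    ctx="system_u:object_r:${pkttype}:s0"
    cat <<EOF
iptables -t mangle -A INPUT  -p ${proto} --dport ${port} -j SECMARK --selctx ${ctx}
iptables -t mangle -A OUTPUT -p ${proto} --sport ${port} -j SECMARK --selctx ${ctx}
iptables -t mangle -A INPUT  -j CONNSECMARK --save
iptables -t mangle -A OUTPUT -j CONNSECMARK --restore
EOF
}

# Write everything into a directory. Building is left to the normal toolchain:
# the two corenet fragments belong in a base policy rebuild, and the module is
# built with checkmodule -M -m -o x.mod x.te, semodule_package -o x.pp -m x.mod
# and installed with semodule -i x.pp.
write_all() {
    dir="${1:-.}"
    gen_port_policy 2222 tcp mydaemon_alt_port_t    > "$dir/corenet_port_fragment.te"
    gen_packet_policy mydaemon_alt_packet_t          > "$dir/corenet_packet_fragment.te"
    gen_domain_module mydaemon_t mydaemon_alt_port_t mydaemon_alt_packet_t tcp \
                                                     > "$dir/mydaemon_port.te"
    gen_secmark_rules 2222 tcp mydaemon_alt_packet_t > "$dir/secmark.sh"
}
```

Two things to keep in mind when using this pattern. Because the port type deliberately lacks the port_type attribute, semanage port will refuse it (it only accepts types that carry port_type), so the port context has to be declared in the base policy as above rather than added at runtime. And once a single SECMARK rule is loaded the kernel checks packet permissions for all traffic, so packets not matched by any rule are unlabeled_t and every networking domain on the box needs the corresponding unlabeled-packet grant.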


