Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)

On 07/24/2009 04:44 PM, Steve Grubb wrote:
> On Friday 24 July 2009 03:47:51 pm Casey Dahlin wrote:
>> A couple of mentions of SELinux have cropped up in the FireKit thread,
>> which got me thinking about the Firewall and SELinux and ways in which they
>> are similar. I had the following thought:
>>
>> SELinux already has a lot of policy information from which we might like to
>> determine whether ports should be open to a particular program.
> 
> Just because selinux has policy doesn't mean the app is installed.
> 

If the app is not installed nothing is running in its context, so none of the rules will ever trigger.

> 
>> The simplest mechanism I can see for doing that is to allow SELinux context
>> to be referenced in the firewall rules. This prevents either system from
>> having to be grotesquely modified.
>>
>> An example rule might look like this:
>>
>> -A INPUT -Z apache_t -j ACCEPT
>>
>> Here we tell the firewall to allow incoming traffic that will be
>> intercepted in userspace by a process in the apache_t context.
> 
> I don't like this. It's not tying to any port. For example, suppose there is a
> vulnerability in cups and apache is not running, the cups app could start
> listening on other ports and the rule would allow connections.
> 

Only if cups were running in the apache_t context.

You seem to not quite be getting what I'm saying. What is it you expect that rule /does/ accomplish if not prevent the situation you describe?

--CJD

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
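As an added illustration, not code from the thread, from Fedora or from iptables: the closest thing Linux already provides for the idea above is the iptables SECMARK target, which labels packets with an SELinux context so that SELinux policy, rather than the firewall, decides which domain may send or receive them. Because the label is assigned by port in the firewall and the permission is granted per domain in policy, it covers both the port-bound rule Steve asks for and the context-based decision Casey proposes. The script only generates the rules and a policy fragment as text for review; `httpd_t` and `http_server_packet_t` are refpolicy type names, and the module wrapper and file names are assumed.

```shell
#!/bin/sh
# Illustrative example, not from the thread: instead of a hypothetical
# "-Z apache_t" match, label inbound packets by port with the SECMARK
# target and let SELinux policy decide which domain may receive them.
# Nothing here is applied to the running system; rules and a policy
# fragment are only produced as text so they can be reviewed first.

# Emit mangle-table rules that tag new inbound TCP packets on port $1
# with packet type $2 and carry that label across the whole connection.
gen_secmark_rules() {
    port="$1"; ptype="$2"
    ctx="system_u:object_r:${ptype}:s0"
    cat <<EOF
iptables -t mangle -A INPUT -p tcp --dport ${port} -m state --state NEW -j SECMARK --selctx ${ctx}
iptables -t mangle -A INPUT -p tcp --dport ${port} -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
EOF
}

# Emit a minimal TE policy fragment: only domain $1 may send or receive
# packets of type $2.  A process in some other domain that starts
# listening on the same port is not granted these packets by this rule
# (binding the port itself is governed separately by name_bind on the
# port type, which is not shown here).
gen_policy_fragment() {
    domain="$1"; ptype="$2"
    cat <<EOF
policy_module(secmark_${domain}, 1.0)
gen_require(\`
    type ${domain};
    type ${ptype};
')
allow ${domain} ${ptype}:packet { send recv };
EOF
}

# Write both artifacts into a directory (default: current) for review;
# the file names are assumed, not a convention of any real project.
write_review_files() {
    dir="${1:-.}"
    gen_secmark_rules 80 http_server_packet_t > "${dir}/secmark.rules"
    gen_policy_fragment httpd_t http_server_packet_t > "${dir}/secmark_httpd.te"
}
```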
