On Fri, Jul 24, 2009 at 5:49 PM, Roland McGrath <roland@xxxxxxxxxx> wrote:
> So I think most of us in this discussion probably don't actually understand
> SECMARK. I sure didn't. I think I might now, sort of. The SELinux policy
> just says contexts, and it doesn't say anything about the port numbers.
> The point of SECMARK is that you write port-matching rules that are what
> sets the context on those packets. You have to write those rules by hand
> (or somehow) or else there just aren't ever any packets anywhere that are
> marked with the right context so they match the SELinux policy for what the
> given daemon is allowed to see.
>
> So I think what one really wants is just a better level of admin/packaging
> coordination. That is, you would really like to write in one place both
> the SELinux policy and the port numbers (i.e. iptables matching rules) you
[snip]

Not just port numbers. For example, I might want to confine CUPS to only speak to localhost and 192.168.1.1/32; 192.168.10.1/32; 192.168.15.3/32, so that if something running as cups_t is compromised it can only talk to my print servers and not phone home or get messages from an external botnet controller.

I think SECMARK can do this, but I think that it would require me to change the SELinux policy to only allow cups_t to touch cups-marked packets. I think this would be much easier to administer as pure firewall rules, i.e.

    -S 192.168.1.1/32 --dctx cups_t -j ACCEPT
    ...
    --dctx cups_t -j REJECT
    --sctx cups_t -D 192.168.1.1/32 -j ACCEPT
    --sctx cups_t -j REJECT

As far as I can tell the only way to get the same general behavior from SECMARK is to make the SELinux policy require the marking, then have a bunch of marking rules. Then your apps break if the firewall is not activated. I consider this a bootstrapping problem.

I'm also not sure how you could achieve multiple contexts being permitted to access a particular set of traffic using SECMARK, nor can I figure out how you could accomplish the output side.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
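For readers following the thread, this is what the "bunch of marking rules" the SECMARK approach needs actually looks like for the CUPS case discussed above. It is an added example, not code from the post or from any Fedora package. Everything in it is an assumption for illustration: the packet type in PKT_CTX is a placeholder to be replaced by whatever type the local policy defines for CUPS client traffic, IPP is assumed to be TCP/631, and IPT defaults to a dry run that only prints the iptables commands (set IPT=iptables to apply them). The policy side of the scheme, which the post says must also change, is only sketched in a comment.

```shell
#!/bin/sh
# Added example: SECMARK/CONNSECMARK marking rules that label only the traffic
# between this host and a fixed set of print servers. Constructed for
# illustration; the packet type below is a PLACEHOLDER, not a real policy type.
PKT_CTX="system_u:object_r:PLACEHOLDER_cups_client_packet_t:s0"
IPP_PORT=631                      # assumed IPP port
IPT="${IPT:-echo iptables}"       # dry run by default; IPT=iptables to apply

# Label the first packet of a new connection from this host to one print
# server's IPP port. Anything not matched here stays unlabeled, so a policy
# that only lets cups_t send/recv PKT_CTX packets confines it to these hosts.
secmark_for_server() {
    server="$1"
    $IPT -t mangle -A OUTPUT -d "$server" -p tcp --dport "$IPP_PORT" \
        -m state --state NEW -j SECMARK --selctx "$PKT_CTX"
}

# Emit the full mangle-table rule set for the given list of print servers.
secmark_rules() {
    # Established flows: copy the label saved on the conntrack entry back onto
    # every packet, in both directions. This is what lets the replies coming
    # in on INPUT carry the same context as the outbound request.
    $IPT -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
    $IPT -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
    for s in "$@"; do
        secmark_for_server "$s"
    done
    # New flows: save whatever label the SECMARK rules above assigned onto the
    # conntrack entry so the --restore rules can reuse it.
    $IPT -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
}

# The policy half of the scheme (assumed syntax, not from the post) would then
# allow cups_t only this packet type and drop its access to unlabeled packets:
#   allow cups_t PLACEHOLDER_cups_client_packet_t:packet { send recv };
# That second step is the bootstrapping problem the post describes: with the
# firewall down nothing is labeled, so cups_t can no longer reach anything.

# Constructed list: localhost plus the three print servers named in the post.
secmark_rules 127.0.0.1/32 192.168.1.1/32 192.168.10.1/32 192.168.15.3/32
```

Run it as-is to see the seven rules it would install; run it with IPT=iptables as root to install them. Four of the rules are per-server SECMARK marks, the other three are the CONNSECMARK save/restore rules that are independent of how many servers are listed.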