On Thu, 2005-04-14 at 16:33 -0400, Steve Brueckner wrote: > I need to lock down the local interprocess communications (sockets, pipes, > shared memory...) for a few untrusted applications under the targeted > policy. For example, I want to write policies for Mozilla and Eclipse such > that Eclipse may connect to Mozilla's tcp socket 80 via loopback, but > Eclipse may not connect to any other process's tcp socket 80 via loopback. > Same thing goes for other methods of IPC. You mean apache rather than mozilla, right? > I suspect this means I have to figure out how to label sockets and the like > with special contexts as they are created. Am I on the right track here? > If so, how would I adjust my policies to label these IPC resources on a > per-process basis? Or is this not do-able with SELinux? You can control network communication (loopback or otherwise) via the permission checks between the sending socket security context and the security contexts of the network interface, the destination host, and the destination port. These are the netif and node tcp_send permissions and the tcp_socket send_msg permission. Sockets are labeled in accordance with the creating process, so you just need to define a domain for eclipse. > What I'm proposing here is a little more involved than most of the SELinux > documentation I've found online, so any good resources would be appreciated. > Of course, the more that is spelled out for me in a direct reply the bigger > my head start > will be. At this point I don't even know where to begin. Possible resources: The RHEL4 SELinux Guide, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ - Understanding and Customizing the Apache HTTP SELinux Policy, http://fedora.redhat.com/docs/selinux-apache-fc3/ - Sourceforge SELinux HOWTOs http://sourceforge.net/docman/?group_id=21266 - SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty, http://www.oreilly.com/catalog/selinux/ - Tresys Technology Policy Writing Course Slides, http://www.tresys.com/selinux/selinux-course-outline.html - Configuring the SELinux Policy, http://www.nsa.gov/selinux/papers/policy2-abs.cfm -- Stephen Smalley <sds@xxxxxxxxxxxxx> National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
