On 03/11/2011 07:08 PM, Mark Montague wrote:
> Fedora 14, httpd is working correctly, however the
> httpd_can_network_connect boolean grants more access than I want. I'd
> like httpd to be able to open connections on any port, but only via a
> specific network interface (lo0) and no others (eth0, etc.), while still
> accepting HTTP connections on all interfaces.
>
> I've set up iptables to label all packets in and out of the loopback
> interface:
>
> iptables -t mangle -A INPUT -i lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
> iptables -t mangle -A OUTPUT -o lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
>
> and have permitted httpd to send and receive these:
>
> allow httpd_t loopback_packet_t:packet { send recv };
> allow httpd_sys_script_t loopback_packet_t:packet { send recv };
>
> But the problem is that this does not permit httpd to connect:
>
> type=AVC msg=audit(1299866424.466:17033): avc: denied { name_connect } for pid=28402 comm="test-script" dest=9000 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
>
> Adding the following TE rule of course permits httpd to connect via any
> interface (equivalent to turning on httpd_can_network_connect):
>
> allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
>
> What am I missing? Any suggestions? I've searched the web but haven't
> found anything. Thanks in advance for any help.

I do not have much experience with networking and dwalsh probably has a better solution but consider the following:

you can label network interfaces (semanage interface ...)
man semanage

the netif (network interface) object class takes the following permissions (tcp example):
( tcp_send tcp_recv egress ingress )

domains by default can send/recv ( tcp_send tcp_recv egress ingress ) (also udp) on generic network interfaces (netif_t:netif)

So you could maybe declare one or more new network interface object types, label your network interfaces with the new types using semanage interface, then use the tcp_send tcp_recv egress ingress permissions to achieve what you want (I am guessing you can use egress / ingress to allow input / output).

Problem is that if you label your interfaces, no domain can use them unless you allow it. May or may not work...

for udp it's:
send: udp_send egress
receive: udp_recv ingress

I think you can use (example netif_lo_t):

network_interface(lo, lo, s0 - mls_systemhigh)

to declare a network interface type (the above example is for mls) or maybe just:

type mynetworkinterface_t, netif_type;

... works just fine

Again, not sure if this will help you achieve what you want but it should give you some more control. I guess it's worth a try.

> --
> Mark Montague
> mark@xxxxxxxxxxx
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
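As an added example, written for this page and not code from either poster, here is a small Python helper that parses AVC denial lines like the one quoted in the thread, derives the matching allow rule the way audit2allow would, and reports which kernel object the check is keyed on. The first sample line is the denial from the thread; the second is a constructed packet-class denial (its `saddr`/`src`/`daddr`/`netif` fields are made up for the example) included for contrast. The point it makes visible: a `name_connect` denial on `http_port_t` is keyed on the port type alone and carries no interface information, so the rule derived from it opens the port on every interface, which is exactly why that rule is equivalent to `httpd_can_network_connect` and why the thread looks to packet and netif labeling instead.

```python
import re

# Constructed sample AVC lines. The first is the denial quoted in the thread;
# the second is a made-up packet-class denial (fields invented for contrast).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1299866424.466:17033): avc: denied { name_connect } '
    'for pid=28402 comm="test-script" dest=9000 '
    'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1299866500.123:17040): avc: denied { send } '
    'for pid=28402 comm="test-script" saddr=127.0.0.1 src=45000 '
    'daddr=127.0.0.1 dest=9000 netif=lo '
    'scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:loopback_packet_t:s0 tclass=packet',
]

# "avc: denied { perm1 perm2 } for key=value ..." ; everything after "for" is
# a flat key=value list, values optionally double-quoted (comm="...").
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))})
    # A context is user:role:type[:range]; the type is the third component.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """Build the TE allow rule that would silence this denial (audit2allow style)."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return "allow %s %s:%s %s;" % (rec['stype'], rec['ttype'], rec['tclass'], perm_str)


def scope_of(rec):
    """Name the kernel object the access check is keyed on.

    'port' checks (name_connect/name_bind on *_port_t) know nothing about
    interfaces; 'packet' and 'interface' checks are where SECMARK and netif
    labeling give per-interface control.
    """
    if rec['tclass'] in ('tcp_socket', 'udp_socket') and rec['ttype'].endswith('_port_t'):
        return 'port'
    if rec['tclass'] == 'packet':
        return 'packet (netif=%s)' % rec.get('netif', '?')
    if rec['tclass'] == 'netif':
        return 'interface'
    return 'other'


def summarize(lines):
    """Return (allow rule, scope) for every AVC line in the input."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((allow_rule(rec), scope_of(rec)))
    return out


if __name__ == '__main__':
    for rule, scope in summarize(SAMPLE_AVCS):
        print('%-70s  keyed on: %s' % (rule, scope))
```

Feed it real `audit.log` lines (`python3 avc_scope.py < /var/log/audit/audit.log` after adapting `__main__` to read stdin) and any rule reported as keyed on `port` is one that cannot be scoped to a single interface no matter how the packets are labeled.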