On March 11, 2011 13:38, Dominick Grift <domg472@xxxxxxxxx> wrote:
> On 03/11/2011 07:08 PM, Mark Montague wrote:
>> Fedora 14, httpd is working correctly, however the
>> httpd_can_network_connect boolean grants more access than I want. I'd
>> like httpd to be able to open connections on any port, but only via a
>> specific network interface (lo0) and no others (eth0, etc.), while still
>> accepting HTTP connections on all interfaces.
>
> So you could maybe declare one or more new network interface object types.
>
> label your network interfaces with the new types using semanage interface
>
> then use the tcp_send tcp_recv egress ingress permissions to achieve
> what you want ( i am guessing you can use egress / ingress to allow
> input /output)

Thanks for the reply, Dominick. I added the following as a local module:

    module loopbackif 1.0;
    require { type httpd_t; type httpd_sys_script_t; class netif { tcp_send tcp_recv egress ingress }; }
    type loopbackif_t;
    allow httpd_t loopbackif_t : netif { tcp_send tcp_recv egress ingress };
    allow httpd_sys_script_t loopbackif_t : netif { tcp_send tcp_recv egress ingress };

And then ran:

    semanage interface -a -t loopbackif_t lo

Unfortunately, the result is the same as for labeling packets on the
interface: No traffic is allowed through because httpd does not have
permission for name_connect. And if I add a rule to permit this
(equivalent to setting the httpd_can_network_connect boolean) then httpd
can connect via ALL interfaces, not just via the loopback interface.

Does anyone have any other ideas or suggestions? In the meantime, I'll
investigate whether it might be possible to change the targeted policy
for httpd to use only packet labels for controlling network traffic
instead of limiting system calls and ports.

--
Mark Montague
mark@xxxxxxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
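The build, install and label sequence for the netif module discussed in the thread, written out as an added example; it is not part of the thread and not Mark's or Dominick's code. It assumes checkmodule, semodule_package, semodule and semanage (policycoreutils/checkpolicy) plus sesearch (setools) on a Fedora-style targeted-policy host, run as root, and it reuses the module name, type name and interface name from the message. The last sesearch query is there to make the point Mark runs into visible: the netif rules say nothing about the tcp_socket name_connect check against the port type, so that permission is still evaluated separately and per port, not per interface.

```shell
#!/bin/sh
# Added example: build and install the loopbackif netif module from the
# thread, label lo with it, and show what policy now says.
set -e

MODULE_NAME=loopbackif
IFACE=lo   # Linux names the loopback interface lo; the thread's semanage call uses lo too

# write_module DIR: write the module source into DIR and print its path.
write_module() {
    out="$1/$MODULE_NAME.te"
    cat > "$out" <<'EOF'
module loopbackif 1.0;

require {
    type httpd_t;
    type httpd_sys_script_t;
    class netif { tcp_send tcp_recv egress ingress };
}

# Interface type attached to lo with: semanage interface -a -t loopbackif_t lo
type loopbackif_t;

allow httpd_t loopbackif_t : netif { tcp_send tcp_recv egress ingress };
allow httpd_sys_script_t loopbackif_t : netif { tcp_send tcp_recv egress ingress };
EOF
    printf '%s\n' "$out"
}

# build_module DIR: compile DIR/loopbackif.te into a .pp package and print its path.
build_module() {
    dir="$1"
    checkmodule -M -m -o "$dir/$MODULE_NAME.mod" "$dir/$MODULE_NAME.te"
    semodule_package -o "$dir/$MODULE_NAME.pp" -m "$dir/$MODULE_NAME.mod"
    printf '%s\n' "$dir/$MODULE_NAME.pp"
}

# install_and_label PP: load the package and label the interface with the new type.
install_and_label() {
    semodule -i "$1"
    semanage interface -a -t loopbackif_t "$IFACE"
}

# show_state: list interface labels and the rules that now apply to httpd_t.
show_state() {
    semanage interface -l
    sesearch -A -s httpd_t -t loopbackif_t -c netif
    # The netif rules above do not grant the per-port name_connect check on
    # tcp_socket; this query shows which port types httpd_t may connect to,
    # and it is interface-independent, which is the limitation in the thread.
    sesearch -A -s httpd_t -c tcp_socket -p name_connect
}

# Only touch the running system when invoked as: sh loopbackif.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    write_module "$work" >/dev/null
    pp=$(build_module "$work")
    install_and_label "$pp"
    show_state
fi
```

Running the script without the run argument only defines the functions, so the source can be generated and inspected (write_module) on a machine without SELinux tooling before anything is loaded on the target host.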