On 03/13/2011 02:31 PM, Mark Montague wrote:
> On March 13, 2011 14:18 , Dominick Grift <domg472@xxxxxxxxx> wrote:
>>> No traffic is allowed through because httpd does not have
>>> permission for name_connect. And if I add a rule to permit this
>>> (equivalent to setting the httpd_can_network_connect boolean) then httpd
>>> can connect via ALL interfaces, not just via the loopback interface.
>> Yes but can it also use the connection? I mean if it can name_connect
>> but not really use the connection because it can't egress, ingress or
>> whatever then you may be able to achieve your goals also.
>
> Yes, my test script (running under httpd) is able to connect to a web
> server via all interfaces (including eth0) and retrieve data if I permit
> name_connect, regardless of whether I'm labeling the loopback interface,
> labeling packets on the interface, or not doing anything else at all.
> I'd like for httpd to be able to do this but only via the loopback
> interface, specifically excluding eth0 and all other interfaces.
>
> I'm still investigating the feasibility of permitting all system calls
> and all ports, but labeling ALL packets to and from httpd via all
> interfaces. This seems like it would be a fairly big change to the
> httpd targeted policy, though, so any other suggestions are very welcome.
>
> --
> Mark Montague
> mark@xxxxxxxxxxx
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

I think you would need to define a type for all domain types to use it
except apache types:

    type genif_t;
    allow { domain -httpd_t -httpd_sys_script_t } genif_t : netif { tcp_send tcp_recv egress ingress };

    semanage interface -a -t genif_t eth0
    semanage interface -a -t loopbackif_t lo

I do not know if you can use regular expressions for the specifications.
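The approach in the reply above, written out as a complete loadable policy module with the build, labeling and verification steps. This is an added example, not code from the thread or from the Fedora/reference policy; the module name `httpd_loopback_only`, the assumption that the base policy hands domains "all interfaces" access through the `netif_type` attribute (which is why the new type is kept off that attribute), the `loopbackif_t` name (taken from the reply; confirm it exists on your system before labeling `lo`), and the `/usr/share/selinux/devel/Makefile` build path are assumptions. The UDP and raw-IP permissions go beyond the reply's tcp-only rule so that non-apache services that use those protocols keep working on the relabeled interface.

```sepolicy
# httpd_loopback_only.te  (hypothetical module name; added example)
#
# Goal from the thread: let httpd_t talk to servers over lo only.
# Approach from the reply: give every non-loopback interface a type that
# all domains EXCEPT the apache domains may send and receive on.
policy_module(httpd_loopback_only, 1.0)

require {
    attribute domain;          # every process domain (refpolicy attribute)
    type httpd_t;              # apache daemon
    type httpd_sys_script_t;   # apache CGI scripts
    class netif { tcp_send tcp_recv udp_send udp_recv rawip_send rawip_recv ingress egress };
}

# Interface type for "everything that is not the loopback".
# Assumption: the base policy grants httpd_t access to all interfaces via
# the netif_type attribute, so genif_t is deliberately NOT given that
# attribute; otherwise those existing rules would reach it too.
type genif_t;

# Every domain except the two apache domains may use interfaces of this type.
# (The reply listed tcp + ingress/egress only; udp and rawip are added here so
#  non-apache UDP/ICMP users keep working on the relabeled interface.)
allow { domain -httpd_t -httpd_sys_script_t } genif_t : netif { tcp_send tcp_recv udp_send udp_recv rawip_send rawip_recv ingress egress };

# Build, install and label the interfaces (run as root; paths are assumptions):
#   make -f /usr/share/selinux/devel/Makefile httpd_loopback_only.pp
#   semodule -i httpd_loopback_only.pp
#   seinfo -t | grep -i loopback          # confirm the loopback type name first
#   semanage interface -a -t genif_t eth0
#   semanage interface -a -t loopbackif_t lo
#
# Check the result: httpd_t should have NO netif permissions on genif_t ...
#   sesearch -A -s httpd_t -t genif_t -c netif
# ... while a non-apache domain such as sshd_t should:
#   sesearch -A -s sshd_t -t genif_t -c netif
# Then repeat the connect test from the thread: with name_connect permitted,
# a fetch over lo should succeed and one over eth0 should be denied, with the
# netif denial visible in the audit log.
```

The `sesearch` checks are the quickest way to confirm the negative set in the allow rule did what was intended before touching the live interface labels; relabeling `eth0` affects every domain on the host, so verify the rule first and keep a console session open while applying the `semanage interface` changes.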