Re: Restrict httpd network connections to a specific network interface?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



  On March 27, 2011 12:21 , Mark Montague <mark@xxxxxxxxxxx>  wrote:
> The requirements are:
>
> 1. Allow httpd to serve any requests on ports 80 and 443 from any
> network interface.
> 2. Allow httpd and its scripts (CGIs) to access any resource (databases,
> back-end content web servers, etc.) on the local machine via the
> loopback interface.
> 3. Prohibit any other traffic from httpd.  Specifically, do not allow
> any access by either httpd or its scripts to resources on remote
> (untrusted) machines.
> 4. Do not affect any other service or user running on the machine.
>
> I haven't been able to solve the problem by labeling interfaces, yet --
> requirement 1 keeps getting in my way.
>
> However, I was able to solve the problem by labeling packets.

I was also able to solve the problem another way, using a netfilter 
module:  http://github.com/markmont/xt_selinux   This has the advantage 
of allowing more flexible action than just an AVC denial (for example, 
sending a TCP reset to get a script such as curl to immediately give up 
and exit).  But it is a horrible, hacky solution that brutalizes the 
SELinux LSM, is extremely fragile, and probably should not exist -- I'd 
like to apologize for that right now.  But I thought it would be a 
useful thing to present for the sake of academic discussion.

Here are the commands (no local policy is needed, if you don't count the 
boolean):

setsebool -P httpd_can_network_connect=on

# Allow loopback device traffic to/from all services or users:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept incoming web server traffic:
iptables -A INPUT -p tcp -m multiport --dports 80,443 \
     -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Silently block all other incoming traffic:
iptables -A INPUT -j DROP

# httpd is already allowed (by the rules above) to send any traffic
# via the loopback device in order to access various local resources.
# Also allow httpd to respond to incoming web server traffic (for
# which we've already accepted the input, above).  Prohibit httpd
# from sending any other outbound traffic.
iptables -N HTTPD_OUT
iptables -A OUTPUT -m selinux --task-ctx system_u:system_r:httpd_t:s0 \
     -j HTTPD_OUT
iptables -A HTTPD_OUT -m conntrack --ctstate RELATED,ESTABLISHED \
     -j ACCEPT
iptables -A HTTPD_OUT -j REJECT

# Web server scripts (CGIs) are already allowed (by a rule above) to
# send any traffic through the loopback device in order to access
# various local resources.  But prohibit scripts from accessing
# anything else (such as remote machines).
iptables -A OUTPUT \
     -m selinux --task-ctx system_u:system_r:httpd_sys_script_t:s0 \
     -j REJECT

# Permit all other services and users on the machine to send outbound
# traffic without restriction:
iptables -A OUTPUT -j ACCEPT


For the record, I'm not using the above solution myself: I'm using the 
SECMARK-based solution that I described in my previous message:  
http://lists.fedoraproject.org/pipermail/selinux/2011-March/013612.html

The xt_owner netfilter module used to support iptables matching against 
security contexts back in 2.6.13.  I'm assuming that there is no 
interest in devising the "right way" to restore this functionality long 
term, since this would allow "policy" in multiple places.  But if I'm 
wrong, please let me know -- I'd be happy to take a shot at proposing 
and writing new LSM hooks to properly support netfilter-based security 
context matching that worked with all applicable LSMs.

--
   Mark Montague
   mark@xxxxxxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux