Re: adding port restrictions to policy generated by sepolgen

> Preventing all other domains from connecting to port 2222 is much
> more difficult.
No, it's not! I have a very similar setup to what Michael describes in his post. This was prompted by a common theme running through all Fedora net policies for granting permissions to defined ports regardless of whether they are actually used/needed or not, including access to all ports - something which I was deeply unhappy about, though I accept that selinux-policy(-targeted) is not defined just for the set of machines I deploy, but for millions of other users, so that's fair enough, I suppose.

To avoid granting such permissions willy-nilly I redefined two aspects of the "default" Fedora policies: I've included a definition of a new type called 'pk_type' (instead of the "standard" packet_type used) and 'prt_type' (instead of the "standard" port_type). There are, generally speaking, 4 files responsible for all net policy definitions and further macro generation used throughout: corenetwork.te{.in,.m4} as well as corenetwork.if{.in,.m4}, so all I had to do was extend these definitions for the custom-defined prt_type and pk_type for the (custom) ports/packets used on my system (that would be 2222 in Michael's case) and that would be that, assuming he also alters the policy (or policies) of the domains that need access to this particular port - that is crucial.

> You might have to turn on seclabel to achieve this.
> Since there are many domains that are allowed to connect to all ports.
If seclabel is used, then a simple re-definition of pk_type from the "standard" packet_type would be enough. A word of warning though: "packet_type" is a parent of "server_packet_type" and "client_packet_type", so these types would also need to be redefined in order for packet_type restrictions to be useful. Also, simply redefining server_packet_type or client_packet_type won't be enough because I found that there are domains with "grant" permissions to the base "packet_type".

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
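The post above argues that a port label is only as restrictive as the attribute it carries: any domain allowed `name_connect` on the whole `port_type` attribute reaches port 2222 as soon as its type joins that attribute, which is why the author moved his custom port types onto a separate `prt_type` attribute. The following added audit script (not from the thread or from the Fedora policy sources) makes that visible. It parses `allow` rules in the text form printed by `sesearch -A -c tcp_socket -p name_connect`, combines them with attribute membership as reported by `seinfo -a<attr> -x`, and lists which domains can connect to a given port type directly versus through an attribute. The rule lines and attribute sets embedded below are constructed samples; the type name `ssh2222_port_t`, the domain names and the `prt_type` attribute are assumptions standing in for whatever a real policy defines.

```python
"""Audit which SELinux domains may name_connect to a port type, and whether
that right comes from a direct rule or from an attribute such as port_type."""
import re

# One `allow` line as printed by `sesearch -A -c tcp_socket -p name_connect`
# (setools 4 syntax). Permissions are either a single name or a braced set.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):tcp_socket\s+"
    r"(?P<perms>\{[^}]*\}|\S+);\s*$"
)

# Constructed sample of sesearch output; a real policy has thousands of lines.
SAMPLE_RULES = """\
allow sshd_t port_type:tcp_socket name_connect;
allow httpd_t http_port_t:tcp_socket name_connect;
allow backup_t ssh2222_port_t:tcp_socket { name_bind name_connect };
allow nagios_t port_type:tcp_socket { name_connect recv_msg send_msg };
allow sshd_t ssh_port_t:tcp_socket name_bind;
"""

# Constructed attribute membership, as `seinfo -aport_type -x` would list it.
# Here the custom type has been given BOTH attributes, the situation the
# post warns about: it inherits every grant made on port_type.
SAMPLE_ATTRS = {
    "port_type": {"http_port_t", "ssh_port_t", "ssh2222_port_t"},
    "prt_type": {"ssh2222_port_t"},   # assumed custom attribute from the post
}


def parse_rules(text):
    """Return (source_domain, target) pairs for rules granting name_connect."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = set(m.group("perms").strip("{} ").split())
        if "name_connect" in perms:
            rules.append((m.group("src"), m.group("tgt")))
    return rules


def who_can_connect(port_type, rules_text, attrs):
    """Map each domain that may connect to `port_type` to how it got the right:
    'direct' for a rule naming the type, otherwise the attribute that carried it."""
    grants = {}
    for src, tgt in parse_rules(rules_text):
        if tgt == port_type:
            grants[src] = "direct"          # an explicit rule always wins
        elif port_type in attrs.get(tgt, ()):
            grants.setdefault(src, tgt)     # reached through an attribute
    return grants


def narrow_attribute(attrs, port_type, broad="port_type", narrow="prt_type"):
    """Model the post's redefinition: take the type out of the broad attribute
    so only rules on the narrow attribute or on the type itself still apply."""
    new = {k: set(v) for k, v in attrs.items()}
    new.setdefault(broad, set()).discard(port_type)
    new.setdefault(narrow, set()).add(port_type)
    return new


if __name__ == "__main__":
    before = who_can_connect("ssh2222_port_t", SAMPLE_RULES, SAMPLE_ATTRS)
    after = who_can_connect("ssh2222_port_t", SAMPLE_RULES,
                            narrow_attribute(SAMPLE_ATTRS, "ssh2222_port_t"))
    print("with port_type attribute :", before)
    print("on prt_type only         :", after)
```

Run against a live system by piping real `sesearch` output into `parse_rules` and building the attribute dictionary from `seinfo`; every entry whose value is an attribute name rather than `direct` is a domain that will reach the port without anyone having written a rule for it.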


