filtering outgoing packets with SELinux and iptables

Hi, all:

Most of the selinux+iptables guides out there talk about using
iptables to label incoming packets, which would then be either allowed
or denied by the domain of the application.

I want to do it the other way around. Let's say I have a shared web
hosting site where every client's application is running inside its
own SELinux domain (e.g. httpd_myapp_script_t). I would like to be
able to only allow httpd_myapp_script_t to connect to 192.168.1.1 port
443, but not any other IP address. This is actually quite common -- an
application may need to make a REST call to some site, but it really
has no business talking to any other hosts on the net.

I can use the standard approach to allow httpd_myapp_script_t to connect
to httpd_port_t, but this will allow it to talk to any host at all.
How would I write a policy that would label packets going out of
httpd_myapp_script_t (e.g. httpd_myapp_packet_t) and then use OUTPUT
rules to only allow such packets to go out to 192.168.1.1:443?

Has anyone done anything like that?

Best,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
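The setup the post asks about, as an added example (not part of the original message or of any distribution policy): a script that generates a small SELinux policy module defining httpd_myapp_packet_t, plus the mangle-table SECMARK/CONNSECMARK rules that put that label only on connections to 192.168.1.1:443. The domain, packet type, address and port are the ones from the post; the module name myapp_egress, the temporary build directory and the use of the refpolicy devel Makefile are assumptions. SECMARK cannot tell which domain sent a packet, so the restriction works the other way round: only traffic to the allowed destination receives a label the domain may send, and everything else stays unlabeled_t, which the module deliberately does not grant.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Egress allow-list for one
# SELinux domain using SECMARK. Module name and paths are assumptions.

DOMAIN=httpd_myapp_script_t
PKT_TYPE=httpd_myapp_packet_t
DEST_IP=192.168.1.1
DEST_PORT=443
MODULE=myapp_egress   # assumed module name

# Policy module source. It declares the packet type and lets only DOMAIN
# send/receive packets carrying it. Nothing here allows DOMAIN to send
# unlabeled_t packets, so destinations without a label are denied.
myapp_policy_module() {
    cat <<EOF
policy_module($MODULE, 1.0)

require {
    type $DOMAIN;
}

type $PKT_TYPE;
corenet_packet($PKT_TYPE)

allow $DOMAIN $PKT_TYPE:packet { send recv };
EOF
}

# Mangle-table rules. Only NEW connections to DEST_IP:DEST_PORT get the
# label; CONNSECMARK --save stores it on the conntrack entry and --restore
# copies it back onto every later packet of that connection in both directions.
myapp_egress_rules() {
    cat <<EOF
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -p tcp -d $DEST_IP --dport $DEST_PORT -j SECMARK --selctx system_u:object_r:$PKT_TYPE:s0
iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j CONNSECMARK --save
EOF
}

# Build and load the module, then install the rules. Needs root and the
# selinux-policy-devel Makefile; only runs when invoked as "./script apply".
apply_egress_policy() {
    workdir=$(mktemp -d)
    myapp_policy_module > "$workdir/$MODULE.te"
    ( cd "$workdir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$workdir/$MODULE.pp"
    myapp_egress_rules | sh -e
}

if [ "${1:-}" = apply ]; then
    apply_egress_policy
fi
```

Two checks are worth running before trusting this. First, `sesearch -A -s httpd_myapp_script_t -c packet` should list only httpd_myapp_packet_t: if it also shows unlabeled_t (for example because a boolean such as httpd_can_network_connect pulled in the generic "all unlabeled packets" permissions), the allow-list has no effect and that rule set must stay out of the domain. Second, the domain still needs the usual tcp_socket name_connect permission to httpd_port_t mentioned in the post; the packet label is an additional gate, not a replacement. Blocked connections show up in the audit log as AVC denials of class `packet` with the unlabeled_t target, which is also the signal to alert on.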