Re: filtering outgoing packets with SELinux and iptables

On October 23, 2013 11:00 , Mark Montague <mark@xxxxxxxxxxx> wrote:
On October 23, 2013 10:28 , Konstantin Ryabitsev
<icon@xxxxxxxxxxxxxxxxx> wrote:
I would like to be
able to only allow httpd_myapp_script_t to connect to 192.168.1.1 port
443, but not any other IP address. This is actually quite common -- an
application may need to make a REST call to some site, but it really
has no business talking to any other hosts on the net.

# Restrict what things running under php-fpm can access.  We're using a
# local policy named phpfcgi here because Red Hat's policies include an
# alias of httpd_t for phpfpm_t, and if we use that then these rules would
# prevent httpd from communicating with clients.
-N PHPFPM
-A OUTPUT -m selinux --task-ctx system_u:system_r:phpfcgi_t:s0 -j PHPFPM

I should add that the local SELinux policy that I'm using for PHP-FPM is a modified version of prometheanfire's work, which he has previously posted to this list:

https://github.com/prometheanfire/selinux-modules.git

I've renamed the types and added a couple extra allow rules for things that my installation of PHP-FPM needs to be able to do, but none of the modifications are related to restricting network traffic; the magic for that is all in the kernel module and iptables rules.


--
  Mark Montague
  mark@xxxxxxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
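Worked example (added here; it is not code from the thread, from Mark's rules, or from prometheanfire's selinux-modules): a POSIX shell script that generates, and optionally loads, the rest of the OUTPUT filtering the thread describes, so that tasks running in phpfcgi_t can open connections only to 192.168.1.1 port 443. It uses the same -m selinux --task-ctx match as the quoted rules, which is assumed to be available (the thread says that match comes from a separate kernel module, not stock iptables); the chain name PHPFPM, the task context and the destination are taken from the thread. The ESTABLISHED,RELATED rule, the LOG and REJECT rules, the input-validation helpers and the PHPFPM_APPLY switch are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# fragment that confines one SELinux domain to a single TCP destination.
# Assumes the non-mainline "-m selinux --task-ctx" match used in the
# thread is loaded; everything except the OUTPUT jump, the chain name and
# the destination is my addition.

# valid_ipv4 ADDR: true if ADDR is a dotted quad with octets 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    n=0
    oldifs=$IFS
    IFS=.
    for o in $1; do
        n=$((n + 1))
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# valid_port PORT: true if PORT is an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset CONTEXT DST_IP DST_PORT [CHAIN]
# Emits the iptables-restore fragment on stdout. Refuses bad input so we
# never hand iptables-restore a fragment it will abort on halfway through.
build_ruleset() {
    ctx=$1 dst=$2 port=$3 chain=${4:-PHPFPM}
    valid_ipv4 "$dst" || { echo "build_ruleset: bad IPv4 address: $dst" >&2; return 1; }
    valid_port "$port" || { echo "build_ruleset: bad port: $port" >&2; return 1; }
    cat <<EOF
*filter
:${chain} - [0:0]
# Only packets whose sending task runs in ${ctx} are diverted; httpd_t
# is untouched. Inserted at position 1 so an earlier blanket ACCEPT in
# OUTPUT cannot bypass the chain.
-I OUTPUT 1 -m selinux --task-ctx ${ctx} -j ${chain}
# Replies on connections that already exist (e.g. the FastCGI connection
# from httpd) are not new outbound connections; let them through.
-A ${chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The one endpoint the application is allowed to open connections to.
-A ${chain} -d ${dst} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
# Everything else: log (rate limited) and reject, so the application
# fails fast instead of hanging on a silent DROP.
-A ${chain} -m limit --limit 5/min -j LOG --log-prefix "${chain} blocked: "
-A ${chain} -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# apply_ruleset CONTEXT DST_IP DST_PORT [CHAIN]
# Loads the fragment without flushing the rest of the filter table.
# Needs root; assumes the chain does not exist yet.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    rules=$(build_ruleset "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --noflush
}

# The thread's case. Only loaded when PHPFPM_APPLY=1; otherwise the
# fragment is printed for inspection.
if [ "${PHPFPM_APPLY:-0}" = 1 ]; then
    apply_ruleset system_u:system_r:phpfcgi_t:s0 192.168.1.1 443
else
    build_ruleset system_u:system_r:phpfcgi_t:s0 192.168.1.1 443
fi
```

Run it unprivileged to see the generated fragment; set PHPFPM_APPLY=1 and run as root to load it. Two caveats: the allow rule matches by IP, so if the application resolves the REST endpoint by hostname you also have to let phpfcgi_t reach its resolver (UDP and TCP port 53), otherwise the lookup is what gets rejected; and check iptables -L OUTPUT afterwards to confirm the jump sits above any blanket ACCEPT, which is the reason the fragment uses -I OUTPUT 1 rather than -A.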
