Re: filtering outgoing packets with SELinux and iptables

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/23/2013 11:16 AM, Mark Montague wrote:
> On October 23, 2013 11:00 , Mark Montague <mark@xxxxxxxxxxx> wrote:
>> On October 23, 2013 10:28 , Konstantin Ryabitsev <icon@xxxxxxxxxxxxxxxxx>
>> wrote:
>>> I would like to be able to only allow httpd_myapp_script_t to connect
>>> to 192.168.1.1 port 443, but not any other IP address. This is actually
>>> quite common -- an application may need to make a REST call to some
>>> site, but it really has no business talking to any other hosts on the
>>> net.
>> 
>> # Restrict what things running under php-fpm can access.  We're using a
>> # local policy named phpfcgi here because Red Hat's policies include an
>> # alias of httpd_t for phpfpm_t, and if we use that then these rules would
>> # prevent httpd from communicating with clients.
>> -N PHPFPM
>> -A OUTPUT -m selinux --task-ctx system_u:system_r:phpfcgi_t:s0 -j PHPFPM
> 
> I should add that the local SELinux policy that I'm using for PHP-FPM is a 
> modified version of prometheanfire's work, which he has previous posted to
> this list:
> 
> https://github.com/prometheanfire/selinux-modules.git
> 
> I've renamed the types and added a couple extra allow rules for things that
> my installation of PHP-FPM needs to be able to do, but none of the
> modifications are related to restricting network traffic; the magic for
> that is all in the kernel module and iptables rules.
> 
> 
> -- 
> Mark Montague
> mark@xxxxxxxxxxx
> 
> -- 
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
It is better that these types of questions go to the upstream SELinux list
<selinux@xxxxxxxxxxxxx>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJoDmYACgkQrlYvE4MpobOUZwCgp2J9uCiby7hpgdCJ6l+V4IjB
0e0An22kxst8CQsk70mqcftxUyBKmjKi
=/b1Z
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
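An added example (not code from the thread, and not from prometheanfire's or Mark Montague's modules) that completes the rule quoted above into a full filter table answering the original question: let one confined domain reach 192.168.1.1 port 443 and nothing else. It assumes the same out-of-tree `-m selinux --task-ctx` match the thread relies on is built and loaded, that the confined processes really run as `system_u:system_r:httpd_myapp_script_t:s0` (the type named in the question; check with `ps -eZ`), and a chain name `MYAPP` chosen here for illustration. Load it with `iptables-restore`:

```iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MYAPP - [0:0]

# Divert every locally generated packet from the confined domain into its
# own chain. The task-context match is the out-of-tree module from the
# thread (assumption: it is loaded and the context string is exact).
-A OUTPUT -m selinux --task-ctx system_u:system_r:httpd_myapp_script_t:s0 -j MYAPP

# The one destination the script domain has business with: the REST endpoint.
-A MYAPP -p tcp -d 192.168.1.1 --dport 443 -j ACCEPT

# Only needed if the application resolves host names; a literal IP does not.
# -A MYAPP -o lo -p udp --dport 53 -j ACCEPT

# Everything else from that domain: keep a rate-limited sample in the kernel
# log, then REJECT (not DROP) so the application fails fast with a clear
# error instead of hanging until its connect() times out.
-A MYAPP -m limit --limit 5/min -j LOG --log-prefix "myapp-egress-denied: "
-A MYAPP -j REJECT
COMMIT
```

Two checks before trusting it. First, confirm the type you match is not an alias of `httpd_t` (Mark's comment explains why: on Red Hat policy `phpfpm_t` is such an alias, so matching it would also catch httpd and cut it off from its clients); `seinfo -t httpd_myapp_script_t` or a look at your local module tells you whether it is its own type. Second, exercise the rule from inside the domain, for example `runcon system_u:system_r:httpd_myapp_script_t:s0 curl -sS https://192.168.1.1/` versus the same command against any other address, while watching `iptables -L MYAPP -v -n` counters and the `myapp-egress-denied` lines in the kernel log; that `runcon` invocation is an assumption and needs a policy that permits the transition from your shell. Nothing here replaces SELinux policy for sockets: the domain still needs its normal `tcp_socket` permissions, this table only narrows where packets it does send may go.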