On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:

> Hello,
>
> Not sure if this is the best place for n00b questions but here we go:
>
> How can I restrict a port to only a process?
>
> Let's say I have a FOO process that wants to listen to port 2345 and no other process on the machine to listen to it. Is it possible? The way I see it is that unconfined processes would still have access to that port, right?

Hi Andrei!

Yes, you could label a specific port (like: network_port(foo, tcp,2345,s0)) [1] and create an SELinux policy for your daemon (with label foo_t). In this policy you'll add the allow rule to listen just on the port specified by you (like: corenet_tcp_bind_foo_port(foo_t)). Now, process foo_t can listen on the port labeled as foo_port_t, which is what you want.

You can use confined users and disable the unconfined SELinux module to avoid unconfined processes on your system [2].

[1] https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/modules/kernel/corenetwork.te.in#L99
[2] https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html

> My actual problem is that I want to make a mutual TLS connection between 2 unsecured apps that I am not a developer of. The apps (client/server) use a TCP based protocol that is not text based or related to HTTP. So I start a TLS tunnel with stunnel that listens to 2345 on localhost and forwards it to remote_machine port 2345. I want to be certain that no other process can connect to localhost:2345 except my FOO process.
>
> foo_process ---> localhost:2345 ===> remote_machine:2345
>
> ---> is insecure and I want to restrict
> ===> is mutual TLS over the network
>
> Is this possible? Is this a good solution?
>
> Thank you,
> Andrei Petcu

Regards,
Lukas.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
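The steps in Lukas's answer, written out as a loadable policy module. This is an added example, not code from the thread or from the Fedora policy tree: it generates a module source for a hypothetical daemon at /usr/local/bin/foo, running in the domain foo_t, with its own port type foo_port_t (all three names are illustrative). Because a third-party module cannot add a line to corenetwork.te.in, the port type is declared in the module with the refpolicy corenet_port() interface and the port number is attached afterwards with semanage port. The script only writes the source files and prints the build, load and verification commands; it never modifies the running policy, so it can be run on any machine.

```shell
#!/bin/sh
# Added example: generate the SELinux module Lukas describes, for a
# hypothetical daemon. Names (foo, foo_t, foo_port_t, /usr/local/bin/foo)
# are assumptions for illustration only.
set -eu

# Type-enforcement source for a module called "foo".
foo_te() {
cat <<'EOF'
policy_module(foo, 1.0.0)

# Domain for the daemon and the type of its executable.
type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# Port type declared here instead of in corenetwork.te: the port number
# is bound to it later with "semanage port -a", not in the policy source.
type foo_port_t;
corenet_port(foo_port_t)

# Socket lifecycle plus binding to a local address. Only foo_t gets
# name_bind on foo_port_t, so every other *confined* domain is denied
# a bind() on 2345/tcp. (In the stunnel layout from the thread the roles
# flip: the listener's domain needs name_bind, foo_t needs name_connect.)
allow foo_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(foo_t)
allow foo_t foo_port_t:tcp_socket name_bind;
EOF
}

# File context so the binary is labeled foo_exec_t and execve enters foo_t.
foo_fc() {
  printf '%s\n' '/usr/local/bin/foo -- gen_context(system_u:object_r:foo_exec_t,s0)'
}

# Build, load and label. The devel Makefile is needed because policy_module()
# and the corenet_*/init_* calls are m4 macros that checkmodule alone
# does not expand.
apply_cmds() {
cat <<'EOF'
make -f /usr/share/selinux/devel/Makefile foo.pp
semodule -i foo.pp
semanage port -a -t foo_port_t -p tcp 2345
restorecon -v /usr/local/bin/foo
EOF
}

# Checks worth running afterwards: the port mapping exists, the allow rule
# is in the loaded policy, and (the caveat from the answer) whether
# unconfined_t still exists, i.e. whether the unconfined module is loaded.
verify_cmds() {
cat <<'EOF'
semanage port -l | grep foo_port_t
sesearch -A -s foo_t -t foo_port_t -c tcp_socket -p name_bind
seinfo -t unconfined_t
EOF
}

main() {
  workdir=$(mktemp -d)
  foo_te > "$workdir/foo.te"
  foo_fc > "$workdir/foo.fc"
  echo "policy sources written to $workdir; to build and load, run there as root:"
  apply_cmds
  echo "then verify with:"
  verify_cmds
}

main "$@"
```

The rule set is deliberately minimal: with only name_bind granted, a port that is labeled foo_port_t is off limits to every other confined domain, but an unconfined_t process is still allowed to bind or connect to it, which is why the answer points at confined users and removing the unconfined module.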
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx