Re: How can I restrict a port to only a process?

On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
Hi Andrei!
Hello,

Not sure if this is the best place for n00b questions but here we go:

How can I restrict a port to only a process?
Yes,
You could label a specific port (like: network_port(foo, tcp,2345,s0))[1]
and create an SELinux policy for your daemon (with label foo_t).
In this policy you'll add the allow rule to listen just on the port
specified by you (like: corenet_tcp_bind_foo_port(foo_t)).
Now process foo_t can listen on the port labeled as foo_port_t, which is
what you want.
Let's say I have FOO process that wants to listen to port 2345 and no
other process on the machine to listen to it. Is it possible? The way I
see it is that unconfined processes would still have access to that
port, right?
You can use confined users and disable the unconfined SELinux module to
avoid unconfined processes on your system[2].
My actual problem is that I want to make a mutual TLS connection between
2 unsecured apps that I am not a developer of. The apps (client/server)
use a TCP-based protocol that is not text-based or related to HTTP. So I
start a TLS tunnel with stunnel that listens on 2345 on localhost and
forwards it to remote_machine port 2345. I want to be certain that no other
process can connect to localhost:2345 except my FOO process.

foo_process ---> localhost:2345 ===> remote_machine:2345

---> is insecure and I want to restrict
===> is mutual TLS over the network

Is this possible? Is this a good solution?

Thank you,
Andrei Petcu



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
[1]
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/modules/kernel/corenetwork.te.in#L99

[2]
https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html

Regards,
Lukas.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.





Another way, without recompiling the distro policy package, is the following:
in the policy for your daemon you define foo_port_t like:

policy_module(foo, 1.0.0)
...
...

# domain of your daemon
type foo_t;

# private port type; corenet_port() marks it as a port type
type foo_port_t;
corenet_port(foo_port_t)

# only foo_t may bind to ports labeled foo_port_t
allow foo_t foo_port_t:tcp_socket name_bind;


This creates the label for the port you need to specify.
Then, using the semanage tool, add the port type and number to the port label like:
# semanage port -a -t foo_port_t -p tcp 2345

Lukas.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
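As an added example (not code from the thread or from Lukas), the local-module procedure from the message above carried end to end as a script: it generates the .te source, builds and installs the module, assigns the port label with semanage, and then queries the loaded policy to show which domains may bind to and connect to the port. Besides the name_bind rule from the thread it adds the name_connect rule the client side needs, since binding and connecting are separate permissions on a port type. The module name foo_port, the domains foo_t and foo_client_t, and the Fedora/RHEL packages it relies on (selinux-policy-devel for the Makefile, policycoreutils-python-utils for semanage, setools-console for sesearch) are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread or from Lukas: the "local module"
# procedure end to end. It generates the .te source, builds and installs the
# module, assigns the port label with semanage, and then queries the loaded
# policy to show which domains may bind to and connect to the port.
# Assumptions: Fedora/RHEL with selinux-policy-devel (for the Makefile),
# policycoreutils-python-utils (semanage) and setools-console (sesearch);
# the names foo_port, foo_t and foo_client_t are illustrative.
set -eu

MODULE=foo_port
PORT=2345
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Type-enforcement source. The name_bind rule is the one from the thread; the
# name_connect rule is the client-side counterpart, because binding and
# connecting are separate permissions on the port type.
gen_te() {
    cat <<'EOF'
policy_module(foo_port, 1.0.0)

# Private port type. corenet_port() gives it the port_type attribute so that
# semanage can assign a port number to it.
type foo_port_t;
corenet_port(foo_port_t)

# Illustrative domains. A real module also needs entry-point and transition
# rules for them (the "..." in the thread's snippet).
type foo_t;
domain_type(foo_t)
type foo_client_t;
domain_type(foo_client_t)

# Listening side: only foo_t may bind to ports labeled foo_port_t.
allow foo_t self:tcp_socket create_stream_socket_perms;
allow foo_t foo_port_t:tcp_socket name_bind;

# Connecting side: only foo_client_t may connect to ports labeled foo_port_t.
# Other confined domains are denied; unconfined_t is not, unless the
# unconfined module is removed as the thread suggests.
allow foo_client_t self:tcp_socket create_socket_perms;
allow foo_client_t foo_port_t:tcp_socket name_connect;
EOF
}

# Helper used by the self-check: does the generated source contain $1?
te_has_rule() {
    gen_te | grep -Fq -- "$1"
}

# Build the .pp from the .te and load it (needs root for semodule/semanage).
build_and_install() {
    workdir=$(mktemp -d)
    gen_te > "$workdir/$MODULE.te"
    (cd "$workdir" && make -f "$DEVEL_MAKEFILE" "$MODULE.pp")
    semodule -i "$workdir/$MODULE.pp"
    # -a fails if the port already carries a label; use -m to relabel it.
    semanage port -a -t foo_port_t -p tcp "$PORT"
}

# Inspect the loaded policy. The last query is the check that matters for the
# original question: every domain it lists can connect to the port.
verify() {
    echo "== port label"
    semanage port -l | grep foo_port_t
    echo "== who may bind"
    sesearch -A -t foo_port_t -c tcp_socket -p name_bind
    echo "== who may connect"
    sesearch -A -t foo_port_t -c tcp_socket -p name_connect
}

case "${1:-}" in
    te)      gen_te ;;
    install) build_and_install && verify ;;
    verify)  verify ;;
esac
```

Run it as root with `install` once and with `verify` after any later policy change; `te` just prints the source for review. Any domain that shows up in the name_connect query which you did not intend, unconfined_t in particular, means the port is not yet exclusive to the FOO process, which is exactly the point about unconfined domains raised earlier in the thread.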


