Thank you for your reply Lukas,

This seems like what I was looking for. So without removing all the unconfined users and processes I cannot restrict it. I see SELinux policies have only allow and not deny. I wanted something like "deny all domains access to port X except for domain Y". From what I understand this is impossible; I need to check all the other processes' domains and make them more restrictive.

Andrei

On 01/05/2016 07:00 PM, Lukas Vrabec wrote:
> On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
>> On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
>> Hi Andrei!
>>> Hello,
>>>
>>> Not sure if this is the best place for n00b questions but here we go:
>>>
>>> How can I restrict a port to only a process?
>> Yes,
>> You could label a specific port (like: network_port(foo, tcp,2345,s0) )[1]
>> and create an SELinux policy for your daemon (with label foo_t).
>> In this policy you'll add the allow rule to listen just on the port
>> you specified (like: corenet_tcp_bind_foo_port(foo_t) ).
>> Now, process foo_t can listen on the port labeled as foo_port_t. Which is
>> what you want.
>>> Let's say I have a FOO process that wants to listen to port 2345 and no
>>> other process on the machine to listen to it. Is it possible? The way I
>>> see it is that unconfined processes would still have access to that
>>> port, right?
>> You can use confined users and disable the unconfined SELinux module to
>> avoid unconfined processes on your system[2].
>>> My actual problem is that I want to make a mutual TLS connection between
>>> 2 unsecured apps that I am not a developer of. The apps (client/server)
>>> use a TCP based protocol that is not text based or related to HTTP. So I
>>> start a TLS tunnel with stunnel that listens to 2345 on localhost and
>>> forwards it to remote_machine port 2345. I want to be certain that no other
>>> process can connect to localhost:2345 except my FOO process.
>>>
>>> foo_process ---> localhost:2345 ===> remote_machine:2345
>>>
>>> ---> is insecure and I want to restrict
>>> ===> is mutual TLS over the network
>>>
>>> Is this possible? Is this a good solution?
>>>
>>> Thank you,
>>> Andrei Petcu
>>>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>
>> [1] https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/modules/kernel/corenetwork.te.in#L99
>> [2] https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html
>>
>> Regards,
>> Lukas.
>>
>> --
>> Lukas Vrabec
>> SELinux Solutions
>> Red Hat, Inc.
>
> Another way without recompiling the distro policy package is the following:
> In your policy for your daemon you define foo_port_t like:
>
> policy_module(foo, 1.0.0)
> ...
> ...
>
> type foo_t;
>
> type foo_port_t;
> corenet_port(foo_port_t)
>
> allow foo_t foo_port_t:tcp_socket name_bind;
>
> This creates a label for the port you need to specify.
> Then using the semanage tool add the port type and number to the port label like:
> # semanage port -a -t foo_port_t -p tcp 2345
>
> Lukas.
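The thread above, carried through as a complete loadable module (added example, not code from the thread or from the Fedora policy): Lukas's foo_port_t type, the bind and connect rules, the semanage step, and a sesearch check that answers Andrei's closing question by listing every domain still allowed to reach the port. It assumes the selinux-policy-devel Makefile, setools (sesearch), and an assumed program path of /usr/local/bin/foo.

```shell
# Added example, not code from the thread: a complete loadable module built on
# Lukas's foo_port_t approach, plus the build/label/verify steps. Assumes the
# Fedora policy devel Makefile (selinux-policy-devel), setools (sesearch), and
# that the confined program lives at /usr/local/bin/foo (assumed path).
set -eu

# Write foo.te and foo.fc into the directory given as $1.
write_foo_policy() {
  dir="$1"
  cat > "$dir/foo.te" <<'EOF'
policy_module(foo, 1.0.0)

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# Private port type; the port number is attached later with semanage.
type foo_port_t;
corenet_port(foo_port_t)

allow foo_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(foo_t)
# Server side needs name_bind; the client side from the thread (foo connecting
# to stunnel on localhost:2345) needs name_connect. Grant only what foo does.
allow foo_t foo_port_t:tcp_socket { name_bind name_connect };

# Build-time assertion, not a runtime deny: loading fails if any other domain
# still has such a rule, which lists the domains you must restrict first.
# Checked only when expand-check=1 in /etc/selinux/semanage.conf.
# neverallow ~foo_t foo_port_t:tcp_socket { name_bind name_connect };
EOF
  cat > "$dir/foo.fc" <<'EOF'
/usr/local/bin/foo    --    gen_context(system_u:object_r:foo_exec_t,s0)
EOF
}

# Build, load, bind port 2345 to foo_port_t and show who can still reach it (root).
install_foo_policy() {
  dir="$1"
  make -C "$dir" -f /usr/share/selinux/devel/Makefile foo.pp
  semodule -i "$dir/foo.pp"
  semanage port -a -t foo_port_t -p tcp 2345
  restorecon -v /usr/local/bin/foo
  semanage port -l | grep foo_port_t
  # Andrei's question in policy terms: every domain allowed to connect to the
  # port. Under the targeted policy, unconfined_t still shows up here.
  sesearch -A -t foo_port_t -c tcp_socket -p name_connect
}
```

Run `write_foo_policy ./foo && install_foo_policy ./foo` as root; the sesearch output is the list of domains that still need confining before the port is truly exclusive.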