Re: How can I restrict a port to only a process?

On 01/12/2016 07:03 PM, Andrei Cristian Petcu wrote:
Thank you for your reply Lukas,
This seems like what I was looking for.

So without removing all the unconfined users and processes I cannot
restrict it. I see SELinux policies have only allow and not deny.


Policy logic is that what is *not* allowed is denied by default. But you can use neverallow rules. This kind of rule never allows a specific rule, even if you allow it somewhere in the policy. You can try this. But I prefer using confined users on your system.


I wanted something like "deny all domains access to port X except for
domain Y". From what I understand this is impossible, I need to check
all the other processes' domains and make them more restrictive.

Andrei

On 01/05/2016 07:00 PM, Lukas Vrabec wrote:
On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
Hi Andrei!
Hello,

Not sure if this is the best place for n00b questions but here we go:

How can I restrict a port to only a process?
Yes,
You could label a specific port (like: network_port(foo, tcp,2345,s0) )[1]
and create an SELinux policy for your daemon (with label foo_t).
In this policy you'll add the allow rule to listen just on the port
specified by you (like: corenet_tcp_bind_foo_port(foo_t) ).
Now, process foo_t can listen on the port labeled as foo_port_t, which is
what you want.
Let's say I have FOO process that wants to listen to port 2345 and no
other process on the machine to listen to it. Is it possible? The way I
see it is that unconfined processes would still have access to that
port, right?
You can use confined users and disable the unconfined SELinux module to
avoid unconfined processes on your system[2].
My actual problem is that I want to make a mutual TLS connection between
2 unsecured apps that I am not a developer of. The apps (client/server)
use a TCP based protocol that is not text based or related to HTTP. So I
start a TLS tunnel with stunnel that listens on 2345 on localhost and
forwards it to remote_machine port 2345. I want to be certain that no other
process can connect to localhost:2345 except my FOO process.

foo_process ---> localhost:2345 ===> remote_machine:2345

---> is insecure and I want to restrict
===> is mutual TLS over the network

Is this possible? Is this a good solution?

Thank you,
Andrei Petcu



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx

[1]
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/modules/kernel/corenetwork.te.in#L99


[2]
https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html


Regards,
Lukas.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.


Another way without recompiling the distro policy package is the following:
In your policy for your daemon you define foo_port_t like:

policy_module(foo, 1.0.0)
...
...

type foo_t;

# private port type; corenet_port() adds the port_type attribute to it
type foo_port_t;
corenet_port(foo_port_t)

# only the foo_t domain may bind (listen) on ports labeled foo_port_t
allow foo_t foo_port_t:tcp_socket name_bind;


This creates the label for the port you need to specify.
Then, using the semanage tool, add the port type and number to the port label like:
# semanage port -a -t foo_port_t -p tcp 2345

Lukas.
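A worked version of Lukas's second approach, combined with the neverallow rule he mentions earlier in the thread, as an added example that is not part of the original mails: it writes the module, builds it with the selinux-policy-devel Makefile (an assumption; the thread only shows the semanage step), loads it and labels tcp/2345. The foo_exec_t type, the file names and the sesearch check are also assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal foo module with its own
# port type, installed and tied to tcp/2345. foo_t, foo_port_t, port 2345 and
# the semanage command come from the thread; the module layout, file names and
# the build via the selinux-policy-devel Makefile are assumptions.
set -e
write_foo_te() {   # $1 = path of the .te file to write
  cat > "$1" <<'EOF'
policy_module(foo, 1.0.0)

require {
    attribute domain;
}

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# private port type; corenet_port() gives it the port_type attribute
type foo_port_t;
corenet_port(foo_port_t)

# only foo_t may listen on a port labeled foo_port_t
allow foo_t foo_port_t:tcp_socket name_bind;

# build-time assertion, not a runtime deny: installing the module fails if
# any other domain (unconfined_t, or anything granted bind on all ports) is
# allowed to bind it. Skipped if expand-check=0 in /etc/selinux/semanage.conf.
neverallow { domain -foo_t } foo_port_t:tcp_socket name_bind;
EOF
}

# Compile with the selinux-policy-devel Makefile (expands the m4 interfaces),
# load the module and map tcp/2345 to the new type.
install_foo() {
  make -f /usr/share/selinux/devel/Makefile foo.pp
  semodule -i foo.pp
  semanage port -a -t foo_port_t -p tcp 2345
}

# What is actually enforced: the port mapping and every domain allowed to bind.
show_foo() {
  semanage port -l | grep foo_port_t
  sesearch -A -t foo_port_t -c tcp_socket -p name_bind
}

if [ "${1:-}" = "install" ]; then
  write_foo_te foo.te && install_foo && show_foo
fi
```

Run it as `sh foo_port.sh install` on the target host as root; if the neverallow assertion trips at install time, the sesearch output from a plain allow-only module shows exactly which other domains still hold name_bind on the port.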