Re: How can I restrict a port to only a process?

Thank you. That's what I understood from the documentation and I wanted to make sure I got it right.
It is actually more logical this way, especially with tools like audit2allow.

Andrei

On January 12, 2016 11:36:38 PM GMT+02:00, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
On 01/12/2016 09:29 PM, Lukas Vrabec wrote:
On 01/12/2016 07:03 PM, Andrei Cristian Petcu wrote:
Thank you for your reply Lukas,
This seems like what I was looking for.

So, without removing all the unconfined users and processes, I cannot
restrict it. I see SELinux policies have only allow and not deny.


Policy logic is that what is *not* allowed is denied by default. But you can
use neverallow rules. This kind of rule never allows a specific rule, even
if you allow it somewhere in the policy. You can try this.

Sorry, after some discussion with plautrba, this will not work. Use
confined users instead.

But I prefer using confined users on your system.


I wanted something like "deny all domains access to port X except for
domain Y". From what I understand this is impossible; I need to check
all the other processes' domains and make them more restrictive.

Andrei

On 01/05/2016 07:00 PM, Lukas Vrabec wrote:
On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
Hi Andrei!
Hello,

Not sure if this is the best place for n00b questions but here we go:

How can I restrict a port to only a process?
Yes,
You could label a specific port (like: network_port(foo, tcp,2345,s0))[1]
and create an SELinux policy for your daemon (with label foo_t).
In this policy you'll add the allow rule to listen just on the port
specified by you (like: corenet_tcp_bind_foo_port(foo_t)).
Now process foo_t can listen on a port labeled as foo_port_t, which is
what you want.
Let's say I have a FOO process that wants to listen on port 2345 and no
other process on the machine to listen on it. Is it possible? The way I
see it is that unconfined processes would still have access to that
port, right?
You can use confined users and disable the unconfined SELinux module to
avoid unconfined processes on your system [2].
My actual problem is that I want to make a mutual TLS connection between
2 unsecured apps that I am not a developer of. The apps (client/server)
use a TCP based protocol that is not text based or related to HTTP. So I
start a TLS tunnel with stunnel that listens on 2345 on localhost and
forwards it to remote_machine port 2345. I want to be certain that no
other process can connect to localhost:2345 except my FOO process.

foo_process ---> localhost:2345 ===> remote_machine:2345

---> is insecure and I want to restrict
===> is mutual TLS over the network

Is this possible? Is this a good solution?
Thank you,
Andrei Petcu



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx


[1] https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/modules/kernel/corenetwork.te.in#L99
[2] https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html



Regards,
Lukas.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.







Another way, without recompiling the distro policy package, is the following:
In the policy for your daemon you define foo_port_t like:

policy_module(foo, 1.0.0)
...
...

# domain of the daemon (the rest of its declaration is in the elided part above)
type foo_t;

# port type for the daemon's own port; corenet_port() gives it the
# port_type attribute so the core network interfaces recognise it
type foo_port_t;
corenet_port(foo_port_t)

# only foo_t may bind a TCP socket to a port labelled foo_port_t
allow foo_t foo_port_t:tcp_socket name_bind;


This creates the label for the port you need to specify.
Then, using the semanage tool, add the port type and number to the port label like:
# semanage port -a -t foo_port_t -p tcp 2345

Lukas.








Regards,
Lukas.



--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
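An added check, not part of the thread above, that a practitioner would run after loading Lukas's foo module and labelling 2345/tcp as foo_port_t: it reads the allow rules that sesearch (setools 4) prints for foo_port_t and lists every other domain that can still name_bind to that port type, which is where the unconfined domains discussed in the thread show up. The function names audit_port_binders and audit_sample are mine, and the sample rule lines are constructed, not taken from a real policy.

```shell
#!/bin/sh
# Added example (not from the thread): after loading the foo module and
# labelling 2345/tcp as foo_port_t, list every source domain or attribute
# that can still name_bind a tcp_socket to that port type.
#
# Input: allow rules as printed by setools 4:
#   sesearch -A -t foo_port_t -c tcp_socket -p name_bind
# i.e. "allow SRC TGT:CLASS PERM;" or "allow SRC TGT:CLASS { P1 P2 };".
# sesearch by default also matches rules whose target is an attribute that
# contains foo_port_t (port_type, given by corenet_port), so rules granted
# to unconfined domains on port_type appear here too: exactly the gap the
# thread is about.

# audit_port_binders EXPECTED_DOMAIN  < rules
# Prints "SRC via TGT" for each binder other than EXPECTED_DOMAIN.
audit_port_binders() {
    awk -v expected="$1" '
        $1 != "allow" { next }
        {
            split($3, tc, ":")              # "foo_port_t:tcp_socket"
            if (tc[2] != "tcp_socket") next
            perms = ""
            for (i = 4; i <= NF; i++) perms = perms " " $i
            gsub(/[{};]/, " ", perms)       # "{ name_bind name_connect };" -> words
            if (index(" " perms " ", " name_bind ") == 0) next
            if ($2 == expected) next
            key = $2 " via " tc[1]
            if (!seen[key]++) print key
        }'
}

# Constructed sample of what sesearch might print on a targeted-policy box;
# the unconfined_t line is the kind of rule the thread warns about.
SAMPLE_RULES='allow foo_t foo_port_t:tcp_socket name_bind;
allow unconfined_t port_type:tcp_socket { name_bind name_connect };
allow foo_t foo_port_t:udp_socket name_bind;
allow sshd_t foo_port_t:tcp_socket name_connect;'

# Wrapper so the result can be checked as a value rather than only printed.
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | audit_port_binders foo_t
}

audit_sample
```

On a live system, pipe `sesearch -A -t foo_port_t -c tcp_socket -p name_bind` into `audit_port_binders foo_t`; an empty result means only foo_t can bind the port.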
