On 03/11/2011 07:08 PM, Mark Montague wrote:
Fedora 14, httpd is working correctly, however the httpd_can_network_connect boolean grants more access than I want. I'd like httpd to be able to open connections on any port, but only via a specific network interface (lo0) and no others (eth0, etc.), while still accepting HTTP connections on all interfaces.
I've set up iptables to label all packets in and out of the loopback interface:
iptables -t mangle -A INPUT -i lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
iptables -t mangle -A OUTPUT -o lo -j SECMARK --selctx system_u:object_r:loopback_packet_t:s0
and have permitted httpd to send and receive these:
allow httpd_t loopback_packet_t:packet { send recv };
allow httpd_sys_script_t loopback_packet_t:packet { send recv };
But the problem is that this does not permit httpd to connect:
type=AVC msg=audit(1299866424.466:17033): avc: denied { name_connect } for pid=28402 comm="test-script" dest=9000 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
Adding the following TE rule of course permits httpd to connect via any interface (equivalent to turning on httpd_can_network_connect):
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
What am I missing? Any suggestions? I've searched the web but haven't found anything. Thanks in advance for any help.
I do not have much experience with networking and dwalsh probably has a better solution, but consider the following:
You can label network interfaces (semanage interface ...), see man semanage.
the netif (network interface) object class takes the following permissions (tcp example) ( tcp_send tcp_recv egress ingress )
domains by default can sendrecv ( tcp_send tcp_recv egress ingress ) (also udp) generic network interfaces (netif_t:netif)
So you could maybe declare one or more new network interface object types.
label your network interfaces with the new types using semanage interface
then use the tcp_send tcp_recv egress ingress permissions to achieve what you want (I am guessing you can use egress / ingress to allow input / output)
Problem is that if you label your interfaces, no domain can use them unless you allow it.
May or may not work...
For UDP it's:
send: udp_send egress
receive: udp_recv ingress
I think you can use (example netif_lo_t):
network_interface(lo, lo, s0 - mls_systemhigh)
to declare a network interface type (the above example is for mls)
or maybe just:
type mynetworkinterface_t, netif_type;
... works just fine
Again, not sure if this will help you achieve what you want, but it should give you some more control. I guess it's worth a try.
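The module the reply sketches, written out as an added example that is not code from the thread: it assumes the names httpd_lo and httpd_lo_netif_t, and that the questioner's loopback_packet_t type is already declared in his policy.

```shell
#!/bin/sh
# Added example (not from the thread): writes the policy module the reply
# sketches, a dedicated netif type for lo granted to httpd only, and shows how
# it is built and how the interface gets labelled. The names httpd_lo and
# httpd_lo_netif_t are assumed; loopback_packet_t is the questioner's own type.
set -e

OUT_DIR="${OUT_DIR:-./httpd_lo_policy}"
TE_FILE="$OUT_DIR/httpd_lo.te"

write_te() {
    mkdir -p "$OUT_DIR"
    cat > "$TE_FILE" <<'EOF'
policy_module(httpd_lo, 1.0)

require {
    type httpd_t, httpd_sys_script_t, http_port_t;
    type loopback_packet_t;
    attribute netif_type;
}

# Own interface type for lo. Once lo carries it, no domain can use lo unless
# it is granted netif permissions on this type (the caveat in the reply), so
# every other domain that needs lo must get an allow rule here too.
type httpd_lo_netif_t, netif_type;

allow { httpd_t httpd_sys_script_t } httpd_lo_netif_t:netif { tcp_send tcp_recv egress ingress };
# SECMARK label applied by the iptables rules in the question
allow { httpd_t httpd_sys_script_t } loopback_packet_t:packet { send recv };

# name_connect is checked against the port type, not the interface, so the
# AVC in the question still needs this rule; any per-interface restriction
# comes only from which netif types httpd is allowed to use.
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
EOF
}

# Build, install and label lo (root, selinux-policy-devel); only with --apply.
apply() {
    cd "$OUT_DIR"
    make -f /usr/share/selinux/devel/Makefile httpd_lo.pp
    semodule -i httpd_lo.pp
    semanage interface -a -t httpd_lo_netif_t lo
}

# Check the generated source for a literal fragment (exit 0 when present).
te_has() { grep -qF -- "$1" "$TE_FILE"; }

write_te
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run without arguments it only writes the .te source for inspection; `--apply` builds, installs and relabels lo on the host.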
-- Mark Montague mark@catseye.org
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux