On October 23, 2013 11:00 , Mark Montague mark@catseye.org wrote:
On October 23, 2013 10:28 , Konstantin Ryabitsev icon@fedoraproject.org wrote:
I would like to be able to only allow httpd_myapp_script_t to connect to 192.168.1.1 port 443, but not any other IP address. This is actually quite common -- an application may need to make a REST call to some site, but it really has no business talking to any other hosts on the net.
# Restrict what things running under php-fpm can access. We're using a # local policy named phpfcgi here because Red Hat's policies include an # alias of httpd_t for phpfpm_t, and if we use that then these rules would # prevent httpd from communicating with clients. -N PHPFPM -A OUTPUT -m selinux --task-ctx system_u:system_r:phpfcgi_t:s0 -j PHPFPM
I should add that the local SELinux policy that I'm using for PHP-FPM is a modified version of prometheanfire's work, which he has previous posted to this list:
https://github.com/prometheanfire/selinux-modules.git
I've renamed the types and added a couple extra allow rules for things that my installation of PHP-FPM needs to be able to do, but none of the modifications are related to restricting network traffic; the magic for that is all in the kernel module and iptables rules.
-- Mark Montague mark@catseye.org