fedora-selinux March 2011 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: Restrict httpd network connections to a spec

Re: Restrict httpd network connections to a specific network interface?

From: Dominick Grift <domg472_at_nospam>
Date: Sun Mar 13 2011 - 18:18:23 GMT
To: selinux@lists.fedoraproject.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/13/2011 07:15 PM, Mark Montague wrote:
> On March 11, 2011 13:38 , Dominick Grift <domg472@gmail.com> wrote:
>> On 03/11/2011 07:08 PM, Mark Montague wrote:
>>> Fedora 14, httpd is working correctly, however the
>>> httpd_can_network_connect boolean grants more access than I want. I'd
>>> like httpd to be able to open connections on any port, but only via a
>>> specific network interface (lo0) and no others (eth0, etc.), while still
>>> accepting HTTP connections on all interfaces.
>>>
>>>
>>>
>>>
>>> So you could maybe declare one or more new network interface object types.
>>>
>>> label your network interfaces with the new types using semanage interface
>>>
>>> then use the tcp_send tcp_recv egress ingress permissions to achieve
>>> what you want ( i am guessing you can use egress / ingress to allow
>>> input /output)
>
> Thanks for the reply, Dominic. I added the following as a local module:
>
> type loopbackif_t;
> allow httpd_t loopbackif_t : netif {tcp_send tcp_recv egress ingress };
> allow httpd_sys_script_t loopbackif_t : netif {tcp_send tcp_recv egress
> ingress};
>
> And then ran:
>
> semanage interface -a -t loopbackif_t lo
>
> Unfortunately, the result is the same as for labeling packets on the
> interface: No traffic is allowed through because httpd does not have
> permission for name_connect. And if I add a rule to permit this
> (equivalent to setting the httpd_can_network_connect boolean) then httpd
> can connect via ALL interfaces, not just via the loopback interface.

Yes but can it also use the connection? I mean if it can name_connect
but not really use the connection because it cant egress, ingress or
whatever then you may be able to achieve your goals also.

not sure though.

> Does anyone have any other ideas or suggestions? In the meantime, I'll
> investigate whether it might be possible to change the targeted policy
> for httpd to use only packet labels for controlling network traffic
> instead of limiting system calls and ports.
>
> --
> Mark Montague
> mark@catseye.org
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk19Cm8ACgkQMlxVo39jgT979wCfV+GmwAfFRRQ3LVaR7QVDLBsY
qpcAoK+ccfrKmseIWRgGLq/kyKJ/QDNw
=Cj7h
-----END PGP SIGNATURE-----
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux