fedora-selinux January 2012 archive

adding port restrictions to policy generated by sepolgen

From: Michael Atighetchi <matighet_at_nospam>
Date: Wed Jan 11 2012 - 12:54:32 GMT
To: selinux@lists.fedoraproject.org

Hi,

I have a question about how to restrict network access via SELinux. I
generated a policy via sepolgen on Fedora 14, and there are some network-
specific rules and macros in it, for example:

corenet_tcp_bind_generic_node(CZtp_t)
corenet_tcp_connect_postgresql_port(CZtp_t)
corenet_tcp_connect_vnc_port(CZtp_t)
corenet_udp_bind_generic_node(CZtp_t)

allow CZtp_t self:tcp_socket { setopt read bind create accept write
getattr connect shutdown getopt listen };
allow CZtp_t self:udp_socket { setopt read bind create ioctl write
getattr connect getopt };

Here is what I would like to change:
1) Restrict privs so that the process can only bind to a specific custom
port, e.g., 2222 (controlled by my app)
2) Restrict privs so that the only processes on the local machine
allowed to connect to this port are in the same domain as the process that
created the listening socket (same policy as above)

Is this doable?

-- 
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@bbn.com

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
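The two restrictions asked for above are done in SELinux by giving the application its own port type: the domain gets name_bind only on that type (so it can bind only to ports carrying that label), and only the same domain gets name_connect on it (so other confined domains cannot connect). The script below is an added example written for this page, not a reply from the list and not part of the poster's sepolgen output. It assumes the port type name czt_port_t and the module name czt_port, both made up here; CZtp_t and port 2222 are taken from the post. It writes a small supplementary module that sits beside the generated one, builds it with the Fedora policy devel Makefile, labels TCP port 2222, and then checks the result.

```shell
#!/bin/sh
# Added example (not the original poster's code): supplementary SELinux
# module that confines CZtp_t to its own TCP port type.
# Assumed names: czt_port_t (port type) and czt_port (module name).
set -eu

APP_DOMAIN=CZtp_t      # domain declared by the sepolgen-generated module
PORT_TYPE=czt_port_t   # assumed name for the new port type
PORT=2222              # the application's custom port (from the post)

# Write czt_port.te into directory $1. The module only requires CZtp_t; it
# does not redeclare the domain, so it loads alongside the generated module.
write_module() {
    cat > "$1/czt_port.te" <<EOF
policy_module(czt_port, 1.0.0)

require {
    type ${APP_DOMAIN};
}

# Dedicated port type. corenet_port() attaches the port_type attribute,
# which semanage requires before it will label a port with this type.
type ${PORT_TYPE};
corenet_port(${PORT_TYPE})

# 1) The domain may bind only to ports labelled ${PORT_TYPE}. For that to be
#    the only port it can bind, the generated module must not also call
#    corenet_tcp_bind_generic_port() or corenet_tcp_bind_all_unreserved_ports().
allow ${APP_DOMAIN} ${PORT_TYPE}:tcp_socket name_bind;

# 2) Only ${APP_DOMAIN} gets name_connect on ${PORT_TYPE}. Any other confined
#    domain connecting to port ${PORT} is denied name_connect on tcp_socket.
allow ${APP_DOMAIN} ${PORT_TYPE}:tcp_socket name_connect;
EOF
}

# Build, load and label the port. Needs root and the selinux-policy-devel
# package, which ships /usr/share/selinux/devel/Makefile on Fedora.
install_module() {
    ( cd "$1" \
      && make -f /usr/share/selinux/devel/Makefile czt_port.pp \
      && semodule -i czt_port.pp )
    # Use "semanage port -m" instead of "-a" if port ${PORT} is already defined.
    semanage port -a -t "${PORT_TYPE}" -p tcp "${PORT}"
}

# Confirm the port label and the two allow rules in the loaded policy.
verify() {
    semanage port -l | grep "${PORT_TYPE}"
    sesearch --allow -s "${APP_DOMAIN}" -t "${PORT_TYPE}" -c tcp_socket
}

# Run as: sh czt_port.sh install
if [ "${1:-}" = "install" ]; then
    workdir=$(mktemp -d)
    write_module "$workdir"
    install_module "$workdir"
    verify
fi
```

Two caveats. The connect restriction is keyed on the port label, so it holds only against domains that lack a broad rule such as corenet_tcp_connect_all_ports; unconfined_t, for example, can still connect, and hosts elsewhere on the network are not subject to this machine's policy at all. Also, only the bind and connect port rules change here: whatever node, interface or sendrecv rules the generated module already carries (corenet_tcp_bind_generic_node and friends) are still needed and should stay.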