fedora-selinux January 2012 archive

Re: adding port restrictions to policy generated by sepolgen

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Wed Jan 11 2012 - 16:16:51 GMT
To: Michael Atighetchi <matighet@bbn.com>

On 01/11/2012 07:54 AM, Michael Atighetchi wrote:
> Hi,
>
> I have a question about how to restrict network access via
> SELinux. I generated a policy via sepolgen on Fedora 14, and there
> are some network-specific rules and macros in it, for example:
>
> corenet_tcp_bind_generic_node(CZtp_t)
> corenet_tcp_connect_postgresql_port(CZtp_t)
> corenet_tcp_connect_vnc_port(CZtp_t)
> corenet_udp_bind_generic_node(CZtp_t)
>
> allow CZtp_t self:tcp_socket { setopt read bind create accept write getattr connect shutdown getopt listen };
> allow CZtp_t self:udp_socket { setopt read bind create ioctl write getattr connect getopt };
>
> Here is what I would like to change:
>
> 1) Restrict privs so that the process can only bind to a specific
> custom port, e.g., 2222 (controlled by my app)
> 2) Restrict privs so that the only processes on the local machine
> allowed to connect to this port are in the same domain as the
> process that created the listening socket (same policy as above)
>
> Is this doable?
>
Creating a daemon that can only bind to port 2222 is very doable.

sepolgen will only set up a framework for writing policy; it cannot
handle all situations. (selinux-polgengui can handle this one, BTW.)

http://danwalsh.livejournal.com/10607.html explains how to do this.

Preventing all other domains from connecting to port 2222 is much
more difficult. You might have to turn on seclabel to achieve this,
since there are many domains that are allowed to connect to all ports.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
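
The port restriction discussed in this thread, sketched as an added example that is not part of the original messages or of the linked article. It assumes the sepolgen-generated module is named CZtp; the port type name CZtp_port_t is hypothetical.

```te
# Additions to the sepolgen-generated CZtp.te (added example).
# CZtp_port_t is a hypothetical type name chosen for this illustration.

# Declare a dedicated port type for the application's listener.
type CZtp_port_t;
corenet_port(CZtp_port_t)

# Allow the daemon to bind TCP sockets only to ports labeled CZtp_port_t.
allow CZtp_t CZtp_port_t:tcp_socket name_bind;

# bind() is checked against the node as well as the port, so the
# node rule from the generated policy stays in place.
corenet_tcp_bind_generic_node(CZtp_t)

# Review the generated module for broader bind interfaces such as
# corenet_tcp_bind_generic_port() or corenet_tcp_bind_all_ports();
# if either is granted to CZtp_t, the daemon is not confined to 2222.

# After building the module, load it and label the port (as root):
#   semodule -i CZtp.pp
#   semanage port -a -t CZtp_port_t -p tcp 2222
#   semanage port -l | grep CZtp_port_t
```

This covers only the first request (binding); it does not stop other domains that are allowed to connect to all ports from reaching port 2222.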