fedora-selinux January 2012 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: adding port restrictions to policy generated

Re: adding port restrictions to policy generated by sepolgen

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Wed Jan 11 2012 - 18:45:55 GMT
To: Mr Dash Four <mr.dash.four@googlemail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/11/2012 12:22 PM, Mr Dash Four wrote:
>
>> Preventing all other domains from connecting to port 2222, is
>> much more difficult.
> No, it's not! I have a very similar setup to what Michael describes
> in his post. This was prompted by a common theme running through
> all Fedora net policies for granting permissions to defined ports
> regardless of whether they are actually used/needed or not,
> including access to all ports - something which I was deeply
> unhappy about, though I accept that selinux-policy(-targeted) is
> not defined just for the set of machines I deploy, but for millions
> of other users, so that's fair enough, I
suppose.
>
> To avoid granting such permissions willy-nilly I redefined two
> aspects of the "default" Fedora policies: I've included a
> definition of a new type called 'pk_type' (instead of the
> "standard" packet_type used) and 'prt_type' (instead of the
> "standard" port_type). There are, generally speaking, 4 files
> responsible for all net policy definitions and further macro
> generation used throughout: corenetwork.te{.in,.m4} as well as
> corenetwork.if{.in,.m4}, so all I had to do is extend these
> definitions for the custom-defined prt_type and pk_type for the
> (custom) ports/packets used on my system (that would be 2222 in
> Michael's case) and that would be that, assuming he also alters the
> policy (or policies) of the domains who need access to this
> particular port - that is
crucial.
>
Sounds good, could you get this upstreamed. My only problem would be
with unconfined_domains, since I am not crazy about confining
something we say is unconfined. Secondly you might want to allow
processes to connect to port 2222 on a different machine but not at
localhost.

>> You might have to turn on seclabel to achieve this. Since there
>> are many domains that are allowed to connect to all ports.
>>
> If seclabel is used, then a simple re-definition of pk_type from
> the "standard" packet_type would be enough. A word of warning
> though: "packet_type" is a parent of "server_packet_type" and
> "client_packet_type", so these types would also need to be
> redefined in order for packet_type restrictions to be useful. Also,
> simply redefining server_packet_type or client_packet_type won't be
> enough because I found that there are domains with "grant"
> permissions to the base
"packet_type".
>

Yes I have changed some of this handling in Fedora but not upstreamed
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8N2OMACgkQrlYvE4MpobOUIgCgix7jDjz2PaxK/CR1wFPNRu2i
xeMAoOvBYQOyk0H5AVMGLJBaO6wNIQ61
=mQiK
-----END PGP SIGNATURE-----
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux