Thank you for your reply Lukas,
This seems like what I was looking for.
So without removing all the unconfined users and processes I cannot
restrict it. I see SELinux policies have only allow and not deny.
I wanted something like "deny all domains access to port X except for
domain Y". From what I understand this is impossible, I need to check
all the other processes' domains and make them more restrictive.
Andrei
On 01/05/2016 07:00 PM, Lukas Vrabec wrote:
On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
> On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
> Hi Andrei!
>> Hello,
>>
>> Not sure if this is the best place for n00b questions but here we go:
>>
>> How can I restrict a port to only a process?
> Yes,
> You could label a specific port (like: network_port(foo, tcp, 2345, s0))[1]
> and create an SELinux policy for your daemon (with label foo_t).
> In this policy you'll add the allow rule to listen just on the port
> you specified (like: corenet_tcp_bind_foo_port(foo_t)).
> Now, process foo_t can listen on the port labeled as foo_port_t, which is
> what you want.
>> Let's say I have FOO process that wants to listen to port 2345 and no
>> other process on the machine to listen to it. Is it possible? The way I
>> see it is that unconfined processes would still have access to that
>> port, right?
> You can use confined users and disable the unconfined SELinux module to
> avoid unconfined processes on your system[2].
>> My actual problem is that I want to make a mutual TLS connection between
>> 2 unsecured apps that I am not a developer of. The apps (client/server)
>> use a TCP based protocol that is not text based or related to HTTP. So I
>> start a TLS tunnel with stunnel that listens on 2345 on localhost and
>> forwards it to remote_machine port 2345. I want to be certain that no
>> other process can connect to localhost:2345 except my FOO process.
>>
>> foo_process ---> localhost:2345 ===> remote_machine:2345
>>
>> ---> is insecure and I want to restrict
>> ===> is mutual TLS over the network
>>
>> Is this possible? Is this a good solution?
>>
>> Thank you,
>> Andrei Petcu
>>
>>
>>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>>
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>>
> [1]
>
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy...
>
>
> [2]
>
https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Adm...
>
>
> Regards,
> Lukas.
>
> --
> Lukas Vrabec
> SELinux Solutions
> Red Hat, Inc.
>
>
>
Another way, without recompiling the distro policy package, is the following:
In the policy for your daemon you define foo_port_t like:
policy_module(foo, 1.0.0)
...
...
type foo_t;
# own port type; corenet_port() gives it the port_type attribute
type foo_port_t;
corenet_port(foo_port_t)
# only foo_t may bind (listen on) ports labeled foo_port_t
allow foo_t foo_port_t:tcp_socket name_bind;
This creates the label for the port you need.
Then, using the semanage tool, map the port number to that port type like:
# semanage port -a -t foo_port_t -p tcp 2345
Lukas.
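The approach Lukas describes (a custom port type plus a semanage port mapping), carried through for Andrei's stunnel scenario as an added example; this is not code from the thread or from the Fedora policy. It assumes, for illustration only, that the client binary is /usr/local/bin/foo running in a domain foo_t, that the tunnel runs in the distro's stunnel_t domain, and that selinux-policy-devel provides /usr/share/selinux/devel/Makefile. Because foo connects to localhost:2345 while stunnel binds it, the port-specific rules are name_connect for foo_t and name_bind for stunnel_t. The install step ends with a sesearch query that shows the limitation Andrei points out: without removing the unconfined module, unconfined_t can still reach the port.

```bash
#!/bin/bash
# Added example, not code from the thread or from the Fedora policy: a small
# module implementing Lukas's approach for Andrei's stunnel scenario.
# Assumptions (not from the thread): the binary lives at /usr/local/bin/foo,
# its domain is foo_t, the tunnel is the distro's stunnel_t domain, and
# selinux-policy-devel provides /usr/share/selinux/devel/Makefile.
set -eu

# Writes foo.te and foo.fc into directory $1.
write_foo_policy() {
    local dir=$1
    cat > "$dir/foo.te" <<'EOF'
policy_module(foo, 1.0.0)

# stunnel_t is declared by the distro's stunnel module (assumed to be loaded).
require {
    type stunnel_t;
}

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# Own port type; corenet_port() adds the port_type attribute that
# "semanage port" requires before it will map a number to the type.
type foo_port_t;
corenet_port(foo_port_t)

# Generic socket plumbing for foo_t (what the thread elided with "...").
allow foo_t self:tcp_socket create_stream_socket_perms;
corenet_all_recvfrom_unlabeled(foo_t)
corenet_all_recvfrom_netlabel(foo_t)
corenet_tcp_sendrecv_generic_if(foo_t)
corenet_tcp_sendrecv_generic_node(foo_t)

# The port-specific rules: only foo_t may connect to the tunnel entry
# point and only stunnel_t may bind it. SELinux has no deny rule, so
# unconfined_t keeps whatever its own module grants it.
allow foo_t foo_port_t:tcp_socket name_connect;
allow stunnel_t foo_port_t:tcp_socket name_bind;
EOF
    cat > "$dir/foo.fc" <<'EOF'
/usr/local/bin/foo    --    gen_context(system_u:object_r:foo_exec_t,s0)
EOF
}

# Returns 0 when foo.te grants name_connect on foo_port_t to foo_t and to
# no other explicitly named domain.
check_policy_text() {
    local te=$1
    grep -qE '^allow foo_t foo_port_t:tcp_socket name_connect;' "$te" &&
    [ "$(grep -cE '^allow [A-Za-z0-9_]+ foo_port_t:tcp_socket name_connect;' "$te")" -eq 1 ]
}

# Builds, loads and labels tcp/2345; needs root. Skipped where the SELinux
# tooling is absent so the script still runs on a non-SELinux box.
install_foo_policy() {
    local dir=$1
    if ! command -v semodule >/dev/null 2>&1; then
        echo "no SELinux tooling found; skipping install"
        return 0
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile foo.pp )
    semodule -i "$dir/foo.pp"
    semanage port -a -t foo_port_t -p tcp 2345
    # Check the label landed, then list every domain that may still
    # name_connect to it; on a stock system that list includes
    # unconfined_t, which is exactly the limitation Andrei notes.
    semanage port -l | grep foo_port_t
    sesearch -A -t foo_port_t -c tcp_socket -p name_connect
}

main() {
    local dir=${1:-$(mktemp -d)}
    write_foo_policy "$dir"
    check_policy_text "$dir/foo.te" && echo "module source written to $dir"
    if [ "${2:-}" = install ]; then
        install_foo_policy "$dir"
    fi
}

main "$@"
```

Run it as `./foo-policy.sh /tmp/foo` to only generate the module source, or `./foo-policy.sh /tmp/foo install` as root to build, load and label the port. If tcp/2345 already has a mapping, `semanage port -a` refuses and `semanage port -m` is needed instead. The foo_t rule only helps if foo actually runs in foo_t: a copy of the binary launched from an unconfined shell with no domain transition stays unconfined_t, which is the case that confined users and dropping the unconfined module address.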