On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
Hi Andrei!
> Hello,
>
> Not sure if this is the best place for n00b questions but here we go:
>
> How can I restrict a port to only a process?
Yes.
You could label a specific port (like: network_port(foo, tcp,2345,s0) )[1]
and create an SELinux policy for your daemon (with label foo_t).
In this policy you'll add the allow rule to listen just on the port
specified by you (like: corenet_tcp_bind_foo_port(foo_t) ).
Now process foo_t can listen on the port labeled as foo_port_t, which is
what you want.
> Let's say I have FOO process that wants to listen to port 2345 and no
> other process on the machine to listen to it. Is it possible? The way I
> see it is that unconfined processes would still have access to that
> port, right?
You can use confined users and disable the unconfined SELinux module to
avoid unconfined processes on your system[2].
> My actual problem is that I want to make a mutual TLS connection between
> 2 unsecured apps that I am not a developer of. The apps (client/server)
> use a TCP based protocol that is not text based or related to HTTP. So I
> start a TLS tunnel with stunnel that listens on 2345 on localhost and
> forwards it to remote_machine port 2345. I want to be certain that other
> process can connect to localhost:2345 except my FOO process.
>
> foo_process ---> localhost:2345 ===> remote_machine:2345
>
> ---> is insecure and I want to restrict
> ===> is mutual TLS over the network
>
> Is this possible? Is this a good solution?
>
> Thank you,
> Andrei Petcu
>
>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
[1] https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy...
[2] https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Adm...
Regards,
Lukas.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
Another way, without recompiling the distro policy package, is the following:
In your policy for your daemon you define foo_port_t like:
policy_module(foo, 1.0.0)
...
...
# the daemon's domain
type foo_t;
# the port label; corenet_port() adds it to the port_type attribute
type foo_port_t;
corenet_port(foo_port_t)
# only foo_t may bind a TCP socket to a port labelled foo_port_t
allow foo_t foo_port_t:tcp_socket name_bind;
This creates the label for the port you need to specify.
Then, using the semanage tool, add the port type and number to the port label like:
# semanage port -a -t foo_port_t -p tcp 2345
Lukas.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
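After loading a module like the one above and running the semanage command, the two things worth verifying are that tcp/2345 really carries foo_port_t and that foo_t is the only domain allowed to name_bind it (the unconfined-domain caveat from the first reply shows up exactly here, because unconfined_t gets name_bind through the port_type attribute). The following checker is an added example, not code from the thread or from the selinux-policy project. It assumes the line shapes printed by `semanage port -l` and by `sesearch -A -c tcp_socket -p name_bind -t foo_port_t`, and treats the narrowest matching port entry as the effective label (a simplification of the kernel's first-match portcon lookup); the sample outputs embedded below are constructed for illustration.

```python
"""Audit one TCP port: is it labelled as intended, and who may bind it?

Added example for the selinux list thread above; not the project's code.
Assumed input shapes: `semanage port -l` lines of the form
"<type> <proto> <port or range>[, ...]" and sesearch allow rules of the form
"allow <src> <tgt>:<class> <perm | { perms }>;".
"""
import re
from typing import List, Set, Tuple

# Constructed `semanage port -l` sample (not real system output).
SAMPLE_PORTS = """\
SELinux Port Type              Proto    Port Number

foo_port_t                     tcp      2345
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767, 61000-65535
unreserved_port_t              udp      1024-32767, 61000-65535
"""

# Constructed sesearch sample for target foo_port_t. The second line is the
# kind of rule an unconfined domain holds via the port_type attribute.
SAMPLE_RULES = """\
allow foo_t foo_port_t:tcp_socket name_bind;
allow unconfined_t port_type:tcp_socket { name_bind name_connect };
allow sshd_t port_type:tcp_socket name_connect;
"""

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);")


def port_types(semanage_text: str, proto: str, port: int) -> List[str]:
    """Every port type whose entry covers proto/port, narrowest entry first
    (a single port sorts before a range), so element 0 is the effective label."""
    hits: List[Tuple[int, str]] = []
    for line in semanage_text.splitlines():
        parts = line.split(None, 2)
        # header, blank lines and other protocols fail this filter
        if len(parts) != 3 or parts[1] != proto:
            continue
        ptype, _, numbers = parts
        for item in numbers.split(","):
            lo, _, hi = item.strip().partition("-")
            low, high = int(lo), int(hi or lo)
            if low <= port <= high:
                hits.append((high - low, ptype))
    return [ptype for _, ptype in sorted(hits)]


def binders(sesearch_text: str) -> Set[str]:
    """Source domains (or attributes, reported as-is) granted
    tcp_socket name_bind in the sesearch output."""
    sources: Set[str] = set()
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src, _tgt, cls, perms = m.groups()
        if cls == "tcp_socket" and "name_bind" in perms.strip("{} ").split():
            sources.add(src)
    return sources


def audit(semanage_text: str, sesearch_text: str, port: int,
          expected_type: str, expected_domain: str) -> Tuple[bool, List[str]]:
    """(ok, findings): ok only when the port carries expected_type and
    expected_domain is the sole name_bind source in the rule listing."""
    findings: List[str] = []
    types = port_types(semanage_text, "tcp", port)
    effective = types[0] if types else "none"
    if effective != expected_type:
        findings.append(f"tcp/{port} is labelled {effective}, expected {expected_type}")
    for src in sorted(binders(sesearch_text) - {expected_domain}):
        findings.append(f"{src} may also name_bind {expected_type}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = audit(SAMPLE_PORTS, SAMPLE_RULES, 2345, "foo_port_t", "foo_t")
    print("OK" if ok else "NOT restricted:")
    for f in findings:
        print("  -", f)
```

On a live system, feed `audit()` the real text, e.g. `subprocess.check_output(["semanage", "port", "-l"], text=True)` and the corresponding `sesearch` output; with the constructed sample it reports that unconfined_t can also bind the port, which is the case the first reply addresses by removing the unconfined module. An attribute such as `domain` showing up as a binder should be read the same way: resolve its members with `seinfo -a <attr> -x` before deciding the port is restricted.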