[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)
- From: Stephen Smalley <sds tycho nsa gov>
- To: Development discussions related to Fedora <fedora-devel-list redhat com>
- Cc: Daniel Walsh <dwalsh redhat com>
- Subject: Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)
- Date: Fri, 24 Jul 2009 15:53:19 -0400
On Fri, 2009-07-24 at 15:47 -0400, Casey Dahlin wrote:
> A couple of mentions of SELinux have cropped up in the FireKit thread, which got me thinking about the Firewall and SELinux and ways in which they are similar. I had the following thought:
>
> SELinux already has a lot of policy information from which we might like to determine whether ports should be open to a particular program. The simplest mechanism I can see for doing that is to allow SELinux context to be referenced in the firewall rules. This prevents either system from having to be grotesquely modified.
>
> An example rule might look like this:
>
> -A INPUT -Z apache_t -j ACCEPT
>
> Here we tell the firewall to allow incoming traffic that will be intercepted in userspace by a process in the apache_t context.
>
> This does break in at least one way from traditional SELinux policy: something external to SELinux is interpreting the meaning of the context. The firewall rules can change while the actual SELinux policy stays put. I don't know how serious a problem that is (if it is one).
>
> Thoughts?
SECMARK already allows you to label packets using iptables and then use
SELinux policy to control sending or receiving them.
http://paulmoore.livejournal.com/4281.html
There are also the name_connect and name_bind controls that regulate the
ability to connect or bind to specific ports via policy.
--
Stephen Smalley
National Security Agency
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]