Firewall rules using SELinux context (Was Re: RFE: FireKit)

Steve Grubb sgrubb at redhat.com
Fri Jul 24 20:55:23 UTC 2009


On Friday 24 July 2009 04:56:51 pm Casey Dahlin wrote:
> > Just because selinux has policy doesn't mean the app is installed.
>
> If the app is not installed nothing is running in its context, so none of
> the rules will ever trigger.

If the attacker can work out the chain of allowed transitions, they can enter 
that context.


> >> The simplest mechanism I can see for doing that is to allow SELinux
> >> context to be referenced in the firewall rules. This prevents either
> >> system from having to be grotesquely modified.
> >>
> >> An example rule might look like this:
> >>
> >> -A INPUT -Z apache_t -j ACCEPT
> >>
> >> Here we tell the firewall to allow incoming traffic that will be
> >> intercepted in userspace by a process in the apache_t context.
> >
> > I don't like this. It's not tying to any port. For example, suppose there
> > is a vulnerability in cups and apache is not running, the cups app could
> > start listening on other ports and the rule would allow connections.
>
> Only if cups were running in the apache_t context.

I don't think I explained it well. I was thinking what if you had this rule:

-A INPUT -Z cups_t -j ACCEPT

and then cups was compromised and started listening on port 80. Since the 
above rule has no port restrictions and cups is allowed to accept connections, 
would cups now be able to start serving web pages?

-Steve
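As an added illustration of the port-restriction question raised in the message above (this is not code from the thread, from iptables or from any Fedora tool), the following Python model evaluates rule lists written in the `-Z <context>` syntax that the quoted proposal sketches. The `-Z` option does not exist in iptables; the `Rule` type, the `parse_rule`/`verdict` functions and the listening-socket scenarios are all constructed for this example. It contrasts a context-only rule with the same rule carrying a `--dport` restriction, so the "compromised cups listening on port 80" case can be checked directly.

```python
"""Toy model of the '-Z <selinux context>' firewall-rule proposal.

Added illustration only: '-Z' is the syntax proposed in the quoted mail and is
not a real iptables option.  A rule list is evaluated against a listening
socket described by (SELinux domain of the process, TCP port), first match
wins, and the chain policy applies when nothing matches.
"""
import re
from typing import Dict, List, Optional, NamedTuple, Tuple


class Rule(NamedTuple):
    context: Optional[str]  # SELinux domain of the receiving process, or None for any
    dport: Optional[int]    # destination port, or None for any port
    target: str             # ACCEPT or DROP


# Hypothetical syntax from the thread: -A INPUT [-Z ctx] [-p tcp --dport N] -j TARGET
RULE_RE = re.compile(
    r"^-A INPUT"
    r"(?: -Z (?P<ctx>\w+))?"
    r"(?: -p tcp --dport (?P<port>\d+))?"
    r" -j (?P<target>ACCEPT|DROP)$"
)


def parse_rule(line: str) -> Rule:
    """Parse one rule in the proposed syntax into a Rule tuple."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    port = m.group("port")
    return Rule(m.group("ctx"), int(port) if port else None, m.group("target"))


def verdict(rules: List[Rule], context: str, port: int, policy: str = "DROP") -> str:
    """First matching rule decides, like an iptables chain; `policy` is the chain default."""
    for r in rules:
        if r.context is not None and r.context != context:
            continue
        if r.dport is not None and r.dport != port:
            continue
        return r.target
    return policy


# Constructed scenarios: which domain ends up listening on which port.
SCENARIOS: Dict[str, Tuple[str, int]] = {
    "cups listening on 631": ("cups_t", 631),
    "compromised cups listening on 80": ("cups_t", 80),
    "apache listening on 80": ("apache_t", 80),
}

# The rule from the message, and the same rule tied to the IPP port.
CONTEXT_ONLY = [parse_rule("-A INPUT -Z cups_t -j ACCEPT")]
CONTEXT_AND_PORT = [parse_rule("-A INPUT -Z cups_t -p tcp --dport 631 -j ACCEPT")]


def compare(rulesets: Dict[str, List[Rule]],
            scenarios: Dict[str, Tuple[str, int]] = SCENARIOS) -> Dict[str, Dict[str, str]]:
    """Return {ruleset name: {scenario: verdict}} for every scenario."""
    return {
        name: {label: verdict(rules, ctx, port) for label, (ctx, port) in scenarios.items()}
        for name, rules in rulesets.items()
    }


if __name__ == "__main__":
    results = compare({"context only": CONTEXT_ONLY, "context and port": CONTEXT_AND_PORT})
    for name, by_scenario in results.items():
        print(name)
        for label, v in by_scenario.items():
            print(f"  {label:36} {v}")
```

With the context-only rule the compromised cups_t process is accepted on port 80, which is the concern raised above; adding `--dport 631` leaves it dropped while legitimate IPP traffic is still accepted. The apache_t scenario is dropped under both lists because neither names that domain, which is the other point made in the quoted exchange: a rule for a context nothing is running in never matches.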
