Firewall rules using SELinux context (Was Re: RFE: FireKit)

Casey Dahlin cdahlin at redhat.com
Fri Jul 24 20:56:51 UTC 2009


On 07/24/2009 04:44 PM, Steve Grubb wrote:
> On Friday 24 July 2009 03:47:51 pm Casey Dahlin wrote:
>> A couple of mentions of SELinux have cropped up in the FireKit thread,
>> which got me thinking about the Firewall and SELinux and ways in which they
>> are similar. I had the following thought:
>>
>> SELinux already has a lot of policy information from which we might like to
>> determine whether ports should be open to a particular program.
> 
> Just because selinux has policy doesn't mean the app is installed.
> 

If the app is not installed, nothing is running in its context, so none of the rules will ever trigger.

> 
>> The simplest mechanism I can see for doing that is to allow SELinux context
>> to be referenced in the firewall rules. This prevents either system from
>> having to be grotesquely modified.
>>
>> An example rule might look like this:
>>
>> -A INPUT -Z apache_t -j ACCEPT
>>
>> Here we tell the firewall to allow incoming traffic that will be
>> intercepted in userspace by a process in the apache_t context.
> 
> I don't like this. It's not tying to any port. For example, suppose there is a 
> vulnerability in cups and apache is not running, the cups app could start 
> listening on other ports and the rule would allow connections.
> 

Only if cups were running in the apache_t context.

You seem to not quite be getting what I'm saying. What is it you expect that rule /does/ accomplish if not prevent the situation you describe?

--CJD
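An added example, not part of this thread or of any FireKit code: the `-Z apache_t` option above is hypothetical and does not exist in iptables. What Linux already provides for tying firewall rules to SELinux is the netfilter SECMARK and CONNSECMARK targets: the firewall labels packets arriving on a port with a packet type, and SELinux policy decides which domains may receive packets carrying that label. That couples the port and the domain, which is the objection raised above, because a process in another domain listening on the same port is denied at the `packet recv` check even though the port is open. The script below only emits the iptables-restore fragment and the matching policy allow rule to stdout; applying them needs root, a SELinux kernel with the xt_SECMARK/xt_CONNSECMARK modules, and a policy that defines the packet type. The type name `http_server_packet_t` and domain `httpd_t` are assumed to exist in the loaded policy (they do in the Fedora reference policy), and are used here as assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: label packets on a TCP port with an
# SELinux packet type (SECMARK) and let policy restrict which domain may
# receive them. The -Z option from the e-mail is hypothetical; these targets
# are the real netfilter mechanism.

# Emit an iptables-restore fragment for the mangle table.
#   $1 = TCP port to label
#   $2 = SELinux packet type (type field only; assumed to exist in policy)
secmark_rules() {
    port=$1
    ptype=$2
    cat <<EOF
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Re-apply the label saved on an existing connection to every later packet.
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
# Label new packets to the port with the packet type, then save the label on
# the conntrack entry so replies and follow-up packets inherit it.
-A INPUT -p tcp --dport $port -m state --state NEW -j SECMARK --selctx system_u:object_r:$ptype:s0
-A INPUT -p tcp --dport $port -m state --state NEW -j CONNSECMARK --save
COMMIT
EOF
}

# Emit the policy allow rule that lets one domain send and receive packets
# carrying the label. Any other domain bound to the same port (for instance a
# compromised cupsd in cups_t) lacks this permission and is denied.
#   $1 = process domain, $2 = packet type
te_rules() {
    domain=$1
    ptype=$2
    printf 'allow %s %s:packet { recv send };\n' "$domain" "$ptype"
}

# Print both fragments; apply with
#   secmark_rules 80 http_server_packet_t | iptables-restore --noflush
# and compile the allow rule into a policy module, as root on a SELinux host.
secmark_rules 80 http_server_packet_t
te_rules httpd_t http_server_packet_t
```

One caveat worth knowing before loading such rules: as soon as any SECMARK rule is present, every packet the kernel sees carries a label (unlabeled ones become `unlabeled_t`) and the `packet` class is enforced for all domains, so a policy that does not grant `recv` on unlabeled or labeled packets to the daemons actually in use will start producing AVC denials for unrelated traffic.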



