Hello,
Not sure if this is the best place for n00b questions but here we go:
How can I restrict a port to only a process? Let's say I have a FOO process that wants to listen to port 2345 and no other process on the machine to listen to it. Is it possible? The way I see it is that unconfined processes would still have access to that port, right?
My actual problem is that I want to make a mutual TLS connection between 2 unsecured apps that I am not a developer of. The apps (client/server) use a TCP based protocol that is not text based or related to HTTP. So I start a TLS tunnel with stunnel that listens to 2345 on localhost and forwards it to remote_machine port 2345. I want to be certain that no other process can connect to localhost:2345 except my FOO process.
foo_process ---> localhost:2345 ===> remote_machine:2345
---> is insecure and I want to restrict
===> is mutual TLS over the network
Is this possible? Is this a good solution?
Thank you, Andrei Petcu
On 01/02/2016 04:59 PM, Andrei Cristian Petcu wrote:
Hi Andrei!
Hello,
Not sure if this is the best place for n00b questions but here we go:
How can I restrict a port to only a process?
Yes, you could label a specific port (like: network_port(foo, tcp,2345,s0) )[1] and create an SELinux policy for your daemon (with label foo_t). In this policy you add the allow rule to listen only on the port you specified (like: corenet_tcp_bind_foo_port(foo_t) ). Now process foo_t can listen on the port labeled foo_port_t, which is what you want.
Let's say I have a FOO process that wants to listen to port 2345 and no other process on the machine to listen to it. Is it possible? The way I see it is that unconfined processes would still have access to that port, right?
You can use confined users and disable the unconfined SELinux module to avoid unconfined processes on your system[2].
My actual problem is that I want to make a mutual TLS connection between 2 unsecured apps that I am not a developer of. The apps (client/server) use a TCP based protocol that is not text based or related to HTTP. So I start a TLS tunnel with stunnel that listens to 2345 on localhost and forwards it to remote_machine port 2345. I want to be certain that no other process can connect to localhost:2345 except my FOO process.
foo_process ---> localhost:2345 ===> remote_machine:2345
---> is insecure and I want to restrict
===> is mutual TLS over the network
Is this possible? Is this a good solution?
Thank you, Andrei Petcu
-- selinux mailing list selinux@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
[1] https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mo...
[2] https://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Admini...
Regards, Lukas.
On 01/05/2016 11:40 AM, Lukas Vrabec wrote:
Yes, you could label a specific port (like: network_port(foo, tcp,2345,s0) )[1] and create an SELinux policy for your daemon (with label foo_t). In this policy you add the allow rule to listen only on the port you specified (like: corenet_tcp_bind_foo_port(foo_t) ). Now process foo_t can listen on the port labeled foo_port_t, which is what you want.
-- Lukas Vrabec SELinux Solutions Red Hat, Inc.
Another way, without recompiling the distro policy package, is the following: in the policy for your daemon you define foo_port_t like:

policy_module(foo, 1.0.0)
...
...
type foo_t;
# port label; corenet_port() gives it the port_type attribute
type foo_port_t;
corenet_port(foo_port_t)
# only foo_t may listen on ports labeled foo_port_t
allow foo_t foo_port_t:tcp_socket name_bind;

This creates the label for the port you need to specify. Then, using the semanage tool, add the port type and number to the port label like:

# semanage port -a -t foo_port_t -p tcp 2345
Lukas.
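As an added example that is not code from the thread or from the distro policy, here is the complete module that the snippet above sketches, extended to the connecting side Andrei actually asked about: a confined client domain foo_t, the only domain this module grants name_connect to foo_port_t; a name_bind rule for the stunnel listener; the build, install and semanage steps; and the sesearch check that shows which other domains can still reach the port. The binary path /usr/local/bin/foo, the module name foo, port 2345 and the stunnel_t domain name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the distro policy.  Assumptions:
# the confined client lives at /usr/local/bin/foo, the module is named "foo",
# the port is 2345 and stunnel runs in the stunnel_t domain of the distro policy.
set -eu

PORT=2345

# Write foo.te and foo.fc into the directory given as $1.
write_policy_sources() {
    dir=$1
    cat > "$dir/foo.te" <<'EOF'
policy_module(foo, 1.0.0)

########################################
# Declarations

# Client domain: entered when init runs /usr/local/bin/foo (foo_exec_t).
type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# Port label for 2345.  corenet_port() gives it the port_type attribute; the
# number itself is attached later with "semanage port".
type foo_port_t;
corenet_port(foo_port_t)

########################################
# foo_t: connect to the local stunnel listener on foo_port_t.

allow foo_t self:tcp_socket create_stream_socket_perms;
allow foo_t foo_port_t:tcp_socket name_connect;
corenet_tcp_sendrecv_generic_if(foo_t)
corenet_tcp_sendrecv_generic_node(foo_t)

files_read_etc_files(foo_t)
miscfiles_read_localization(foo_t)
logging_send_syslog_msg(foo_t)

########################################
# Listener: stunnel must be allowed to bind the port.  Assumes the stunnel_t
# domain from the distro policy; the block is skipped if that type is absent.

optional_policy(`
    gen_require(`
        type stunnel_t;
    ')
    allow stunnel_t foo_port_t:tcp_socket name_bind;
')
EOF
    cat > "$dir/foo.fc" <<'EOF'
/usr/local/bin/foo    --    gen_context(system_u:object_r:foo_exec_t,s0)
EOF
}

# Build the module with the selinux-policy-devel Makefile, load it, attach the
# port number to foo_port_t and relabel the client binary.  Needs root.
build_and_install() {
    dir=$1
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile foo.pp)
    semodule -i "$dir/foo.pp"
    semanage port -a -t foo_port_t -p tcp "$PORT"
    restorecon -v /usr/local/bin/foo
}

# Show who can reach the port.  sesearch matches targets indirectly through
# attributes, so domains granted name_connect on the port_type attribute
# (unconfined_t among them) are listed as well: that is the gap confined
# users close, not something this module can close on its own.
verify() {
    semanage port -l | grep foo_port_t
    sesearch -A -t foo_port_t -c tcp_socket -p name_connect
    sesearch -A -t foo_port_t -c tcp_socket -p name_bind
}

case "${1:-}" in
    write)   write_policy_sources "${2:-.}" ;;
    install) build_and_install "${2:-.}" ;;
    verify)  verify ;;
    *)       ;;   # no argument: only define the functions
esac
```

Run it as "sh foo-policy.sh write ./foo", then "sh foo-policy.sh install ./foo" as root, then "sh foo-policy.sh verify". Denials for foo_t that the module does not yet cover show up in the audit log and can be turned into rules with audit2allow; the second sesearch line is the one to read against the question in the thread, since any domain it lists besides foo_t can still open localhost:2345.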
Thank you for your reply Lukas, This seems like what I was looking for.
So without removing all the unconfined users and processes I cannot restrict it. I see SELinux policies have only allow and not deny. I wanted something like "deny all domains access to port X except for domain Y". From what I understand this is impossible; I need to check all the other processes' domains and make them more restrictive.
Andrei
On 01/05/2016 07:00 PM, Lukas Vrabec wrote:
On 01/12/2016 07:03 PM, Andrei Cristian Petcu wrote:
Thank you for your reply Lukas, This seems like what I was looking for.
So without removing all the unconfined users and processes I cannot restrict it. I see SELinux policies have only allow and not deny.
The policy logic is that what is *not* allowed is denied by default. But you can use neverallow rules. This kind of rule never allows a specific rule, even if you allow it somewhere in the policy. You can try this. But I prefer using confined users on your system.
I wanted something like "deny all domains access to port X except for domain Y". From what I understand this is impossible; I need to check all the other processes' domains and make them more restrictive.
Andrei
Regards, Lukas.
On 01/12/2016 09:29 PM, Lukas Vrabec wrote:
On 01/12/2016 07:03 PM, Andrei Cristian Petcu wrote:
Thank you for your reply Lukas, This seems like what I was looking for.
So without removing all the unconfined users and processes I cannot restrict it. I see SELinux policies have only allow and not deny.
The policy logic is that what is *not* allowed is denied by default. But you can use neverallow rules. This kind of rule never allows a specific rule, even if you allow it somewhere in the policy. You can try this.
Sorry, after some discussion with plautrba, this will not work. Use confined users instead.
But I prefer using confined users on your system.
Regards, Lukas.
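Lukas points to confined users twice, in his first reply and again here after withdrawing the neverallow idea. As an added example that is not code from the thread, this script audits which Linux logins still map to unconfined_u, using a constructed sample of "semanage login -l" output so the check runs offline, and on request applies the mappings and the unconfined-module disable the Fedora guide in [2] describes. The mapping choices (sysadm_u for root, user_u for everyone else) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.  Audits and (on request) applies
# the "confined users" setup Lukas recommends.  Target mappings below are
# assumptions: root -> sysadm_u, everyone else (__default__) -> user_u.
set -eu

# Constructed sample of "semanage login -l" output in the Fedora layout, so
# the audit can be exercised without root or a live policy store.
SAMPLE_LOGINS=$(cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
EOF
)

# Print the login names whose SELinux user is unconfined_u, one per line.
# Reads "semanage login -l" output on stdin and skips the header line.
unconfined_logins() {
    awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# Live check on this host: which logins still land in an unconfined domain,
# and what the current shell runs as.  Every login printed by the first
# command can run processes that reach any port type, foo_port_t included.
audit_live() {
    semanage login -l | unconfined_logins
    id -Z
}

# Apply the mappings and disable the unconfined module.  Needs root; keep a
# second SSH session open until you have confirmed you can still log in.
confine_logins() {
    semanage login -m -s sysadm_u -r 's0-s0:c0.c1023' root
    semanage login -m -s user_u   -r 's0' __default__
    setsebool -P ssh_sysadm_login on   # sysadm_u cannot ssh in otherwise
    semodule -d unconfined             # see [2] for the relabel/reboot steps
}

case "${1:-}" in
    audit) audit_live ;;
    apply) confine_logins ;;
    *)     ;;   # no argument: only define the functions
esac
```

"sh confine.sh audit" should print nothing before "id -Z" once every login has been moved off unconfined_u; until then the names it prints are the accounts whose processes can still connect to the port regardless of how narrowly the foo module is written.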
Thank you. That's what I understood from the documentation and I wanted to make sure I got it right. It is actually more logical this way, especially with tools like audit2allow.
Andrei
On January 12, 2016 11:36:38 PM GMT+02:00, Lukas Vrabec lvrabec@redhat.com wrote: