Firewall rules using SELinux context (Was Re: RFE: FireKit)

Roland McGrath roland at redhat.com
Fri Jul 24 20:33:50 UTC 2009


It sounds like something that looks at an SELinux policy's rules for SECMARK
and generates corresponding iptables rules would amount to the same thing
you have in mind.  Since you load new SELinux policy in a big static-switch
sort of way, it doesn't seem much different in a way you could discern whether
you actually have the firewall driven off the AVC stuff "dynamically" or if
you just "statically" generate a set of firewall rules based on SELinux policy.

I suppose you could just integrate this into iptables userland so that the
"-Z" syntax you suggested would just look up current SELinux policy for
everything with that label and generate corresponding rules, though you
might want those rules marked somehow so that a policy reload
automagically regenerated them.  OTOH, it seems fine enough to me to just
leave that in scriptland, so "service iptables reload" recomputes from the
current SELinux policy, and maybe the normal ways to install a policy change
do that automatically.

Perhaps the difference is that you have the firewall ports open even when
nothing running has those ports bound.  Actually, I'm not sure if that
wouldn't have been true with what you suggested anyway.  A lax SELinux
policy might be allowing anyone to bind to the SECMARK labels for those
ports, not just the daemon you have in mind.  (i.e. the targeted policy
uses SECMARK to constrain that daemon to binding only those particular
ports, but doesn't prevent random unconstrained_t processes from binding
them.)


Thanks,
Roland
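As an added illustration of the "statically generate firewall rules from SELinux policy" idea discussed above (example code, not part of the original message or of any Fedora tool): the script below parses `semanage port -l` style output and emits iptables SECMARK rules for the ports a chosen set of port types covers. The mapping from `foo_port_t` to a packet label `foo_server_packet_t` and the sample listing are assumptions, not something the post specifies.

```python
"""Generate iptables SECMARK rules from SELinux port labelling.

Assumptions (not from the original post): input is in the text format of
`semanage port -l`, and packets arriving on a port of type TYPE_port_t are
labelled TYPE_server_packet_t (a naming convention; adjust to the policy
in use).  Rules go into the mangle table so SELinux packet rules can act
on the label; nothing here opens or closes a port by itself.
"""
import re
from typing import Iterator

# Constructed sample of `semanage port -l` output; not taken from a live host.
SAMPLE_SEMANAGE = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
ephemeral_port_t               tcp      32768-60999
"""

LINE_RE = re.compile(r"^(\S+_port_t)\s+(tcp|udp)\s+(.+)$")


def parse_semanage(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (port_type, proto, port_spec) for each data line.

    semanage writes ranges as '32768-60999'; iptables --dport wants
    '32768:60999', so the separator is converted here.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or unexpected line
        port_type, proto, ports = m.groups()
        for spec in ports.split(","):
            yield port_type, proto, spec.strip().replace("-", ":")


def secmark_rules(text: str, port_types: set[str], chain: str = "INPUT") -> list[str]:
    """Emit one SECMARK rule per labelled port or range of the given types.

    Restricting to `port_types` matters because policy labels ports for
    daemons that may not be installed; marking all of them would, as the
    post notes, apply rules for services nothing actually binds.
    """
    rules = []
    for port_type, proto, spec in parse_semanage(text):
        if port_type not in port_types:
            continue
        # Assumed convention: foo_port_t -> foo_server_packet_t.
        ctx = "system_u:object_r:%s:s0" % port_type.replace("_port_t", "_server_packet_t")
        rules.append("iptables -t mangle -A %s -p %s --dport %s -j SECMARK --selctx %s"
                     % (chain, proto, spec, ctx))
    return rules
```

Regenerating these rules on every policy load (e.g. from a `service iptables reload` hook) is what keeps them in step with the loaded policy, as the message suggests.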
