Limiting IPC with SELinux?

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 14 21:31:16 UTC 2005


On Thu, 2005-04-14 at 16:33 -0400, Steve Brueckner wrote:
> I need to lock down the local interprocess communications (sockets, pipes,
> shared memory...) for a few untrusted applications under the targeted
> policy.  For example, I want to write policies for Mozilla and Eclipse such
> that Eclipse may connect to Mozilla's tcp socket 80 via loopback, but
> Eclipse may not connect to any other process's tcp socket 80 via loopback.
> Same thing goes for other methods of IPC.  

You mean apache rather than mozilla, right?

> I suspect this means I have to figure out how to label sockets and the like
> with special contexts as they are created.  Am I on the right track here?
> If so, how would I adjust my policies to label these IPC resources on a
> per-process basis?  Or is this not do-able with SELinux?  

You can control network communication (loopback or otherwise) via the
permission checks between the sending socket security context and the
security contexts of the network interface, the destination host, and
the destination port.  These are the netif and node tcp_send permissions
and the tcp_socket send_msg permission.  Sockets are labeled in
accordance with the creating process, so you just need to define a
domain for eclipse.
  
> What I'm proposing here is a little more involved than most of the SELinux
> documentation I've found online, so any good resources would be appreciated.
> Of course, the more that is spelled out for me in a direct reply the bigger
> my head start will be.  At this point I don't even know where to begin.

Possible resources:
- The RHEL4 SELinux Guide,
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
- Understanding and Customizing the Apache HTTP SELinux Policy,
http://fedora.redhat.com/docs/selinux-apache-fc3/
- Sourceforge SELinux HOWTOs,
http://sourceforge.net/docman/?group_id=21266
- SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty,
http://www.oreilly.com/catalog/selinux/
- Tresys Technology Policy Writing Course Slides,
http://www.tresys.com/selinux/selinux-course-outline.html
- Configuring the SELinux Policy,
http://www.nsa.gov/selinux/papers/policy2-abs.cfm

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
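
Added example, not part of the original message or of any shipped policy: a policy fragment showing the three checks named in the reply (netif tcp_send, node tcp_send, tcp_socket send_msg) for a domain that may only talk TCP over loopback to the HTTP port. The domain name eclipse_t is hypothetical; netif_lo_t, node_lo_t and http_port_t are assumed to be the labels your policy's network contexts give to the lo interface, 127.0.0.1 and tcp port 80, so check them against your own policy. The domain transition that puts Eclipse into eclipse_t is not shown.

```selinux
# Hypothetical domain for Eclipse. Sockets are labeled from the creating
# process, so every socket Eclipse opens carries eclipse_t.
type eclipse_t, domain;

# Let the domain create and use its own TCP sockets.
allow eclipse_t self:tcp_socket { create connect read write getattr setattr shutdown };

# Check 1: network interface. Only the loopback interface label is allowed.
allow eclipse_t netif_lo_t:netif { tcp_send tcp_recv };

# Check 2: destination host (node). Only the loopback address label is allowed.
allow eclipse_t node_lo_t:node { tcp_send tcp_recv };

# Check 3: destination port. Only the port type assumed to cover tcp/80.
# Port labels are assigned per protocol and port number, not per listening
# process.
allow eclipse_t http_port_t:tcp_socket { send_msg recv_msg };

# No allow rules exist for any other netif, node or port type, so TCP
# traffic from eclipse_t to them is denied once the domain is enforced.
```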




More information about the fedora-selinux-list mailing list