[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Limiting IPC with SELinux?

My understanding of the inner workings of SELinux is fairly limited, so
please speak slowly to me.  I'm getting the hang of basic file and device
access, but I'm not so good with the other resources SELinux controls.

I need to lock down the local interprocess communications (sockets, pipes,
shared memory...) for a few untrusted applications under the targeted
policy.  For example, I want to write policies for Mozilla and Eclipse such
that Eclipse may connect to Mozilla's tcp socket 80 via loopback, but
Eclipse may not connect to any other process's tcp socket 80 via loopback.
Same thing goes for other methods of IPC.  

I suspect this means I have to figure out how to label sockets and the like
with special contexts as they are created.  Am I on the right track here?
If so, how would I adjust my policies to label these IPC resources on a
per-process basis?  Or is this not do-able with SELinux?  

What I'm proposing here is a little more involved than most of the SELinux
documentation I've found online, so any good resources would be appreciated.
Of course, the more that is spelled out for me in a direct reply the bigger
my head start 
will be.  At this point I don't even know where to begin.

By the way, is the Fedora list or the NSA list more appropriate for this
sort of question?  I hate to double-post, but I want good exposure.


Stephen Brueckner, ATC-NY

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]