using selinux to allow only certain hosts or networks

Doug Sikora dsikora at redhat.com
Thu Dec 11 19:44:20 UTC 2008


Thanks Stephen,

Is there another option for sending/receiving packets?
In this situation, I would like both.

I did get this information from Forrest (Thanks again Forrest) concerning the base policy. Once I reviewed the source code it wasn't too bad to figure out. It makes a good reference. I am adding it to this thread.

#########BEGIN

To limit this, you have to recompile the base policy package and define
a new node name.

For instance, the inaddr_any_node_t is defined:

type inaddr_any_node_t alias node_inaddr_any_t, node_type;
nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t


Similarly, you could do the same thing for a new type:

type blue_node_t, node_type;
nodecon 10.0.5.1 255.255.255.255 system_u:object_r:blue_node_t

The problem in implementing this is that you have to have the exact IP
address that will be used in the field.  Also, changing the base policy
means you have to redo this change every time there is a new policy
provided by Red Hat (as an update).

########END



Doug 

----- Original Message -----
From: "Stephen Smalley" <sds at tycho.nsa.gov>
To: "Doug Sikora" <dsikora at redhat.com>
Cc: fedora-selinux-list at redhat.com
Sent: Thursday, December 11, 2008 2:32:48 PM GMT -05:00 US/Canada Eastern
Subject: Re: using selinux to allow only certain hosts or networks

On Tue, 2008-12-09 at 09:15 -0500, Doug Sikora wrote:
> The below rules came from audit2allow,
> 
> allow test_t inaddr_any_node_t:tcp_socket node_bind;
> allow test_t inaddr_any_node_t:udp_socket node_bind;
> 
> Instead of allowing "any_node" I would like to limit this to specific hosts and or networks.
> 
> Does anyone know the syntax for this?

Note that the check above is only dealing with binding to an address,
not sending/receiving packets.  Is binding what you want to limit to
specific addresses?

If so, you need to define types for the addresses (via local policy
module) and map the addresses to those types (via semanage node).

-- 
Stephen Smalley
National Security Agency
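The following is an added worked example, not code from the thread or from any of its participants. It puts Stephen's two steps together (a local policy module declaring a node type, then `semanage node` to map an address to it) and reuses the names from the thread: the `test_t` domain from the audit2allow output and Forrest's `blue_node_t` / 10.0.5.1 example. The module name `blue_node` and the selinux-policy-devel Makefile path are assumptions. Because the address-to-type mapping lives in the policy store rather than in a recompiled base policy, it survives selinux-policy updates, and the address can be changed later with `semanage node -m` or removed with `semanage node -d`. As Stephen points out, `node_bind` only restricts which addresses `test_t` may bind to; it says nothing about sending or receiving packets.

```shell
#!/bin/sh
# Added example (not from the thread): give test_t node_bind on one host only,
# using a local policy module plus `semanage node`.
# test_t, blue_node_t and 10.0.5.1/255.255.255.255 are taken from the thread;
# the module name "blue_node" and the devel Makefile path are assumptions.

HOST=10.0.5.1
MASK=255.255.255.255        # all ones = exactly one host; 255.255.255.0 would cover 10.0.5.0/24
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # from selinux-policy-devel (assumed path)

# Source of the local module. The new node type carries the node_type attribute
# (required from the base policy) so that an address can be labelled with it; the
# allow rules are the ones audit2allow produced, retargeted from inaddr_any_node_t.
blue_node_te() {
    cat <<'EOF'
policy_module(blue_node, 1.0)

gen_require(`
    type test_t;
    attribute node_type;
')

type blue_node_t, node_type;

allow test_t blue_node_t:tcp_socket node_bind;
allow test_t blue_node_t:udp_socket node_bind;
EOF
}

# The command that maps the address to the new type in the policy store.
# This replaces Forrest's nodecon line in the base policy and persists across
# policy updates.
node_add_cmd() {
    printf 'semanage node -a -t blue_node_t -p ipv4 -M %s %s\n' "$MASK" "$HOST"
}

# Build, load, label, verify. Needs root and the selinux-policy-devel package.
apply_policy() {
    [ -f "$DEVEL_MAKEFILE" ] || {
        echo "missing $DEVEL_MAKEFILE (install selinux-policy-devel)" >&2
        return 1
    }
    blue_node_te > blue_node.te
    make -f "$DEVEL_MAKEFILE" blue_node.pp
    semodule -i blue_node.pp
    semanage node -a -t blue_node_t -p ipv4 -M "$MASK" "$HOST"
    # List the node contexts in the store and confirm the new mapping is there.
    semanage node -l | grep blue_node_t
}

case "${1:-}" in
    apply) apply_policy ;;
    *)     blue_node_te; echo; node_add_cmd ;;   # default: dry run, print what would be applied
esac
```

Run it with no arguments to see the module source and the `semanage node` command it would issue; run it with `apply` as root to build and load the module and label the address. After that, a bind() by `test_t` to 10.0.5.1 is checked against `blue_node_t`, while a bind to any other address is still checked against `inaddr_any_node_t` or `node_t` and, with the original audit2allow rules left out, is denied.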