SELinux: Ограничить httpd исходящие соединения адресом и портом?
1 ответ
The following SELinux policy will be needed to set this up. NOTE: I assume here that the ajp_port_t type does not actually exist on the system currently.
policy_module(myhttpd, 1.0.0)
gen_require(`
type httpd_t;
')
type ajp_packet_t;
corenet_packet(ajp_packet_t)
type ajp_port_t;
corenet_port(ajp_port_t)
allow httpd_t ajp_port_t:tcp_socket { client_stream_socket_perms name_connect };
allow httpd_t ajp_port_t:packet { flow_in flow_out forward_in forward_out recv send };
Follow this up by the command
semanage port -a -t ajp_port_t -p tcp 9010
To manage the address, thats somewhat more complicated. And your liable to possibly cause the box to stop responding over the network! So be warned.
For this, you'll need this policy module, it permits all domains to send/recv unlabelled packets. If you dont do this first you can lose network because by default nearly all domains have no permissions to send / recv unlabelled packets!
policy_module(unconfined_packets, 1.0.0)
require {
attribute domain;
type unlabeled_t;
}
gen_tunable(allow_unlabeled_packets, `true');
tunable_policy(allow_unlabeled_packets, `
allow domain unlabeled_t:packet { flow_in flow_out forward_in forward_out recv send };
')
You then must mark the packets inbound and outbound from that host using iptables.
iptables -I INPUT -p tcp --sport 9010 -s <src_addr> -j SECMARK --selctx system_u:object_r:ajp_packet_t
iptables -I OUTPUT -p tcp --dport 9010 -d <dst_addr> -j SECMARK --selctx system_u:object_r:ajp_packet_t
iptables -A INPUT -j CONNSECMARK --restore
iptables -A OUTPUT -j CONNSECMARK --save
6