Re: ipsec, netlabels, secmark- How about a little usability?

[James Antill <jantill@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 1614 bytes --]

On Thu, 2006-09-14 at 09:50 -0400, Joshua Brindle wrote:
> Daniel J Walsh wrote:
> > 1.  By default httpd has to be able to talk to itself in order to do 
> > gracefull shutdown,
> > service httpd graceful.
> >
> > So I end up adding a rule allowing httpd to name_connect to the 
> > httpd_port_t.    But I really only want to allow this for localhost.  
> > IE I don't want to allow my httpd to name_connect to other machines 
> > httpd ports?  I can't do this now.
> >
> you can with secmark can't you?
> iptables -I -p tcp -d localhost -s localhost -i lo --dport 80 -j SECMARK 
> --selctx system_u:object_r:httpd_client_packet_t

 This one rule, both allows httpd_t to connect to localhost:80 and
disallows it from connecting to anything-else:80 ?

 From the documentation --selctx just sets the "SELinux security
context" ... so you presumably _also_ need some bit of policy code that
says "httpd_t can only name_bind(?) with httpd_client_packet_t"?

> > 2.  I as a sysadm have setup a apache web site that allows connections 
> > from the outside and needs to connect to three mysql servers on my 
> > internal network. So I need to allow it to connect to those three 
> > machines on the internal network only.  How am I as the Sysadm going 
> > to set this up.
> >
> again, secmark

 Err, no. The requirement here is that:

1. httpd_t on one machine is only allowed to connect to mysqld_t(?) on
one of these 3 machines.

...AIUI secmark doesn't know the label of the proc. on the other
machines, even when using ipsec/netlabel.

-- 
James Antill <jantill@redhat.com>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]