* Re: filtering outgoing packets with SELinux and iptables
From: Daniel J Walsh @ 2013-10-23 17:59 UTC (permalink / raw)
To: Mark Montague, selinux, SELinux
On 10/23/2013 11:16 AM, Mark Montague wrote:
> On October 23, 2013 11:00 , Mark Montague <mark@catseye.org> wrote:
>> On October 23, 2013 10:28 , Konstantin Ryabitsev <icon@fedoraproject.org>
>> wrote:
>>> I would like to be able to only allow httpd_myapp_script_t to connect
>>> to 192.168.1.1 port 443, but not any other IP address. This is actually
>>> quite common -- an application may need to make a REST call to some
>>> site, but it really has no business talking to any other hosts on the
>>> net.
>>
>> # Restrict what things running under php-fpm can access. We're using a
>> # local policy named phpfcgi here because Red Hat's policies include an
>> # alias of httpd_t for phpfpm_t, and if we use that then these rules would
>> # prevent httpd from communicating with clients.
>> -N PHPFPM
>> -A OUTPUT -m selinux --task-ctx system_u:system_r:phpfcgi_t:s0 -j PHPFPM
>
> I should add that the local SELinux policy that I'm using for PHP-FPM is a
> modified version of prometheanfire's work, which he has previously posted to
> this list:
>
> https://github.com/prometheanfire/selinux-modules.git
>
> I've renamed the types and added a couple extra allow rules for things that
> my installation of PHP-FPM needs to be able to do, but none of the
> modifications are related to restricting network traffic; the magic for
> that is all in the kernel module and iptables rules.
>
>
> --
> Mark Montague
> mark@catseye.org
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
It is better that these types of questions go to the upstream SELinux list
<selinux@tycho.nsa.gov>
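The message quotes only the rule that diverts a domain's packets into a chain, not the chain that answers Konstantin's question (one host, one port, nothing else). The following is an added example, not code from the thread or from prometheanfire's policy: it writes a complete iptables-restore fragment in the same style, using the domain name and destination from Konstantin's question. The `-m selinux --task-ctx` match is assumed to come from the out-of-tree kernel module Mark refers to; stock iptables has no such match, and the chain name `MYAPP_OUT` and the log prefix are invented here.

```shell
#!/bin/sh
# Added example: egress ruleset confining one SELinux domain to a single
# host:port. Assumptions (not from stock iptables): "-m selinux --task-ctx"
# is provided by the out-of-tree kernel module mentioned in the thread;
# the domain and destination come from Konstantin's question.

DOMAIN_CTX="system_u:system_r:httpd_myapp_script_t:s0"
ALLOW_HOST="192.168.1.1"
ALLOW_PORT="443"
CHAIN="MYAPP_OUT"

# Emit the filter-table ruleset on stdout in iptables-restore format.
# iptables-restore ignores lines beginning with '#'.
gen_rules() {
    cat <<EOF
*filter
:${CHAIN} - [0:0]
# Divert every packet sent by a task running in the restricted domain.
# Matching happens on the sending task's context, so httpd_t itself and
# the reply packets arriving on INPUT are untouched.
-A OUTPUT -m selinux --task-ctx ${DOMAIN_CTX} -j ${CHAIN}
# The only permitted destination: the REST endpoint. No DNS, no loopback,
# no other hosts; add explicit ACCEPT rules here if the app needs more.
-A ${CHAIN} -p tcp -d ${ALLOW_HOST} --dport ${ALLOW_PORT} -j ACCEPT
# Log (rate-limited) and then reject everything else so the application
# fails immediately instead of hanging on a dropped SYN, and the attempt
# is visible in the kernel log.
-A ${CHAIN} -m limit --limit 5/min -j LOG --log-prefix "myapp-egress-denied: "
-A ${CHAIN} -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Sanity check used before loading: exactly one ACCEPT rule in the chain.
accept_rule_count() {
    gen_rules | grep -c -- "-A ${CHAIN} .*-j ACCEPT"
}

# To load (root, with the selinux match module present), without
# discarding rules already in place:
#   gen_rules | iptables-restore --noflush
```

Because the match keys on the sending task's SELinux context rather than on a port or uid, a compromised script in `httpd_myapp_script_t` cannot widen its reach by changing ports or spawning a helper process: the child inherits the domain and lands in the same chain. On a stock kernel without this out-of-tree match, the mainline route to the same result is SECMARK packet labelling plus `packet { send recv }` rules in the SELinux policy, which requires policy changes rather than only iptables rules.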