SELinux Cookbook

By: Sven Vermeulen

Governing application network access


On Linux systems, iptables (and more recently, nftables) is the de facto host-based firewall technology. Administrators will undoubtedly use it to prevent access to a service from unauthorized systems. Through its SECMARK target, iptables can also label network packets with an SELinux context, after which the SELinux policy decides which applications (domains) are allowed to send or receive packets carrying that label.

By default, the SELinux policy already defines a client packet type and a server packet type for each well-known service and grants the corresponding domains access to them. For instance, the web server domains (such as httpd_t) have the privileges to send and receive http_server_packet_t packets:

allow httpd_t http_server_packet_t:packet { send recv };

This rule is granted through the corenet_sendrecv_http_server_packets interface. Enabling packet labeling itself takes only a few iptables rules, as this recipe shows. To properly govern network access, however, custom packet types will need to be created to ensure that no default allowed...
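As an added example (not code from the book or from the reference policy project), the following POSIX shell script generates the iptables rules that label HTTP traffic with http_server_packet_t through the SECMARK and CONNSECMARK targets, and a small policy module that declares a custom packet type reserved for a single domain. TCP port 80, the module name mypacket, the type name custom_http_packet_t and the use of the corenet_server_packet interface to mark the new type are assumptions for illustration; http_server_packet_t and httpd_t are the reference policy's own names.

```shell
#!/bin/sh
# Added example (not code from the book): generate the iptables SECMARK rules
# that label a service's traffic with an SELinux packet type, and generate a
# policy module declaring a custom packet type that only one domain may use.
# Assumptions for illustration: TCP port 80, module name "mypacket" and the
# custom type name custom_http_packet_t. http_server_packet_t and httpd_t are
# the reference policy's own names.

# Print the iptables rules that label traffic arriving on a TCP server port.
#   $1 = TCP port, $2 = SELinux packet type
secmark_rules() {
    port="$1"
    ptype="$2"
    # The :s0 suffix is the low sensitivity used by MCS/MLS-enabled policies.
    ctx="system_u:object_r:${ptype}:s0"
    # Label the first packet of every new connection to the port...
    echo "iptables -t mangle -A INPUT -p tcp --dport ${port} -m state --state NEW -j SECMARK --selctx ${ctx}"
    # ...store that label on the conntrack entry (must come after SECMARK)...
    echo "iptables -t mangle -A INPUT -m state --state NEW -j CONNSECMARK --save"
    # ...and copy it back onto every later packet of the connection, so the
    # server's replies carry the same label as the requests.
    echo "iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
    echo "iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
}

# Print a policy module (.te file) declaring a custom packet type that only
# the given domain may send or receive.
#   $1 = module name, $2 = new packet type, $3 = domain allowed to use it
packet_policy_module() {
    mod="$1"
    ptype="$2"
    dom="$3"
    cat <<EOF
policy_module(${mod}, 1.0)

# Declare the new packet type. corenet_server_packet marks it as a server
# packet type (assumed interface name), so rules written against all server
# packet types also cover it; use corenet_packet instead for a private type.
type ${ptype};
corenet_server_packet(${ptype})

gen_require(\`
    type ${dom};
')

# Only ${dom} may send or receive packets carrying this label
allow ${dom} ${ptype}:packet { send recv };
EOF
}

# Run directly without arguments: print everything for review.
# "apply" feeds only the iptables rules for the custom type to a root shell;
# the policy module must be built and loaded first.
case "${1:-}" in
    apply)
        secmark_rules 80 custom_http_packet_t | sh ;;
    *)
        echo "# 1. default labeling with the reference policy's own type"
        secmark_rules 80 http_server_packet_t
        echo "# 2. mypacket.te: a custom packet type reserved for httpd_t"
        packet_policy_module mypacket custom_http_packet_t httpd_t
        echo "# 3. labeling with the custom type once mypacket.pp is loaded"
        secmark_rules 80 custom_http_packet_t ;;
esac
```

Save the printed module as mypacket.te, build it with the policy development Makefile (make -f /usr/share/selinux/devel/Makefile mypacket.pp) and load it with semodule -i mypacket.pp before applying the rules that reference custom_http_packet_t. Two checks are worth doing right after enabling labeling: iptables -t mangle -L -n -v should show the SECMARK and CONNSECMARK counters increasing, and ausearch -m AVC will reveal denials with tclass=packet, because any domain that previously relied on unlabeled packets and has no rule for the new type is now refused. Note the caveat encoded in the module: a type marked with corenet_server_packet still reaches every domain that has been granted all server packet types, so declare it with corenet_packet only if the label is meant to be usable by httpd_t alone.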