Thursday 13 December 2007

Exploring SECMARK

Some servers only accept labeled packets. This is accomplished by setting the SELinux boolean allow_unlabeled_packets to off. If you want to connect to such a server, then you will have to use properly labeled packets, or else the packets will be denied. To label traffic on, for example, tcp port 22 for OpenSSH, add a rule to the INPUT and OUTPUT chains of the iptables mangle table:

/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --sport 22 -j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0

/sbin/iptables -t mangle -A INPUT -i eth0 -p tcp --dport 22 -j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0


This will label the OpenSSH traffic with the context needed to get the packets accepted on the host, as these granted AVC records show:

type=AVC msg=audit(1197570945.629:636): avc: granted { send } for pid=1275 comm="sshd" saddr=10.0.0.101 src=22 daddr=10.0.0.100 dest=39769 netif=eth0 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_server_packet_t:s0 tclass=packet

type=AVC msg=audit(1197572881.868:821): avc: granted { recv } for saddr=10.0.0.100 src=35697 daddr=10.0.0.101 dest=22 netif=eth0 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_server_packet_t:s0 tclass=packet
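When you switch allow_unlabeled_packets off, the quickest way to see which daemons still lack a SECMARK rule is to read the packet-class AVC records in the audit log. The following Python script is an added example, not part of the original post: it parses records of the form shown above, counts granted and denied send/recv decisions per domain, packet type and local port, and lists the denials whose target type is unlabeled_t (traffic no mangle-table rule labeled). The two granted lines are the ones from this post; the denied lines and the httpd_t port 80 case are constructed samples.

```python
"""Summarize SELinux AVC records of class 'packet' (added example, not from the post)."""
import re
from collections import Counter

# Constructed sample log: the two granted records from the post, plus a constructed
# denial for unlabeled HTTP traffic and an unrelated file-class record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1197570945.629:636): avc: granted { send } for pid=1275 comm="sshd" saddr=10.0.0.101 src=22 daddr=10.0.0.100 dest=39769 netif=eth0 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_server_packet_t:s0 tclass=packet
type=AVC msg=audit(1197572881.868:821): avc: granted { recv } for saddr=10.0.0.100 src=35697 daddr=10.0.0.101 dest=22 netif=eth0 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ssh_server_packet_t:s0 tclass=packet
type=AVC msg=audit(1197573000.000:900): avc: denied { recv } for saddr=10.0.0.100 src=40000 daddr=10.0.0.101 dest=80 netif=eth0 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1197573001.000:901): avc: denied { write } for pid=1 comm="foo" name="bar" scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:bar_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perm>\w+)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(ctx):
    """Return the type field (third colon-separated component) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a dict for a packet-class AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("tclass") != "packet":
        return None
    perm = m.group("perm")
    # For an outgoing (send) packet the daemon's own port is the source port;
    # for an incoming (recv) packet it is the destination port.
    local_port = fields.get("src") if perm == "send" else fields.get("dest")
    return {
        "decision": m.group("decision"),
        "perm": perm,
        "netif": fields.get("netif", "?"),
        "local_port": local_port,
        "scontext": fields.get("scontext", "?"),
        "tcontext": fields.get("tcontext", "?"),
    }


def parse_audit(text):
    """Parse every line of an audit log excerpt, keeping only packet-class records."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count (decision, perm, source type, packet type, local port) tuples."""
    return Counter(
        (r["decision"], r["perm"], type_of(r["scontext"]), type_of(r["tcontext"]), r["local_port"])
        for r in records
    )


def unlabeled_denials(records):
    """Denied packets whose target type is unlabeled_t: traffic that no SECMARK rule labeled."""
    return [r for r in records
            if r["decision"] == "denied" and type_of(r["tcontext"]) == "unlabeled_t"]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for key, n in sorted(summarize(recs).items()):
        print(n, *key)
    for r in unlabeled_denials(recs):
        print("missing SECMARK rule? domain=%s port=%s perm=%s netif=%s"
              % (type_of(r["scontext"]), r["local_port"], r["perm"], r["netif"]))
```

Feed it the output of `ausearch -m avc` (or the raw audit.log) instead of SAMPLE_AUDIT; every domain and port listed as an unlabeled denial is a candidate for a pair of mangle-table rules like the ones above, using the matching packet type from the policy (for example http_server_packet_t for port 80) rather than the ssh one.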

It will not hurt to label your traffic this way for common daemons, as correctly labeled traffic will always be accepted.

Unlabeled packets will only be accepted if the boolean allow_unlabeled_packets is set to on, which is the default setting.
