From: rfkrocktk@gmail.com (Naftuli Tzvi Kay)
Date: Wed, 31 Aug 2016 12:36:20 -0700
Subject: [refpolicy] Understanding SELinux Network Permissions
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Networking permissions have always been fairly difficult for me to understand in SELinux. My current understanding follows.

The permissions in layers are as follows for a client that wants to connect to a specific TCP port:

1. The domain must be able to create/open/read/write its own TCP socket, which is accomplished like so:

       allow $domain_type self:tcp_socket create_stream_socket_perms;

   Now the domain can open a TCP socket but can't connect it to anything. Also, opening a TCP socket does not mean the same thing as binding (listening on a port as a server process).

2. Next, we have to grant it access to sending and receiving on a network interface:

       # corenet_tcp_sendrecv_generic_if
       allow $domain_type $net_interface_type:netif { tcp_send tcp_recv egress ingress };

   Now the process can both open its TCP client connection and send/recv TCP packets on the given network interface, but can't send/recv those packets to/from any hosts (including localhost, probably).

3. Next, we grant access for it to be able to send/recv to given nodes:

       # corenet_tcp_sendrecv_generic_node
       allow $domain_type $node_type:node { tcp_send tcp_recv sendto recvfrom };

   It can now send/receive TCP packets to and from the given node, which represents a host on the network. node_lo_t could be 127.0.0.1/32, for instance, and you'd still need this permission to send/recv packets from localhost.

   So far it can open a client socket, read/write on that socket, send/receive packets from a given network interface, and send/receive packets from a given network host (node), but it can't connect to or send/receive anything due to port restrictions.

4. We now grant it access to connect and send/recv packets to a given port:

       # corenet_tcp_sendrecv_generic_port
       allow $domain_type $port_type:tcp_socket { send_msg recv_msg };

       # corenet_tcp_connect_generic_port
       allow $domain_type $port_type:tcp_socket name_connect;

   Now it can fully send/receive packets to arbitrary hosts on arbitrary ports over TCP.

-----------------------

Is my above understanding correct?

In the example of a server, how do permissions differ? Can I have a server listen to a port without being able to be a TCP client and connect to other ports?
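As an added illustration (not part of the original post), the following refpolicy module spells out the four client layers described above using the corenet interfaces the post names, and goes one step further than the post by showing the server-side counterpart, where the port and node permissions are `name_bind`/`node_bind` rather than `name_connect`. The domain names `myclient_t`, `myserver_t` and their entry-point types are hypothetical.

```selinux
policy_module(mynet_example, 1.0.0)

########################################
#
# Declarations (hypothetical example domains)
#

type myclient_t;
type myclient_exec_t;
application_domain(myclient_t, myclient_exec_t)

type myserver_t;
type myserver_exec_t;
application_domain(myserver_t, myserver_exec_t)

########################################
#
# Client: the four layers from the post
#

# Layer 1: create/open/read/write its own TCP socket
# (create_stream_socket_perms also covers listen/accept, but no rule
# below lets the client bind or listen on any port type)
allow myclient_t self:tcp_socket create_stream_socket_perms;

# Layer 2: tcp_send/tcp_recv/egress/ingress on generic netif types
corenet_tcp_sendrecv_generic_if(myclient_t)

# Layer 3: tcp_send/tcp_recv/sendto/recvfrom on generic node types
corenet_tcp_sendrecv_generic_node(myclient_t)

# Layer 4: send_msg/recv_msg plus name_connect on generic port types
corenet_tcp_sendrecv_generic_port(myclient_t)
corenet_tcp_connect_generic_port(myclient_t)

########################################
#
# Server: same first three layers, then bind instead of connect
#

allow myserver_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(myserver_t)
corenet_tcp_sendrecv_generic_node(myserver_t)
corenet_tcp_sendrecv_generic_port(myserver_t)

# node_bind on generic nodes and name_bind on generic port types
corenet_tcp_bind_generic_node(myserver_t)
corenet_tcp_bind_generic_port(myserver_t)
# Deliberately no corenet_tcp_connect_*: the server can listen and
# accept, but any outbound connect() is denied for lack of name_connect.
```

After building the module, `sesearch --allow -s myserver_t -c tcp_socket -p name_connect` returning nothing while the same query with `-p name_bind` lists the port types is the quick check that the server domain can bind but not connect.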