Governing application network access
On Linux systems, iptables
(and more recently, nftables
) is the de facto host-based firewall technology. Administrators will undoubtedly use it to prevent access to a service from unauthorized systems. We can also use iptables
to identify and label network packets, allowing only authorized applications (domains) to send or receive those network packets.
By default, the SELinux policy supports client and server packets and allows the usual domains access to their client and/or server packets. For instance, the web server domains (such as httpd_t
) will have the privileges to send and receive http_server_packet_t
packets:
allow httpd_t http_server_packet_t:packet { send recv };
This is provided through the corenet_sendrecv_http_server_packets ...
Get SELinux Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.