extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 07:33:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Enhance SELinux support:

Browse Source 
- Add state match
- Add user/group match
- Add examples to the man pages
This commit is contained in:
Tom Eastep 2010-09-06 09:06:40 -07:00
parent 33dc8de8fb
commit c6f58ba924
7 changed files with 205 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -1373,7 +1373,7 @@ sub setup_traffic_shaping() {
# Process a record in the secmarks file
#
sub process_secmark_rule() {
my ( $secmark, $chain, $source, $dest, $proto, $dport, $sport, $mark ) = split_line1( 2, 8 , 'Secmarks file' );
my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
if ( $secmark eq 'COMMENT' ) {
process_comment;
@ -1386,10 +1386,24 @@ sub process_secmark_rule() {
I => 'tcin' ,
O => 'tcout' , );
my $chain1= $chns{$chain};
my %state = ( N => 'NEW' ,
E => 'ESTABLISHED' ,
ER => 'ESTABLISHED,RELATED' );
my ( $chain , $state, $rest) = split ':', $chainin , 3;
fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
my $chain1= $chns{$chain};
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
if ( ( $state ||= '' ) ne '' ) {
my $state1;
fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
$state = "$globals{STATEMATCH} $state1 ";
}
my $target = $secmark eq 'SAVE' ? 'CONNSECMARK --save' :
$secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
"SECMARK --selctx $secmark";
@ -1400,7 +1414,9 @@ sub process_secmark_rule() {
expand_rule( ensure_mangle_chain( $chain1 ) ,
$restrictions{$chain1} ,
$state .
do_proto( $proto, $dport, $sport ) .
do_user( $user ) .
do_test( $mark, $globals{TC_MASK} ) ,
$source ,
$dest ,

4
Shorewall/configfiles/secmarks
View File

@ -4,6 +4,6 @@
# For information about entries in this file, type "man shorewall-secmarks"
#
############################################################################################################
#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
# PORT(S) PORT(S)
#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
# STATE PORT(S) PORT(S) GROUP

3
docs/Manpages.xml
View File

@ -129,6 +129,9 @@
<member><ulink url="manpages/shorewall-rules.html">rules</ulink> -
Specify exceptions to policies, including DNAT and REDIRECT.</member>
<member><ulink url="shorewall-secmarks.html">secmarks</ulink> - Attach
an SELinux context to a packet.</member>
<member><ulink
url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb
classes for traffic shaping.</member>

3
docs/Manpages6.xml
View File

@ -114,6 +114,9 @@
<member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
Specify exceptions to policies, including DNAT and REDIRECT.</member>
<member><ulink url="shorewall6-secmarks.html">secmarks</ulink> -
Attached an SELinux context to a packet.</member>
<member><ulink
url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
htb classes for traffic shaping.</member>

6
docs/configuration_file_basics.xml
View File

@ -213,6 +213,12 @@
shaping.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/secmarks</filename> - Added in
Shorewall 4.4.13. Attach an SELinux context to selected
packets.</para>
</listitem>
<listitem>
<para><filename>/etc/shorewall/vardir</filename> - Determines the
directory where Shorewall maintains its state.</para>

91
manpages/shorewall-secmarks.xml
View File

@ -24,7 +24,7 @@
<title>Description</title>
<para>The secmarks file is used to associate an SELinux context with
packets.</para>
packets. It was added in Shorewall version 4.4.13.</para>
<para>The columns in the file are as follows.</para>
@ -66,9 +66,13 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CHAIN - {P|I|F|O|T}</emphasis></term>
<term><emphasis role="bold">CHAIN:STATE -
{P|I|F|O|T}[:{N|E|ER}]</emphasis></term>
<listitem>
<para>This column determines the CHAIN where the SElinux context is
to be applied:</para>
<simplelist>
<member>P - PREROUTING</member>
@ -80,6 +84,18 @@
<member>T - POSTROUTING</member>
</simplelist>
<para>It may be optionally followed by a colon and an indication of
the connection state(s) at which the context is to be
applied:</para>
<simplelist>
<member>:N - NEW connection</member>
<member>:E - ESTABLISHED connection</member>
<member>:ER - ESTABLISHED or RELATED connection</member>
</simplelist>
</listitem>
</varlistentry>
</variablelist>
@ -102,7 +118,7 @@
<listitem>
<para>A comma-separated list of host or network IP addresses or
MAC addresses. </para>
MAC addresses.</para>
</listitem>
<listitem>
@ -206,6 +222,52 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
<listitem>
<para>This column may only be non-empty if the SOURCE is the
firewall itself.</para>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
@ -257,6 +319,29 @@
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>Mark the first incoming packet of a connection on the loopback
interface and destined for address 127.0.0.1 and tcp port 3306 with
context system_u:object_r:mysqld_t:s0 and save that context in the
conntrack table. On subsequent input packets in the connection, set the
context from the conntrack table.</para>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- lo - ignore</programlisting>
<para><filename>/etc/shorewall/secmarks</filename>:</para>
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
# STATE PORT(S) PORT(S) GROUP
system_u:object_r:mysqld_t:s0 I:N lo 127.0.0.1 tcp 3306
SAVE I:N lo 127.0.0.1 tcp 3306
RESTORE I:E</programlisting>
</refsect1>
<refsect1>
<title>FILES</title>

88
manpages6/shorewall6-secmarks.xml
View File

@ -24,7 +24,7 @@
<title>Description</title>
<para>The secmarks file is used to associate an SELinux context with
packets.</para>
packets. It was added in Shorewall6 version 4.4.13.</para>
<para>The columns in the file are as follows.</para>
@ -66,7 +66,8 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CHAIN - {P|I|F|O|T}</emphasis></term>
<term><emphasis role="bold">CHAIN -
{P|I|F|O|T}[:{N|E|ER}]</emphasis></term>
<listitem>
<simplelist>
@ -80,6 +81,18 @@
<member>T - POSTROUTING</member>
</simplelist>
<para>It may be optionally followed by a colon and an indication of
the connection state(s) at which the context is to be
applied:</para>
<simplelist>
<member>:N - NEW connection</member>
<member>:E - ESTABLISHED connection</member>
<member>:ER - ESTABLISHED or RELATED connection</member>
</simplelist>
</listitem>
</varlistentry>
</variablelist>
@ -102,7 +115,7 @@
<listitem>
<para>A comma-separated list of host or network IP addresses or
MAC addresses. </para>
MAC addresses.</para>
</listitem>
<listitem>
@ -206,6 +219,52 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
<listitem>
<para>This column may only be non-empty if the SOURCE is the
firewall itself.</para>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
@ -257,6 +316,29 @@
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>Mark the first incoming packet of a connection on the loopback
interface and destined for address ::1 and tcp port 3306 with context
system_u:object_r:mysqld_t:s0 and save that context in the conntrack
table. On subsequent input packets in the connection, set the context from
the conntrack table.</para>
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- lo - ignore</programlisting>
<para><filename>/etc/shorewall6/secmarks</filename>:</para>
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
# STATE PORT(S) PORT(S) GROUP
system_u:object_r:mysqld_t:s0 I:N lo ::1 tcp 3306
SAVE I:N lo ::1 tcp 3306
RESTORE I:E</programlisting>
</refsect1>
<refsect1>
<title>FILES</title>