Linux: Allow/restrict IP bind permissions by user

I won't go into detail on how SELinux is set up or how one creates a SELinux policy. This might be a good starting point for getting familiar with SELinux.

To address your problem with SELinux, try this:

  • Assign a type to the network interface you would like to restrict

    # Assign a type to the whole interface
    semanage interface -a -t foo_netif_t eth2
    
  • Assign labels to traffic passing through the interface

    # Fallback (unlabeled-traffic) labels for every IPv4 and IPv6 peer seen on eth2
    netlabelctl unlbl add interface:eth2 address:0.0.0.0/0 label:system_u:object_r:foo_peer_t:s0
    netlabelctl unlbl add interface:eth2 address:::/0 label:system_u:object_r:foo_peer_t:s0
    

    This example assigns the type foo_peer_t to all IPv4 and IPv6 traffic.

  • Add rules to allow packet flow

    Traffic entering

    allow user_t foo_netif_t:netif ingress;
    allow user_t foo_peer_t:node recvfrom;
    

    Traffic leaving

    allow user_t foo_netif_t:netif egress;
    allow user_t foo_peer_t:node sendto;
    

    Replace user_t with the type assigned to the user you wish to restrict.

References:

  • Labeling interfaces
  • Ingress/Egress controls
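The three steps above as one script, added here as an example and not part of the original answer. It writes the allow rules into a small policy module in checkmodule's raw module language, loads it, labels the interface and adds the NetLabel fallback mappings. The interface name eth2, the restricted domain user_t and the module name foo_net are assumptions (override them through the environment); the types foo_netif_t and foo_peer_t are declared by the module itself so it loads without other policy changes.

```shell
#!/bin/sh
# Added example (not from the original answer): the answer's three steps
# as one script. Assumed names: interface eth2, restricted domain user_t,
# module foo_net. The types foo_netif_t and foo_peer_t are declared by
# the module itself.
set -u

IFACE="${IFACE:-eth2}"
USER_TYPE="${USER_TYPE:-user_t}"
MODULE="${MODULE:-foo_net}"

# Emit the policy module source in checkmodule's raw module language.
# $1 is the source domain to restrict (defaults to $USER_TYPE).
gen_te() {
    src="${1:-$USER_TYPE}"
    cat <<EOF
module $MODULE 1.0;

require {
    type $src;
    class netif { ingress egress };
    class node { recvfrom sendto };
}

# Type for the interface and type for peers reached through it
type foo_netif_t;
type foo_peer_t;

# Traffic entering
allow $src foo_netif_t:netif ingress;
allow $src foo_peer_t:node recvfrom;

# Traffic leaving
allow $src foo_netif_t:netif egress;
allow $src foo_peer_t:node sendto;
EOF
}

# Number of allow rules in the generated module; a cheap sanity check
# before anything privileged runs.
count_allow_rules() {
    gen_te "${1:-$USER_TYPE}" | grep -c '^allow '
}

# Build, load and wire up the module. Needs root on an SELinux system
# with policycoreutils, checkpolicy and netlabel_tools installed.
apply() {
    gen_te "$USER_TYPE" > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"

    # Step 1: label the whole interface
    semanage interface -a -t foo_netif_t "$IFACE"

    # Step 2: fallback labels for all IPv4 and IPv6 traffic on it
    netlabelctl unlbl add interface:"$IFACE" address:0.0.0.0/0 \
        label:system_u:object_r:foo_peer_t:s0
    netlabelctl unlbl add interface:"$IFACE" address:::/0 \
        label:system_u:object_r:foo_peer_t:s0
}

# Only touch the system when asked: "sh restrict_iface.sh apply".
case "${1:-}" in
    apply) apply ;;
    show)  gen_te "$USER_TYPE" ;;
esac
```

`sh restrict_iface.sh show` prints the module source for review; `apply` (as root) loads it. Afterwards `semanage interface -l` should list eth2 with foo_netif_t and `netlabelctl -p unlbl list` should show both fallback mappings. One caveat: the module declares plain types, so on a refpolicy-based system they carry none of the attributes (netif_type, node_type) that the distribution's own network interfaces and constraints refer to; if other policy needs to reason about these types, add them to those attributes in the module.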