[CentOS] Block outgoing connections for certaing uids (root, apache, nobody)

Daniel J Walsh dwalsh at redhat.com
Thu Apr 5 13:21:20 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/04/2012 10:15 AM, Lamar Owen wrote:
> On Wednesday, April 04, 2012 05:13:11 AM Alexander Farber wrote:
>> Good morning
>> 
>> With iptables in CentOS 5 and 6 Linux - how can you please prevent
>> processes running as "root", "apache" or "nobody" from initiating
>> outgoing connections?
> 
> This sounds more like something an SELinux rule could do better, and on a
> per-process basis.
> 
> Now, I don't have such a rule or policy file written, but I think for this
> purpose SELinux is the right tool to try to use.  You might have to go from
> the rather lenient 'targeted' policy to the rather difficult to use
> 'strict' policy to make it happen, though.
> 
> Dan Walsh is on here, and he's the expert, so maybe he'll weigh in. 
> _______________________________________________ CentOS mailing list 
> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
Very difficult to do, especially if you are talking about administrators
running as root.  If you want to allow everything except connection to the
network, you will not stop a determined admin.  Now we can block the apache
process from connecting to the network.   If you want to run confined admins
we can also control them, but it is not easy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk99nE0ACgkQrlYvE4MpobPNlwCgr/zQEe0pvM96wRwdCdda+d6S
rOsAoN242buO0dwqEw5p7ZxTr5UY/Kgm
=6w7I
-----END PGP SIGNATURE-----



More information about the CentOS mailing list