Re: Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet
On Tue, 2014-12-09 at 08:39 -0500, Daniel J Walsh wrote:
> You can do this with SELinux and confined users somewhat. You basically could set up a user as xguest with no network access and then write policy to transition to certain domains that can use the internet. No ability to prompt the user though. This will get you most of the way you want to go, but some things can be tricky.
>
> Also lots of apps contact the network just by calling getpw* calls, if you have certain settings in nsswitch.

And by certain settings he means default settings, because nsswitch.conf defaults to using the 'dns' library for host lookup, which means that any gethostby*() call will hit the network.

As for users and groups, most modern systems don't hit the network directly anymore. The SSSD, Winbind and nss-pam-ldapd projects all provide a separate, privileged daemon to perform the actual network lookup, meaning that the application doesn't do it directly. Now, if the system is using the old nss_ldap instead of nss-pam-ldapd, that could be an issue, but I don't think we even ship that in Fedora anymore.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
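The nsswitch caveat raised in the reply above (getpw*/gethostby* calls reaching the network from an application that is otherwise confined) can be checked from nsswitch.conf itself. This is an added example, not code from the thread or from Fedora; the mapping of NSS module names to "in-process network", "via privileged daemon" or "local" is an assumption drawn from the module names in nsswitch.conf(5) and the daemon-backed projects the reply names, and the sample file is constructed.

```python
import re

# Modules that open the network socket inside the calling process: a confined,
# network-less process calling gethostbyname() or getpwnam() is blocked or fails here.
DIRECT_NETWORK = {"dns", "nis", "nisplus"}
# Modules that hand the query to a separate privileged daemon (sssd, winbindd,
# systemd-resolved), so the caller itself never talks to the network.
VIA_DAEMON = {"sss", "winbind", "resolve"}
# Modules that read local files or process state only.
LOCAL = {"files", "compat", "db", "myhostname"}
# 'ldap' is either nss_ldap (in-process) or nss-pam-ldapd (via nslcd), and nss-mdns
# uses avahi-daemon when it is running: decide these by checking the installed module.
AMBIGUOUS = {"ldap", "mdns", "mdns4", "mdns6", "mdns_minimal", "mdns4_minimal", "mdns6_minimal"}

# Constructed sample modelled on a typical Fedora host with sssd enabled (assumption).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss
group:      files sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
automount:  files sss ldap
"""

def parse_nsswitch(text):
    """Return {database: [module, ...]}; comments and [STATUS=action] specs are dropped."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        dbs[name.strip()] = rest.split()
    return dbs

def classify_source(src):
    """Where a lookup through this NSS module actually runs."""
    for category, members in (("direct", DIRECT_NETWORK), ("daemon", VIA_DAEMON),
                              ("local", LOCAL), ("ambiguous", AMBIGUOUS)):
        if src in members:
            return category
    return "unknown"

def audit(text):
    """Map each database to {module: category} so the risky entries stand out."""
    return {db: {src: classify_source(src) for src in srcs}
            for db, srcs in parse_nsswitch(text).items()}

def direct_network_databases(text):
    """Databases whose lookup hits the network from inside the caller (the getpw*/gethostby* caveat)."""
    return sorted(db for db, srcs in audit(text).items() if "direct" in srcs.values())
```

Run it against the real /etc/nsswitch.conf to see which databases a "no network" domain would break on; with the sample, only `hosts` resolves in-process because of `dns`.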
Re: Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet
- Original Message -
> I only want certain binaries to be allowed network access. For example, I want to allow the below binaries access to the internet:
>
> /usr/lib64/firefox/firefox
> /usr/lib/virtualbox/VirtualBox
> /bin/yum (it seems to be done via python like /usr/bin/python /bin/yum update -- so here obviously python is allowed network access only for yum ('the binary'). This rule should not give python network access for any other binaries/.py scripts etc.)
>
> I want no other binary to be able to access the network.

It's not implementable, because you have no way to know that the binary trying to access the network is what it says it is. For now, at least. We'll certainly get something like that when application sandboxing is implemented and deployed.
Re: Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet
You can do this with SELinux and confined users somewhat. You basically could set up a user as xguest with no network access and then write policy to transition to certain domains that can use the internet. No ability to prompt the user though. This will get you most of the way you want to go, but some things can be tricky.

Also lots of apps contact the network just by calling getpw* calls, if you have certain settings in nsswitch.

On 12/09/2014 06:16 AM, Bastien Nocera wrote:
> - Original Message -
>> I only want certain binaries to be allowed network access. For example, I want to allow the below binaries access to the internet:
>>
>> /usr/lib64/firefox/firefox
>> /usr/lib/virtualbox/VirtualBox
>> /bin/yum (it seems to be done via python like /usr/bin/python /bin/yum update -- so here obviously python is allowed network access only for yum ('the binary'). This rule should not give python network access for any other binaries/.py scripts etc.)
>>
>> I want no other binary to be able to access the network.
>
> It's not implementable, because you have no way to know that the binary trying to access the network is what it says it is. For now, at least. We'll certainly get something like that when application sandboxing is implemented and deployed.
Re: Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet
- Original Message -
> You can do this with SELinux and confined users somewhat. You basically could set up a user as xguest with no network access and then write policy to transition to certain domains that can use the internet. No ability to prompt the user though. This will get you most of the way you want to go, but some things can be tricky.

Yeah, one user per application is certainly not something we'd want to implement ;)

> Also lots of apps contact the network just by calling getpw* calls, if you have certain settings in nsswitch.

SELinux is probably going to have a lot of use in identifying/vouching for applications in the sandboxed world, but we're not there just yet.
Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet
I only want certain binaries to be allowed network access. For example, I want to allow the below binaries access to the internet:

/usr/lib64/firefox/firefox
/usr/lib/virtualbox/VirtualBox
/bin/yum (it seems to be done via python like /usr/bin/python /bin/yum update -- so here obviously python is allowed network access only for yum ('the binary'). This rule should not give python network access for any other binaries/.py scripts etc.)

I want no other binary to be able to access the network.

If a binary attempts to access the network there should be a popup, asking me:

a. Deny network access and Remember this Decision if the same binary attempts to access the network again.
b. Allow network access and Remember this Decision if the same binary attempts to access the network again.
c. Allow network access this time but Prompt me Again if this binary tries to access the network.
d. Deny network access this time but Prompt me Again if this binary tries to access the network.

A Google search turns up this: https://security.stackexchange.com/questions/15476/configure-linux-to-allow-network-activity-based-on-binary however the answers posted over there are not easy to understand.

Maybe there is already a way to do this that I don't know of? So I would appreciate any answers. Thanks.
Re: Allow internet/network access based on binary -- ask user for permission if a binary wants to connect to the internet
On 08/12/14 23:26, Moez Roy wrote:
> I only want certain binaries to be allowed network access. For example, I want to allow the below binaries access to the internet:
>
> /usr/lib64/firefox/firefox
> /usr/lib/virtualbox/VirtualBox
> /bin/yum (it seems to be done via python like /usr/bin/python /bin/yum update -- so here obviously python is allowed network access only for yum ('the binary'). This rule should not give python network access for any other binaries/.py scripts etc.)
>
> I want no other binary to be able to access the network.
>
> If a binary attempts to access the network there should be a popup, asking me:
>
> a. Deny network access and Remember this Decision if the same binary attempts to access the network again.
> b. Allow network access and Remember this Decision if the same binary attempts to access the network again.
> c. Allow network access this time but Prompt me Again if this binary tries to access the network.
> d. Deny network access this time but Prompt me Again if this binary tries to access the network.
> [cut]

It's really hard to say something useful when facing this kind of rather low-level specification. I think you could get better answers if you expressed your needs on a somewhat higher level. What is this all about, really?

Besides what's mentioned in the link you might use sudo or polkit to achieve something similar. No idea if this is similar enough for your needs.

Cheers!
--alec