
I'm running a dedicated machine on RHEL (CentOS 6.3) that runs with multiple IP addresses. Multiple users also have access to the machine, on non-superuser accounts. I would like to prevent them from binding to certain addresses.

I do know that Linux can restrict ports for non-root users, as is currently done for ports smaller than or equal to 1024. If I wanted to prevent access to a specific IP address such as 0.0.0.0, or a range such as 127.0.0.0/8, would doing so be possible, and if so, how would it be done?

Or inversely, how would I deny all access to bind to any IP addresses, and grant access to individual addresses by user?

hexacyanide
  • SELinux would be an option – fuero May 17 '13 at 05:16
  • But sadly, SELinux sucks. Network namespaces provide a mechanism for separating access to specific interfaces, and with iptables, routing, bridging and dummy interfaces you have a set of primitives from which it is possible to implement complex security policies - http://unix.stackexchange.com/questions/210982/bind-unix-program-to-specific-network-interface – symcbean Nov 03 '16 at 23:10

1 Answer

I won't go into detail on how SELinux is set up or how one creates a SELinux policy. This might be a good starting point for getting familiar with SELinux.

To address your problem with SELinux, try this:

  • Assign a type to the network interface you would like to restrict

    # Assign a type to the whole interface
    semanage interface -a -t foo_netif_t eth2
    
  • Assign labels to traffic passing through the interface

    netlabelctl unlbl add interface:eth2 address:0.0.0.0/0 label:system_u:object_r:foo_peer_t:s0
    netlabelctl unlbl add interface:eth2 address:::/0 label:system_u:object_r:foo_peer_t:s0
    

    This example assigns the type foo_peer_t to all IPv4 and IPv6 traffic.

  • Add rules to allow packet flow

    Traffic entering

    allow user_t foo_netif_t:netif ingress;
    allow user_t foo_peer_t:node recvfrom;
    

    Traffic leaving

    allow user_t foo_netif_t:netif egress;
    allow user_t foo_peer_t:node sendto;
    

    Replace user_t with the type assigned to the user you wish to restrict.

fuero
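Whichever mechanism is used (the SELinux labels above, or the network namespaces suggested in the comments), the practical check is the same: log in as the restricted user and see which local addresses a bind() actually succeeds on. The following probe is an added example and is not part of the answer or of any SELinux tooling; the address list is constructed for illustration. A policy denial surfaces to the process as EACCES, the same errno a non-root user gets for a privileged port, while an address the host does not own returns EADDRNOTAVAIL, so the two cases are easy to tell apart.

```python
#!/usr/bin/env python3
"""Probe which local addresses the current user may bind.

Added example, not code from the original answer. Run it as the restricted
(non-root) user after applying the policy; each address the policy blocks
should come back as EACCES rather than as a successful bind.
"""
import errno
import socket

# Constructed list of (address, port) pairs to probe.  Port 0 asks the kernel
# for any free ephemeral port, so the probe exercises the address, not the port.
PROBES = [
    ("127.0.0.1", 0),      # loopback
    ("0.0.0.0", 0),        # IPv4 wildcard (the asker wants to deny this)
    ("::", 0),             # IPv6 wildcard
    ("127.0.0.1", 80),     # privileged port: EACCES for a non-root user
    ("203.0.113.1", 0),    # TEST-NET-3, not configured locally: EADDRNOTAVAIL
]


def try_bind(address, port):
    """Attempt a TCP bind; return None on success or the errno name on failure.

    The socket is closed immediately, so nothing is left listening.
    """
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((address, port))
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def probe_all(probes=PROBES):
    """Return {(address, port): result} for every probe in the list."""
    return {(addr, port): try_bind(addr, port) for addr, port in probes}


def denied(results):
    """Probes the kernel refused with EACCES, i.e. a permission (policy) denial."""
    return sorted(key for key, value in results.items() if value == "EACCES")


if __name__ == "__main__":
    outcome = probe_all()
    for (addr, port), result in outcome.items():
        print(f"{addr}:{port:<5} -> {'bound OK' if result is None else result}")
    print("denied by permission check:", denied(outcome))
```

Run it once as the restricted user before and once after loading the policy; every address you intended to block should move from "bound OK" to EACCES, and on an SELinux system each of those denials should have a matching AVC record in `ausearch -m AVC`. Anything that still binds is a gap in the rules, not in the test.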