8.11 Configuring access control to network

8.11.1 allownet

1. syntax
   1. allownet -net;
   2. allownet -connect;
   3. allownet -raw;
   4. allownet (-tcp$\mid$-udp) -port port number;
   5. allownet (-tcp$\mid$-udp) -allport;
2. meaning
   They are related to usage of network.
   1. Allow to use tcp/ip network. This includes usage of tcp, udp socket, ports more than 1024. Note that to initiate network connection is not allowed. To allow network connection, use allownet -connect. And usage of well-known ports is not allowed. Simply writing allownet; is the same meaning.
   2. Allow to connect network. This means to use $name\_connect$ and $connect$ permission in SELinux.
   3. Allow to use raw socket. Usage of raw socket is necessary for such as ICMP.
   4. When you want to use well-known port, you have to reserve port by this.
      • Ex)
        {
        domain httpd_t;
        allownet -tcp 80;
        ...
        httpd_t has reserved tcp 80 port, and can use it.
        

   5. Allow to use all unreserved well-known ports.
3. Constraints
   These can not be canceled once declared. Be careful using in global domain. If you use them in global domain, all domain has specified access right and can not be denied in individual domain.