[Wine] Re: creating built-in firewall for Wine

oiaohm wineforum-user at winehq.org
Fri Apr 8 23:07:32 CDT 2011


Martin Gregorie wrote:
> On Fri, 2011-04-08 at 12:59 -0500, Boriso wrote:
> 
> > I think that some kind of script or internal Wine command would be
> > great if it could create new Wine prefix and configure some
> > restrictions in IPTables and/or AppArmor.
> > 
> > 
> There is no relationship at all between the IPTables firewall and
> Apparmor/SELinux[1].
> 
> The IPTables firewall is only concerned with controlling ICP/IP access
> to a computer - both TCP/IP sessions and datagrams. It controls
> incoming connections from external TCP/IP data sources and also controls
> outgoing connections. Thats all it does. It neither knows not cares what
> program is trying to make or receive network connections: it is purely a
> perimeter guard. 
> 
> OTPH Apparmor/SELinux is concerned with extending control over the way a
> specific program can access resources (files, etc.) provided within a
> computer. SELinux adds labels to file system resources to implement
> Access Control Lists (ACLs) that restrict access in ways that the file
> ownership and associated read/write/execute permissions cannot. It
> neither knows nor cares about network access apart from the trivial case
> of specifying which users can connect to a network port. 
> 

Selinux is about labeling.  Selinux is not like Apparmor.   secmark makes iptable label and able to handle labels.  Yes depending on what secmark label is on something can alter how iptables handles the packets.

Access Control Lists in fact are not part of SELinux.  SELinux is MAC.  Access Control Lists are DAC.  Two completely different levels of secuirty.  Access Control Lists exist independent to apparmor or selinux.

Selinux implements Role Based Access Control.  This is completely different.  Role Based Extends up to iptables with semark then into sepostgresql databases  then into "X Access Control Extension".  Yes Selinux can control even what applications you can copy paste between.   Role Based Access Control fully on truly can control everything you do on a system.   Role Based Access Control does not end in its implementations just with kernel space code.

True iptable does not care about the application as such.  Iptables with secmark does care if application receiving or sending has the right label.

The idea that iptable is pure perimeter guard is wrong.   Its more like an elevator control person who might not know exactly what is going on but knows you should be going to x floor due to having x room key.   Now as long as people only have the correct door keys this is solid.

http://wiki.postgresql.org/wiki/SEPostgreSQL_Introduction .  There is no reason why wineserver could not have a Selinux compatible form.  So allowing selinux tags/secmark to pass through wineserver and iptables respond correctly based on those flags.

http://www.linux.com/learn/tutorials/421152:using-selinux-and-iptables-together  Yes this is using the iptables secuirty section to pick up selinux tags to control the firewall.

http://james-morris.livejournal.com/11010.html  This is when the relationship between selinux and iptables started.  Yes there is a relationship Martin Gregorie been one for over 4 years.

Apparmor you are correct there is no relationship at this stage.   Selinux you are way off.  Secmark support is planned to be added to Apparmor at some point in future.  They were hoping for 2.6.39 for Apparmor support of secmark but from what I have seen of 2.6.39 it still lacking it of course might have missed it.   Basically in a year time using secmark with iptables could be common place.

Both selinux + iptables with secmarks work as one.  To provide a more secure system.

http://www.freenet.org.nz/python/pyshaper/  This is a iproute2 front end.  This is one of the other paths.  This is application neutral.    Runs into the same problem from wineserver of it not telling it who it working for.  iproute2+iptables is another combination that can share labeling.

iproute2 support for filtering compatible with wine would have been one of the valid paths to enable filtering.  No back door way to sneak around this.

Apparmor is not used by any officially enterprise distributions due to its lack of key features like no secmark support so does not pass DOD requirements.

I really wish people who really don't know secuirty would not try talking on secuirty topics.







More information about the wine-users mailing list