Hi,
What are the TCP ports that processes in the tor_t domain are actually allowed to bind to? (with tor_bind_all_unreserved_ports --> off, tor_can_network_relay --> on)
semanage gives me: tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150
but tor can bind to 80, 443 or 9000 without problems (but for example 5000 is not allowed -> AVCs).
Used policy version: selinux-policy-targeted-3.13.1-23.el7.noarch
Is there already a boolean that allows binding to arbitrary ports, as suggested here: https://bugzilla.redhat.com/show_bug.cgi?id=544546#c5
thanks, Nusenu
On 04/06/2015 08:33 PM, Nusenu wrote:
> Hi,
> What are the TCP ports that processes in the tor_t domain are actually allowed to bind to? (with tor_bind_all_unreserved_ports --> off, tor_can_network_relay --> on)
> semanage gives me: tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150
> but tor can bind to 80, 443 or 9000 without problems (but for example 5000 is not allowed -> AVCs).
> Used policy version: selinux-policy-targeted-3.13.1-23.el7.noarch
> Is there already a boolean that allows binding to arbitrary ports, as suggested here: https://bugzilla.redhat.com/show_bug.cgi?id=544546#c5
You can use sesearch to check it:
$ sesearch -A -s tor_t -c tcp_socket -p name_bind -C
Or you can use sepolicy, which gets you what you want to see:
$ sepolicy network -d tor_t
> thanks, Nusenu
> --
> selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
On 04/07/2015 09:03 AM, Miroslav Grepl wrote:
> On 04/06/2015 08:33 PM, Nusenu wrote:
>> Hi,
>> What are the TCP ports that processes in the tor_t domain are actually allowed to bind to? (with tor_bind_all_unreserved_ports --> off, tor_can_network_relay --> on)
>> semanage gives me: tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150
>> but tor can bind to 80, 443 or 9000 without problems (but for example 5000 is not allowed -> AVCs).
If you need some custom port for tor binding and you won't use the 'tor_bind_all_unreserved_ports' boolean, you could use the semanage tool to label your custom port as tor_port_t. Example:
semanage port -a -t tor_port_t -p tcp 5000
>> Used policy version: selinux-policy-targeted-3.13.1-23.el7.noarch
>> Is there already a boolean that allows binding to arbitrary ports, as suggested here: https://bugzilla.redhat.com/show_bug.cgi?id=544546#c5
> You can use sesearch to check it:
> $ sesearch -A -s tor_t -c tcp_socket -p name_bind -C
> Or you can use sepolicy, which gets you what you want to see:
> $ sepolicy network -d tor_t
>> thanks, Nusenu
> --
> Miroslav Grepl
> Software Engineering, SELinux Solutions
> Red Hat, Inc.
>> What are the TCP ports that processes in the tor_t domain are actually allowed to bind to? (with tor_bind_all_unreserved_ports --> off, tor_can_network_relay --> on)
>> semanage gives me: tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150
>> but tor can bind to 80, 443 or 9000 without problems (but for example 5000 is not allowed -> AVCs).
> If you need some custom port for tor binding and you won't use the 'tor_bind_all_unreserved_ports' boolean, you could use the semanage tool to label your custom port as tor_port_t. Example:
> semanage port -a -t tor_port_t -p tcp 5000
That sounds great: it allows it to run without allowing more than needed. Unfortunately it does not work for every port:
ValueError: Port tcp/5000 already defined
On 04/10/2015 04:13 PM, Nusenu wrote:
>>> What are the TCP ports that processes in the tor_t domain are actually allowed to bind to? (with tor_bind_all_unreserved_ports --> off, tor_can_network_relay --> on)
>>> semanage gives me: tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150
>>> but tor can bind to 80, 443 or 9000 without problems (but for example 5000 is not allowed -> AVCs).
>> If you need some custom port for tor binding and you won't use the 'tor_bind_all_unreserved_ports' boolean, you could use the semanage tool to label your custom port as tor_port_t. Example:
>> semanage port -a -t tor_port_t -p tcp 5000
> That sounds great: it allows it to run without allowing more than needed. Unfortunately it does not work for every port:
> ValueError: Port tcp/5000 already defined
Hi,
If you need to bind on a defined port, there is a way to make a "local" policy with a rule allowing this. To build the local policy follow this:
1. Generate the AVC (in your case tor binding to port 5000).
2. Store this AVC in some file (like tor_local.txt).
3. Use: $ cat ./tor_local.txt | audit2allow -M tor_local
4. Use: # semodule -i tor_local.pp
Now the tor_t domain can bind to port 5000.
Last thing, be careful with this. Make local policies when you know what you are allowing, for security reasons.
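To make step 3 concrete, here is an added example of my own (an illustration in the spirit of audit2allow, not audit2allow itself and not code from anyone in this thread). It reads AVC lines of the kind tor produces, keeps only tcp_socket name_bind denials from tor_t, and emits a minimal .te module in the layout audit2allow -M generates. The sample AVC lines are constructed; the port label commplex_main_port_t in them is an assumption for illustration, and the unrelated file denial is there to show why feeding every denial to audit2allow blindly is a bad idea.

```python
import re

# Constructed sample AVC lines (not copied from the thread). The port label
# commplex_main_port_t is an assumption for illustration. The third line is an
# unrelated denial, included to show that a local module should not simply
# allow every denial it is fed.
SAMPLE_AVCS = """\
type=AVC msg=audit(1428660000.101:812): avc:  denied  { name_bind } for  pid=2147 comm="tor" src=5000 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1428660000.102:813): avc:  denied  { name_bind } for  pid=2147 comm="tor" src=5000 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1428660001.000:814): avc:  denied  { getattr } for  pid=2147 comm="tor" path="/etc/resolv.conf" dev="dm-0" ino=4711 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for non-AVC lines."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    try:
        return {
            'perms': set(m.group(1).split()),
            'sdom': fields['scontext'].split(':')[2],   # user:role:TYPE:level
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'port': int(fields['src']) if 'src' in fields else None,
        }
    except (KeyError, IndexError, ValueError):
        return None


def build_bind_module(avc_text, domain='tor_t', name='tor_local', version='1.0'):
    """Return (te_source, ports, skipped).

    te_source: a .te module allowing only tcp_socket name_bind from `domain`
               to the port types seen in the denials, in audit2allow's layout.
    ports:     the port numbers those denials were for (what you are opening up).
    skipped:   parsed denials that were deliberately NOT turned into rules.
    """
    port_types, ports, skipped = set(), set(), []
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if (rec['sdom'] == domain and rec['tclass'] == 'tcp_socket'
                and rec['perms'] == {'name_bind'}):
            port_types.add(rec['ttype'])
            ports.add(rec['port'])
        else:
            skipped.append(rec)

    lines = [f'module {name} {version};', '', 'require {', f'\ttype {domain};']
    lines += [f'\ttype {t};' for t in sorted(port_types)]
    lines += ['\tclass tcp_socket name_bind;', '}', '',
              f'#============= {domain} ==============']
    lines += [f'allow {domain} {t}:tcp_socket name_bind;' for t in sorted(port_types)]
    return '\n'.join(lines) + '\n', ports, skipped


if __name__ == '__main__':
    te, ports, skipped = build_bind_module(SAMPLE_AVCS)
    print(te)
    print(f'# opens ports {sorted(ports)}; {len(skipped)} unrelated denial(s) left out')
```

Write the returned source to tor_local.te and build it the usual way: checkmodule -M -m -o tor_local.mod tor_local.te, then semodule_package -o tor_local.pp -m tor_local.mod, then the semodule -i from step 4. Note what the rule actually grants: an allow on a port type covers every port carrying that label, not just the one in the AVC, which is why the function also returns the port numbers so you can compare them with the label before installing.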
> If you need to bind on a defined port, there is a way to make a "local" policy with a rule allowing this. To build the local policy follow this:
> 1. Generate the AVC (in your case tor binding to port 5000).
> 2. Store this AVC in some file (like tor_local.txt).
> 3. Use: $ cat ./tor_local.txt | audit2allow -M tor_local
> 4. Use: # semodule -i tor_local.pp
I'm aware of this process, but it is not applicable in an ansible role [1] (my use case).
> Last thing, be careful with this. Make local policies when you know what you are allowing, for security reasons.
Yes, you definitely don't want to perform this blindly and automatically.
I would have no problem running semanage port -a ... $port, since the user's selected tor ports are obviously available. That would have been a neat solution to create a tailored SELinux adjustment without the user even noticing, while still working out of the box with arbitrary ports. Probably too nice to actually work.
[1] https://github.com/nusenu/ansible-relayor
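As a follow-up to the "already defined" error and the ansible use case, here is an added example of my own (not from this thread and not from ansible-relayor) that reads `semanage port -l` output and decides what, if anything, semanage has to run so that a given port is labelled tor_port_t. The listing below is constructed for illustration; only the tor_port_t line reproduces what the thread reports. The decision it encodes: `semanage port -a` refuses a port that already has an explicit definition under another type, and for such a port `semanage port -m` (modify) relabels it instead; a port that is already tor_port_t needs nothing, which is what keeps a configuration-management run idempotent.

```python
import re

# Constructed sample of `semanage port -l` output (not captured from the thread;
# only the tor_port_t line reproduces what the thread reports).
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

commplex_main_port_t           tcp      5000
commplex_main_port_t           udp      5000
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
tor_port_t                     tcp      6969, 9001, 9030, 9050, 9051, 9150
unreserved_port_t              tcp      1024-32767, 61001-65535
"""

LINE_RE = re.compile(r'^(\w+)\s+(tcp|udp|dccp|sctp)\s+(.+)$')


def parse_listing(text):
    """Turn `semanage port -l` output into (type, proto, low, high) tuples, in order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header line or blank line
        ptype, proto, spec = m.groups()
        for item in spec.split(','):
            low, _, high = item.strip().partition('-')
            entries.append((ptype, proto, int(low), int(high or low)))
    return entries


def explicit_type(entries, proto, port):
    """Type of an exact single-port definition for proto/port, or None.

    This is the case in which `semanage port -a` refuses with
    'Port tcp/NNNN already defined'; a port only covered by a range
    (e.g. unreserved_port_t 1024-32767) does not trigger it.
    """
    for ptype, p, low, high in entries:
        if p == proto and low == high == port:
            return ptype
    return None


def effective_type(entries, proto, port):
    """Approximate the label applied to proto/port: an exact definition wins
    over a range; among ranges the first listed wins."""
    exact = explicit_type(entries, proto, port)
    if exact:
        return exact
    for ptype, p, low, high in entries:
        if p == proto and low <= port <= high:
            return ptype
    return None


def plan_semanage(entries, port, proto='tcp', target='tor_port_t'):
    """Return the semanage argv needed to label proto/port as target, or None
    when the port already carries that label (nothing to do)."""
    current = explicit_type(entries, proto, port)
    if current == target:
        return None
    # -m (modify) for a port that already has an explicit definition under
    # another type, -a (add) otherwise.
    action = '-m' if current is not None else '-a'
    return ['semanage', 'port', action, '-t', target, '-p', proto, str(port)]


if __name__ == '__main__':
    entries = parse_listing(SAMPLE_LISTING)
    for port in (5000, 9050, 7000):
        print(port, effective_type(entries, 'tcp', port), plan_semanage(entries, port))
```

In a role you would feed it the real output of semanage port -l and run the returned command only when it is not None. Whatever you choose, the relabelled port still only gets what the tor_t policy grants for tor_port_t, which is the narrower change compared with a hand-written allow rule; Ansible's seport module exposes the same add-or-modify operation declaratively.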