So I have this AVC:
avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
which comes from a PHP script trying to open a socket. This is no big deal. I believe that setting httpd_can_network_connect should fix it. However, I was wondering if it's possible to restrict the destination port to 9680, or restrict the destination host at all?
- J<
Jason L Tibbitts III wrote:
> So I have this AVC:
> avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> which comes from a PHP script trying to open a socket. This is no big deal. I believe that setting httpd_can_network_connect should fix it. However, I was wondering if it's possible to restrict the destination port to 9680, or restrict the destination host at all?
> - J<
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Hope you don't mind but I answered in my blog.
http://danwalsh.livejournal.com/12928.html
"DJW" == Daniel J Walsh dwalsh@redhat.com writes:
DJW> Hope you don't mind but I answered in my blog.
No problem at all; thanks. And given that I've only tweaked things using semanage, my question now is whether there's anything I need to do to make sure that the policy modification via semodule is persistent.
- J<
Jason L Tibbitts III wrote:
> "DJW" == Daniel J Walsh dwalsh@redhat.com writes:
> DJW> Hope you don't mind but I answered in my blog.
> No problem at all; thanks. And given that I've only tweaked things using semanage, my question now is whether there's anything I need to do to make sure that the policy modification via semodule is persistent.
> - J<
Nope, semodule/semanage are always persistent. The only thing that is ever not persistent is setsebool without the -P qualifier.
This howto is exactly what I have been looking for. I am trying to allow apache to connect to a listening stunnel process at localhost:9002. I think I have created mystunnel.te correctly, but I keep getting errors when I try to run the make against it.
Here are the steps I have taken so far.

# cat > mystunnel.te << _EOF
policy_module(mystunnel,1.0.0)

gen_require(`
        type httpd_t;
')

type stunnel_port_t;
corenet_port(stunnel_port_t)

allow httpd_t stunnel_port_t:tcp_socket name_connect;
_EOF

# make -f/usr/share/selinux/devel/Makefile
Compiling targeted mystunnel module
/usr/bin/checkmodule: loading policy configuration from tmp/mystunnel.tmp
mystunnel.te:8:ERROR 'syntax error' at token 'corenet_port' on line 77035:
type stunnel_port_t;
corenet_port(stunnel_port_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/mystunnel.mod] Error 1
Thanks,
Ian
----- Original Message -----
From: "Daniel J Walsh" dwalsh@redhat.com
To: "Jason L Tibbitts III" tibbs@math.uh.edu
Cc: fedora-selinux-list@redhat.com
Sent: Monday, September 24, 2007 5:55:39 PM (GMT-0500) America/New_York
Subject: Re: Allowing httpd to connect to specific sockets
Ian Lists wrote:
> This howto is exactly what I have been looking for. I am trying to allow apache to connect to a listening stunnel process at localhost:9002. I think I have created mystunnel.te correctly, but I keep getting errors when I try to run the make against it.
> Here are the steps I have taken so far.
>
> # cat > mystunnel.te << _EOF
> policy_module(mystunnel,1.0.0)
>
> gen_require(`
>         type httpd_t;
> ')
>
> type stunnel_port_t;
> corenet_port(stunnel_port_t)
>
> allow httpd_t stunnel_port_t:tcp_socket name_connect;
> _EOF
>
> # make -f/usr/share/selinux/devel/Makefile
> Compiling targeted mystunnel module
> /usr/bin/checkmodule: loading policy configuration from tmp/mystunnel.tmp
> mystunnel.te:8:ERROR 'syntax error' at token 'corenet_port' on line 77035:
> type stunnel_port_t;
> corenet_port(stunnel_port_t)
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/mystunnel.mod] Error 1
What version of the policy are you using?
You can just remove this corenet_port call for now; I believe everything will still work.
grep -r corenet_port /usr/share/selinux/devel/include
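The full procedure Ian is attempting, as an added example (my own shell script, not code from the thread or from Dan's blog): it generates the module without the corenet_port() call Dan says to drop, builds and loads it with the devel Makefile and semodule, then labels the stunnel port with semanage. The function names, the use of the port_type attribute in place of corenet_port(), and the sesearch check are assumptions.

```shell
# Added example, not code from the thread: build a small SELinux policy
# module that lets httpd_t name_connect only to a port carrying our own
# type, then label the stunnel port with semanage. Assumes the refpolicy
# devel Makefile (selinux-policy-devel) and root for install_module.
set -eu

MODULE=mystunnel
PORT=9002             # stunnel listener from Ian's message
PORT_TYPE=stunnel_port_t

# Write $MODULE.te into directory $1 and print its path.
write_module_te() {
    dir=$1
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.0)

gen_require(\`
    type httpd_t;
    attribute port_type;
')

# Our own port type. Attaching port_type directly stands in for the
# corenet_port() call the older policy rejected (assumption).
type $PORT_TYPE;
typeattribute $PORT_TYPE port_type;

# Only this port type is reachable, not the generic port_t.
allow httpd_t $PORT_TYPE:tcp_socket name_connect;
EOF
    echo "$dir/$MODULE.te"
}

# Build, load (semodule changes are persistent) and label the port.
install_module() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    semanage port -a -t "$PORT_TYPE" -p tcp "$PORT"
    # Verify the label and the loaded allow rule.
    semanage port -l | grep "$PORT_TYPE"
    sesearch -A -s httpd_t -t "$PORT_TYPE" -c tcp_socket -p name_connect
}

# Run the install step only when asked; generating the .te has no side effects.
if [ "${1:-}" = "install" ]; then
    d=$(mktemp -d)
    write_module_te "$d"
    install_module "$d"
fi
```

Invoke as `sh mystunnel.sh install` on the target host; a later AVC for httpd_t against port_t (rather than stunnel_port_t) then means the connection went to a port this module does not cover.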