FuncWeb and SELinux

Apache is confined in the default SELinux policy on CentOS/Fedora/RHEL
(and in every SELinux-enabled distro that uses the reference policy).
This means that the apache process can't connect to the funcwebd port
(51236) unless we use one of the following:

1. Set httpd_can_network_connect:
   # setsebool -P httpd_can_network_connect 1
   This means that the httpd process can connect to any port it
   wants. This obviously gives httpd much more power than it needs.

2. Use semanage to mark port 51236 as http_port_t:
   # semanage port -a -t http_port_t -p tcp 51236
   This means that 51236 is treated as one of apache's own ports, so
   httpd can connect to it without any problems.

3. Ship our own loadable SELinux policy:
module funcweb 0.1;

require {
        type httpd_t;
        type port_t;
        attribute port_type;
        class tcp_socket name_connect;
}

# A dedicated port type for funcwebd, carrying the port_type attribute
type funcweb_port_t, port_type;

# Allow httpd to connect only to ports labeled funcweb_port_t
allow httpd_t funcweb_port_t:tcp_socket name_connect;

   Save the above as funcweb.te, then compile and load the module:
   # checkmodule -M -m -o funcweb.mod funcweb.te
   # semodule_package -o funcweb.pp -m funcweb.mod
   # semodule -i funcweb.pp
   Now we have to specify which port(s) should be labeled
   funcweb_port_t:
   # semanage port -a -t funcweb_port_t -p tcp 51236

   I've only done some limited testing on CentOS5 and FC8, but it's
   simple, so it should be working ok. I'm not sure about some older
   RHELs with some ancient SELinux... Does RHEL4 support loadable
   policy? I'll probably have to check that.

I personally like the 3rd option the most. Any comments?
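Added example, not part of the original message or of the func project: a small audit script that tells you which of the three options above is actually in effect on a host, by parsing the output of `getsebool httpd_can_network_connect` and `semanage port -l`. It reports the broadest grant first, since a set `httpd_can_network_connect` boolean makes the port label irrelevant, and flags option 1 as over-broad. The sample command output embedded below is constructed so the script runs offline; `live_classify()` runs the real commands and is an assumption that the SELinux userland tools are installed.

```python
"""Audit how httpd_t is allowed to reach the funcwebd port under SELinux.

Classifies the host into one of the three options from the post:
  option1: httpd_can_network_connect is on (httpd may connect anywhere)
  option2: the port is labeled http_port_t
  option3: the port is labeled funcweb_port_t (least privilege)
  none:    httpd_t would be denied (expect an AVC in audit.log)
"""
import re
import subprocess

FUNCWEB_PORT = 51236  # port used by funcwebd, as given in the post

# Constructed sample output of `getsebool httpd_can_network_connect`
SAMPLE_GETSEBOOL = "httpd_can_network_connect --> off\n"

# Constructed, abridged sample output of `semanage port -l`
SAMPLE_SEMANAGE = """\
SELinux Port Type              Proto    Port Number

funcweb_port_t                 tcp      51236
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
"""


def parse_getsebool(output):
    """Return {boolean_name: bool} from getsebool's 'name --> on|off' lines."""
    result = {}
    for line in output.splitlines():
        m = re.match(r"^(\S+)\s+-->\s+(on|off)\s*$", line)
        if m:
            result[m.group(1)] = (m.group(2) == "on")
    return result


def parse_semanage_ports(output):
    """Return [(type, proto, lo, hi), ...] from `semanage port -l` output.

    Single ports become (p, p); ranges like 10001-10010 keep both ends.
    Header and blank lines do not match the pattern and are skipped.
    """
    entries = []
    for line in output.splitlines():
        m = re.match(r"^(\S+_port_t)\s+(tcp|udp)\s+(.+)$", line)
        if not m:
            continue
        ptype, proto, ports = m.groups()
        for item in ports.split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = (int(x) for x in item.split("-", 1))
            else:
                lo = hi = int(item)
            entries.append((ptype, proto, lo, hi))
    return entries


def port_types(entries, port, proto="tcp"):
    """All SELinux port types whose definition covers `port` on `proto`."""
    return sorted({t for t, p, lo, hi in entries
                   if p == proto and lo <= port <= hi})


def classify(getsebool_out, semanage_out, port=FUNCWEB_PORT):
    """Which option grants httpd_t name_connect to `port`?  Broadest first."""
    bools = parse_getsebool(getsebool_out)
    types = port_types(parse_semanage_ports(semanage_out), port)
    if bools.get("httpd_can_network_connect"):
        return "option1:httpd_can_network_connect"  # over-broad grant
    if "http_port_t" in types:
        return "option2:http_port_t"
    if "funcweb_port_t" in types:
        return "option3:funcweb_port_t"
    return "none"


def live_classify(port=FUNCWEB_PORT):
    """Run the real commands (assumes policycoreutils; semanage needs root)."""
    gb = subprocess.run(["getsebool", "httpd_can_network_connect"],
                        capture_output=True, text=True, check=True).stdout
    sm = subprocess.run(["semanage", "port", "-l"],
                        capture_output=True, text=True, check=True).stdout
    return classify(gb, sm, port)


if __name__ == "__main__":
    # Offline run against the constructed samples
    print(classify(SAMPLE_GETSEBOOL, SAMPLE_SEMANAGE))
```

If the result is `none`, httpd_t has no path to the port and a `tcp_socket name_connect` denial should show up in the audit log when funcweb is used; if it is `option1`, the boolean is masking whichever port label is present and should be turned off once option 2 or 3 is in place.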

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
