Wart wrote:
I'm receiving the following avc denial from a game package that's
under review[1]:
Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc:
denied { name_connect } for pid=2661 comm="httpd" dest=19382
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
The package includes a php-based web application and a python daemon
backend. The php webapp communicates with the python daemon through
tcp sockets.
From the avc denial it appears that this communication fails because
httpd is not allowed to establish tcp connections. This seems like a
valid security restriction, except in this case I do want to allow it.
How can I configure the httpd policy to allow tcp connections, but
only to localhost and only on the python daemon's ports (19380-19383)?
--Wart
OK, this can be fixed in multiple different ways.
One would be to allow httpd to connect to any port
setsebool -P httpd_can_network_connect=1
This would lessen your security, since httpd would now be able to
connect to any port.
Another would be to add the ports to http_port_t via semanage
semanage port -a -t http_port_t -p tcp 19380-19383
This would be better in that httpd is allowed to connect to http_port_t
by default, but now it can also bind to these additional ports.
The best solution would be to make a loadable policy module and define
a new port. Create a te file like the following:
# cat webapp.te
policy_module(webapp, 1.0);

require {
        type httpd_t;
};

# dedicated type for the daemon's ports; the port numbers are attached
# to it with semanage after the module is loaded
type webapp_port_t;

# httpd may connect to ports of this type only; nothing else changes
allow httpd_t webapp_port_t:tcp_socket name_connect;
# make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
# semodule -i webapp.pp
# semanage port -a -t webapp_port_t -p tcp 19380-19383
[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972
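As an added illustration (not part of the thread, and not a replacement for audit2allow), the following POSIX sh script takes the AVC denial quoted in the question apart and emits a .te file in the shape of the reply's webapp.te, but only when the target is the catch-all port_t and the denied destination port lies in the daemon's range 19380-19383; the sample denial, the module name webapp and the type name webapp_port_t are taken from the thread, the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: map an AVC denial to the narrow
# loadable-module fix described in the reply. Constructed sample input,
# copied from the denial quoted in the question:
AVC='Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied { name_connect } for pid=2661 comm="httpd" dest=19382 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
PORT_LO=19380; PORT_HI=19383            # the python daemon's ports

# avc_field LINE KEY: value of KEY=value in LINE, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission named between "denied {" and "}"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# port_in_range PORT LO HI: succeeds when the denied destination port is
# one of the daemon's ports; any other port is not covered by the fix
port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# generic_port LINE: succeeds when the target is the catch-all port_t, the
# case where a dedicated port type (rather than opening port_t or the whole
# network to httpd_t) is the right fix
generic_port() {
    [ "$(context_type "$(avc_field "$1" tcontext)")" = port_t ]
}

# gen_te LINE MODULE PORTTYPE: .te source in the shape of the reply's
# webapp.te, with source type, object class and permission from the denial
gen_te() {
    stype=$(context_type "$(avc_field "$1" scontext)")
    printf 'policy_module(%s, 1.0);\n\nrequire {\n\ttype %s;\n};\n\n' "$2" "$stype"
    printf 'type %s;\nallow %s %s:%s %s;\n' "$3" "$stype" "$3" "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# Print the module and the labelling command only for a denial that fits
if generic_port "$AVC" && port_in_range "$(avc_field "$AVC" dest)" "$PORT_LO" "$PORT_HI"; then
    gen_te "$AVC" webapp webapp_port_t
    printf '\n# semanage port -a -t webapp_port_t -p tcp %s-%s\n' "$PORT_LO" "$PORT_HI"
fi
```

A denial against an already labelled port type, or against a port outside the range, produces no module, which is the point: the rule stays as narrow as the question asked for.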
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list