Wart wrote:
Daniel J Walsh wrote:
The best solution would be to make a loadable policy module, and
define a new port, something like
Create a te file like the following:

# cat webapp.te
policy_module(webapp, 1.0);
require {
    type httpd_t;
};
type webapp_port_t;
allow httpd_t webapp_port_t:tcp_socket name_connect;

# make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
# semodule -i webapp.pp
# semanage port -a -t webapp_port_t -p tcp 19380-19383
Thanks for the tip. This worked just fine. Now that I have a working
policy for this server + web application, I'm trying to get it all
packaged up nicely. I've got a policy that works, but to package it
properly I'd have to split up rules between the webapp component and
the server component, with dependencies between them. I'm sure with
some more work I could do this, but it starts to become trickier to
package. It seems like it would be much easier to manage if it were
all part of the upstream selinux reference policy instead.
What is the best way to go about submitting new policies to be
included in the reference policy?
--Mike
Submit it as a patch to the selinux@xxxxxxxxxxxxx mailing list, and
request that it get upstreamed.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
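
Added example, not part of the original thread and not any poster's code: a check that every port in 19380-19383 really carries webapp_port_t after the semanage step quoted above, since the allow rule only covers ports with that label. The function names are hypothetical, and the type / proto / comma-separated ports layout of `semanage port -l` is assumed; the sample listing is constructed.

```shell
#!/bin/sh
# Reads `semanage port -l` style text on stdin and prints each type that
# covers PORT for PROTO (single ports and ranges such as 19380-19383).
port_types() {  # usage: port_types PROTO PORT
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)          # drop the list separator
                n = split(entry, r, "-")      # "lo-hi" or a single port
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# Succeeds only if every port in LO..HI carries TYPE for PROTO.
range_labelled() {  # usage: range_labelled TYPE PROTO LO HI
    listing=$(cat)
    p=$3
    while [ "$p" -le "$4" ]; do
        printf '%s\n' "$listing" | port_types "$2" "$p" | grep -qx "$1" || {
            echo "port $p/$2 is not labelled $1" >&2
            return 1
        }
        p=$((p + 1))
    done
}

# Constructed sample in the layout `semanage port -l` is assumed to print.
SAMPLE='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
webapp_port_t                  tcp      19380-19383'

# On a live system:
#   semanage port -l | range_labelled webapp_port_t tcp 19380 19383
```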