Ian Lists wrote:
> This howto is exactly what I have been looking for. I am trying to allow
> apache to connect to a listening stunnel process at localhost:9002. I think
> I have created mystunnel.te correctly, but I keep getting errors when I try
> to run the make against it.
>
> Here are the steps I have taken so far.
>
> # cat > mystunnel.te << _EOF
> policy_module(mystunnel,1.0.0)
>
> gen_require(\`
> type httpd_t;
> ')
>
> type stunnel_port_t;
> corenet_port(stunnel_port_t)
>
> allow httpd_t stunnel_port_t:tcp_socket name_connect;
> _EOF
>
> # make -f/usr/share/selinux/devel/Makefile
> Compiling targeted mystunnel module
> /usr/bin/checkmodule: loading policy configuration from tmp/mystunnel.tmp
> mystunnel.te:8:ERROR 'syntax error' at token 'corenet_port' on line 77035:
> type stunnel_port_t;
> corenet_port(stunnel_port_t)
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/mystunnel.mod] Error 1
>

What version of the policy are you using? You can just remove this
corenet_port call for now; I believe everything will still work.

grep -r corenet_port /usr/share/selinux/devel/include

> Thanks,
>
> Ian
>
> ----- Original Message -----
> From: "Daniel J Walsh" <dwalsh@xxxxxxxxxx>
> To: "Jason L Tibbitts III" <tibbs@xxxxxxxxxxx>
> Cc: fedora-selinux-list@xxxxxxxxxx
> Sent: Monday, September 24, 2007 5:55:39 PM (GMT-0500) America/New_York
> Subject: Re: Allowing httpd to connect to specific sockets
>
> Jason L Tibbitts III wrote:
>> So I have this AVC:
>>
>> avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680
>> scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0
>> tclass=tcp_socket
>>
>> which comes from a PHP script trying to open a socket. This is no big
>> deal. I believe that setting httpd_can_network_connect should fix it.
>> However, I was wondering if it's possible to restrict the destination
>> port to 9680, or restrict the destination host at all?
>>
>> - J<
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Hope you don't mind but I answered in my blog.
>
> http://danwalsh.livejournal.com/12928.html
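An added example, not code from the thread or from Dan's blog: it automates the grep Dan suggests, writing mystunnel.te with the corenet_port() call only when the installed policy headers define that interface, and then builds, installs and labels the stunnel port. The semanage port step and the build_and_label function are assumptions beyond what the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates mystunnel.te so that the
# corenet_port() call is present only when the installed policy headers
# define that interface (the grep Dan suggests), then builds and installs
# the module and labels the stunnel port. The semanage step is an assumed
# follow-up that the thread does not spell out.

# Return 0 if the headers under $1 define the corenet_port interface.
have_corenet_port() {
    inc="${1:-/usr/share/selinux/devel/include}"
    [ -d "$inc" ] && grep -rq "interface(\`corenet_port'" "$inc"
}

# Write $2/mystunnel.te for the headers in $1 and print its path.
write_mystunnel_te() {
    inc="$1"; out="$2/mystunnel.te"
    if have_corenet_port "$inc"; then
        port_decl="type stunnel_port_t;
corenet_port(stunnel_port_t)"
    else
        # Older policy (as in the thread): declare the type without the macro.
        port_decl="type stunnel_port_t;"
    fi
    cat > "$out" <<EOF
policy_module(mystunnel, 1.0.0)

gen_require(\`
	type httpd_t;
')

$port_decl

# Let Apache (httpd_t) open outbound TCP connections only to ports
# labelled stunnel_port_t; every other port stays denied.
allow httpd_t stunnel_port_t:tcp_socket name_connect;
EOF
    echo "$out"
}

# Build, install and label tcp/$2 (default 9002); needs a SELinux host.
build_and_label() {
    dir="$1"; port="${2:-9002}"
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile mystunnel.pp) || return 1
    semodule -i "$dir/mystunnel.pp" || return 1
    # Assumption: attach the new port type to the stunnel listener port.
    semanage port -a -t stunnel_port_t -p tcp "$port"
}
```

Run write_mystunnel_te first on a build directory, inspect the result, then build_and_label on a host where the policy tools are installed.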