Thanks! For the listining ports, I've done that. For the connecting ports, I pick a random port between 1025..65535, call connect() then if the port is in use, increment the port number and try again. Up until selinex, "permission denied" has not been a connect() error that I've had to deal with. I could change it so that "permission denied" also results in incrementing the port number and retrying connect(). ... however looking at the results of 'semanage port -l', most of those ports aren't used by the selinux domains they are registered for. When "hardening" a system, we make sure that various un-needed network services are not installed. Should we also remove selinux policy (and port registration) for those services? Thanks, Brian ________________________________________ From: Daniel J Walsh [dwalsh@xxxxxxxxxx] Sent: Saturday, May 16, 2009 4:49 AM To: Brian Ginn Cc: 'fedora-selinux-list@xxxxxxxxxx' Subject: Re: network failures maybe SELinux related? On 05/15/2009 05:48 PM, Brian Ginn wrote: > corenet_tcp_bind_all_ports() seems to have solved my problems. > On what domain? This will allow that domain to bind to any port, if you know what port you want to listen on, you might be able to add the port using semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER > > -Brian > > > From: Brian Ginn > Sent: Friday, May 15, 2009 1:44 PM > To: 'fedora-selinux-list@xxxxxxxxxx' > Subject: network failures maybe SELinux related? > > I have a client app run by users, and two server apps run from xinetd. > The client connects to server1 > Server1 connects to server2 > Server2 connects back to the client app > > When not confined by SELinux policy. Everything works fine. > I can run several hundred iterations without any failures. > When confined, but run in permissive mode, Everything works fine. - nothing in audit.log > > When confined and enforced, it works a few times, then the connection from server1 to server2 fails. > Then, after a rest, it works a few times, then the connection from server1 to server2 fails. > There is nothing in audit.log. > Does anyone have suggestions for constraints or don't audit rules I should look into? > > > Thanks, > Brian > > > > > > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
