Re: network failures maybe SELinux related?

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

On 05/18/2009 12:37 PM, Brian Ginn wrote:
> Thanks!
>
> For the listining ports, I've done that.
> For the connecting ports, I pick a random port between 1025..65535, call connect() then if the port
> is in use, increment the port number and try again.
>
> Up until selinex, "permission denied" has not been a connect() error that I've had to deal with.
> I could change it so that "permission denied" also results in incrementing the port number and
> retrying connect().
> ... however looking at the results of 'semanage port -l', most of those ports aren't used by the
> selinux domains they are registered for.
>
> When "hardening" a system, we make sure that various un-needed network services are not installed.
> Should we also remove selinux policy (and port registration) for those services?
>
>
> Thanks,
> Brian
>
> ________________________________________
> From: Daniel J Walsh [dwalsh@xxxxxxxxxx]
> Sent: Saturday, May 16, 2009 4:49 AM
> To: Brian Ginn
> Cc: 'fedora-selinux-list@xxxxxxxxxx'
> Subject: Re: network failures maybe SELinux related?
>
> On 05/15/2009 05:48 PM, Brian Ginn wrote:
> > corenet_tcp_bind_all_ports()  seems to have solved my problems.
> On what domain?  This will allow that domain to bind to any port, if you
> know what port you want to listen on, you might be able to add the port
> using
>
> semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER
> > -Brian
> >
> >
> > From: Brian Ginn
> > Sent: Friday, May 15, 2009 1:44 PM
> > To: 'fedora-selinux-list@xxxxxxxxxx'
> > Subject: network failures maybe SELinux related?
> >
> > I have a client app run by users, and two server apps run from xinetd.
> > The client connects to server1
> > Server1 connects to server2
> > Server2 connects back to the client app
> >
> > When not confined by SELinux policy. Everything works fine.
> > I can run several hundred iterations without any failures.
> > When confined, but run in permissive mode, Everything works fine. - nothing in audit.log
> >
> > When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
> > Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
> > There is nothing in audit.log.
> > Does anyone have suggestions for constraints or don't audit rules I should look into?
> >
> >
> > Thanks,
> > Brian
> >
> >
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list


corenet_tcp_bind_generic_port(DOMAIN)

Will allow you to bind to the first port_t port, IE a port that is not 
have an SELInux port defined for it.  It will dontaudit attempts to bind 
to ports with SELInux ports defined.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list