Re: network failures maybe SELinux related?

On 05/18/2009 12:37 PM, Brian Ginn wrote:
Thanks!

For the listening ports, I've done that.
For the connecting ports, I pick a random port between 1025..65535, call connect() then if the port
is in use, increment the port number and try again.

Up until SELinux, "permission denied" has not been a connect() error that I've had to deal with.
I could change it so that "permission denied" also results in incrementing the port number and
retrying connect().
... however looking at the results of 'semanage port -l', most of those ports aren't used by the
selinux domains they are registered for.

When "hardening" a system, we make sure that various un-needed network services are not installed.
Should we also remove selinux policy (and port registration) for those services?


Thanks,
Brian

________________________________________
From: Daniel J Walsh [dwalsh@xxxxxxxxxx]
Sent: Saturday, May 16, 2009 4:49 AM
To: Brian Ginn
Cc: 'fedora-selinux-list@xxxxxxxxxx'
Subject: Re: network failures maybe SELinux related?

On 05/15/2009 05:48 PM, Brian Ginn wrote:
corenet_tcp_bind_all_ports()  seems to have solved my problems.
-Brian

On what domain?  This will allow that domain to bind to any port. If you
know what port you want to listen on, you might be able to add the port
using

semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER


From: Brian Ginn
Sent: Friday, May 15, 2009 1:44 PM
To: 'fedora-selinux-list@xxxxxxxxxx'
Subject: network failures maybe SELinux related?

I have a client app run by users, and two server apps run from xinetd.
The client connects to server1
Server1 connects to server2
Server2 connects back to the client app

When not confined by SELinux policy, everything works fine.
I can run several hundred iterations without any failures.
When confined, but run in permissive mode, everything works fine - nothing in audit.log

When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
There is nothing in audit.log.
Does anyone have suggestions for constraints or dontaudit rules I should look into?


Thanks,
Brian

------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


corenet_tcp_bind_generic_port(DOMAIN)

Will allow you to bind to the first port_t port, i.e. a port that does not have an SELinux port defined for it. It will dontaudit attempts to bind to ports with SELinux ports defined.


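The source-port selection loop Brian describes above (pick a port in 1025..65535, step to the next one on failure) is easy to get subtly wrong under SELinux, because a bind to a port that carries another domain's port label fails with EACCES rather than EADDRINUSE. The following is an added example written for this page, not code from the thread or from any Fedora component: it binds a socket to the first usable source port on 127.0.0.1 (the loopback address and the `bind_stats` / `bind_source_port` names are this example's own assumptions), treats EADDRINUSE and EACCES as "try the next port" as Brian proposes, and keeps the two causes counted separately so a run of EACCES results, which is what a `name_bind` denial looks like, can be reported instead of silently absorbed. Any other errno is treated as a real failure rather than retried.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Same candidate range as in the thread; staying above 1024 also keeps the
 * CAP_NET_BIND_SERVICE flavour of EACCES out of the picture. */
#define PORT_LOW  1025
#define PORT_HIGH 65535

/* Outcome counters so the caller can tell "port in use" apart from "bind
 * refused": repeated EACCES is what an SELinux name_bind denial on a labelled
 * port looks like from userspace and deserves its own log line. */
struct bind_stats {
    int tried;   /* candidate ports attempted */
    int in_use;  /* EADDRINUSE results */
    int denied;  /* EACCES results */
};

/* Bind fd to the first usable source port at or above start_port on
 * 127.0.0.1 (example assumption), skipping ports that are in use or that the
 * kernel refuses with EACCES. Returns the bound port, or -1 with errno set if
 * no candidate up to PORT_HIGH worked or a non-retryable error occurred. */
int bind_source_port(int fd, int start_port, struct bind_stats *st)
{
    struct bind_stats local = {0, 0, 0};
    if (st == NULL)
        st = &local;
    st->tried = st->in_use = st->denied = 0;

    if (start_port < PORT_LOW)
        start_port = PORT_LOW;
    for (int port = start_port; port <= PORT_HIGH; port++) {
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa.sin_port = htons((uint16_t)port);
        st->tried++;
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
            return port;
        if (errno == EADDRINUSE) { st->in_use++; continue; }  /* taken: next */
        if (errno == EACCES)     { st->denied++; continue; }  /* refused: next */
        return -1;  /* EBADF, EINVAL, ...: a real error, do not keep retrying */
    }
    errno = EADDRNOTAVAIL;
    return -1;
}

/* Random starting point in the same range the thread describes. */
int random_start_port(void)
{
    return PORT_LOW + (int)(rand() % (PORT_HIGH - PORT_LOW + 1));
}

int main(void)
{
    srand((unsigned)time(NULL));
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }

    struct bind_stats st;
    int port = bind_source_port(fd, random_start_port(), &st);
    if (port < 0) { perror("bind_source_port"); close(fd); return 1; }

    printf("bound source port %d after %d tries (%d in use, %d denied)\n",
           port, st.tried, st.in_use, st.denied);
    if (st.denied > 0)
        fprintf(stderr, "note: %d port(s) refused with EACCES; compare against "
                "'semanage port -l' and look for name_bind denials in audit.log\n",
                st.denied);
    /* a real client would now connect() to the server from this bound port */
    close(fd);
    return 0;
}
```

The point of counting `denied` separately is that a policy problem (the domain stepping onto ports registered for other services, the situation Brian observed in `semanage port -l`) stays visible to whoever reads the logs, while the client still makes progress; a loop that treats every failure as "in use" hides the denial entirely, and in Brian's enforcing-mode case the denial was already dontaudited, so the application's own report may be the only trace.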