On 05/18/2009 12:37 PM, Brian Ginn wrote:
Thanks!
For the listining ports, I've done that.
For the connecting ports, I pick a random port between 1025..65535, call connect() then if the port
is in use, increment the port number and try again.
Up until selinex, "permission denied" has not been a connect() error that I've had to deal with.
I could change it so that "permission denied" also results in incrementing the port number and
retrying connect().
... however looking at the results of 'semanage port -l', most of those ports aren't used by the
selinux domains they are registered for.
When "hardening" a system, we make sure that various un-needed network services are not installed.
Should we also remove selinux policy (and port registration) for those services?
Thanks,
Brian
________________________________________
From: Daniel J Walsh [dwalsh@xxxxxxxxxx]
Sent: Saturday, May 16, 2009 4:49 AM
To: Brian Ginn
Cc: 'fedora-selinux-list@xxxxxxxxxx'
Subject: Re: network failures maybe SELinux related?
On 05/15/2009 05:48 PM, Brian Ginn wrote:
corenet_tcp_bind_all_ports() seems to have solved my problems.
On what domain? This will allow that domain to bind to any port, if you
know what port you want to listen on, you might be able to add the port
using
semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER
-Brian
From: Brian Ginn
Sent: Friday, May 15, 2009 1:44 PM
To: 'fedora-selinux-list@xxxxxxxxxx'
Subject: network failures maybe SELinux related?
I have a client app run by users, and two server apps run from xinetd.
The client connects to server1
Server1 connects to server2
Server2 connects back to the client app
When not confined by SELinux policy. Everything works fine.
I can run several hundred iterations without any failures.
When confined, but run in permissive mode, Everything works fine. - nothing in audit.log
When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
There is nothing in audit.log.
Does anyone have suggestions for constraints or don't audit rules I should look into?
Thanks,
Brian
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
corenet_tcp_bind_generic_port(DOMAIN)
Will allow you to bind to the first port_t port, IE a port that is not
have an SELInux port defined for it. It will dontaudit attempts to bind
to ports with SELInux ports defined.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list