|
On 04/07/2015 09:03 AM, Miroslav Grepl
wrote:
If you need some custom port for tor binding and you won't use 'tor_bind_all_unreserved_ports' boolean, you could use semanage tool to label your custom port as tor_port_t.-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 04/06/2015 08:33 PM, Nusenu wrote:Hi, what are the actually allowed TCP ports processes in the tor_t domain are allowed to bind to? (with tor_bind_all_unreserved_ports --> off tor_can_network_relay --> on) semanage gives me: tor_port_t tcp 6969, 9001, 9030, 9050, 9051, 9150 but tor can bind to 80,443 or 9000 without problems. (but for example 5000 is not allowed -> AVCs) Example: semanage port -a -t tor_port_t -p tcp 5000
Used policy version: selinux-policy-targeted-3.13.1-23.el7.noarch Is there already a boolean that allows enabling to arbitrary ports as suggested here: https://bugzilla.redhat.com/show_bug.cgi?id=544546#c5 You can use sesearch to check it $ sesearch -A -s tor_t -p tcp_socket -p name_bind -C Or you can use sepolicy which gets you what you want to see $ sepolicy network -d tor_tthanks, Nusenu -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux- -- Miroslav Grepl Software Engineering, SELinux Solutions Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJVI4ErAAoJENrcHks50T0J+8IH/3ca/bcT//RKsxjK8GFC7BMt WXR3c7KpxUk2Niy99GQo8fBR2FIJ0yfH2Y4TaiH9oVdew3odr7mEn4vBdya1C9A6 v283qSr9/BlPHvBk9msjjtRKryagi81XnU5C1EHF6eJQScyfnxE2pLuSBD3q2oZa asawW1I0iwkri6BwWq9D5i40ISf4gqoHV9zA9j408sdahS8h38sq0PVrwVMMxakz 7Arlj33aXOij08ZWiISjB+sch0UD1zoX3jfiLiOMbTqHNuRisUz0PUAFCjoF7i5y TOXTJE+kXVlnzqWPeYrWBl3Gak+QaoGx7HXGk7Kc1f++bfSl3plSyGH9xkxmimY= =uVaE -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux -- Thank you. -- Lukas Vrabec SELinux Solutions Red Hat, Inc. |
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
