Re: tor_t: actually allowed tcp ports

[Lukas Vrabec <lvrabec@xxxxxxxxxx>]

On 04/10/2015 04:13 PM, Nusenu wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> > > > > what are the actually allowed TCP ports processes in the
> > > > > tor_t domain are allowed to bind to? (with
> > > > > tor_bind_all_unreserved_ports --> off tor_can_network_relay
> > > > > --> on)
> > > > >
> > > > >
> > > > > semanage gives me: tor_port_t         tcp      6969, 9001,
> > > > > 9030, 9050, 9051, 9150
> > > > >
> > > > > but tor can bind to 80,443 or 9000 without problems. (but
> > > > > for example 5000 is not allowed -> AVCs)
> > > If you need some custom port for tor binding and you won't use
> > > 'tor_bind_all_unreserved_ports' boolean, you could use semanage
> > > tool to label your custom port as tor_port_t. Example: |semanage
> > > port -a -t tor_port_t -p tcp 5000
> That sounds great to allow it to run without allowing more than
> needed, unfortunately it does not work for every port:
>
> ValueError: Port tcp/5000 already defined
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJVJ9pxAAoJEFv7XvVCELh0WtYP/R+BykAepbrd4gvTbQJKawWK
> eFyeAoSpTc7ZuziFWUrfApkvY9gwgJpVCU000emYhh6x5cKpw9PIUa03gqPGo5zL
> uk2QbhbvV1S4RdYR2k1BEDK5FdkA5ajptuTI4xsrRj9KPGrVKPA/4owioS2xXSn1
> bLw7aTMp8QdxOmdvaGLb9hTyOqecQ5FOeJ/jd1ODrR1j9kNFMBD+sqXpOUxFCclv
> dzW4GKS6hbPZ1LQ3kcOK4wJyBa2zZiVDLFb20cYWbsRmFz5vcZjMFrXOo0KEnGqW
> 4iAUbMZEe8ZN9qiS0AIaGaz4l7J/FrbBpuJZ7noeMMR76brMfCr8rPwwcFnLF6G8
> 4JH1P+Z+ATbsrfrVek2IE61duW7egbFqXgf62St8eDrFR4anqetw53LYkIoSkFvW
> tOQrEQCnGy7neX7fcpToULJ0Fqhki8J/NtfDqD0nVodLOOeJxTGm0Q+v2jtD3hg4
> p/M8Kk5P1woMvPn7UDaYTRB68g6M2JUt3x7kbjE5K/7KeIcvML4Ls/wpiLCtzJ4D
> CkPa6HaaDPzRHXqM7ZTV+zvhjSc3PueO4BX8CsL/FF7OTmOJyPm6oqK0kxpJtcG8
> tRZIMmQyq1BE77TFFzd4KX0PuDz+L167jwcXknVghpadwRubu77SMZ66+AYfn379
> fTXLcDY0nY3L/SLiQt5I
> =JNR0
> -----END PGP SIGNATURE-----
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Hi,
If you need to bind on defined port, there is a way to make "local" 
policy with rule allowing this.
To build local policy follow this:
    1. Generate AVC (in your case tor is binding to port 5000)
    2. Store this AVC in some file. (like tor_local.txt)
    3. use: $ cat ./tor_local.txt | audit2allow -M tor_local
    4. use: # semodule -i tor_local.pp

Now tor_t domain can bind to port 5000.

Last thing, be careful with this. Make local policies when you know what 
you are allowing due to security reasons.

--

Thank you.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux