Re: tor_t: actually allowed tcp ports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 04/10/2015 04:13 PM, Nusenu wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

what are the actually allowed TCP ports processes in the
tor_t domain are allowed to bind to? (with
tor_bind_all_unreserved_ports --> off tor_can_network_relay
--> on)


semanage gives me: tor_port_t         tcp      6969, 9001,
9030, 9050, 9051, 9150

but tor can bind to 80,443 or 9000 without problems. (but
for example 5000 is not allowed -> AVCs)
If you need some custom port for tor binding and you won't use
'tor_bind_all_unreserved_ports' boolean, you could use semanage
tool to label your custom port as tor_port_t. Example: |semanage
port -a -t tor_port_t -p tcp 5000
That sounds great to allow it to run without allowing more than
needed, unfortunately it does not work for every port:

ValueError: Port tcp/5000 already defined
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVJ9pxAAoJEFv7XvVCELh0WtYP/R+BykAepbrd4gvTbQJKawWK
eFyeAoSpTc7ZuziFWUrfApkvY9gwgJpVCU000emYhh6x5cKpw9PIUa03gqPGo5zL
uk2QbhbvV1S4RdYR2k1BEDK5FdkA5ajptuTI4xsrRj9KPGrVKPA/4owioS2xXSn1
bLw7aTMp8QdxOmdvaGLb9hTyOqecQ5FOeJ/jd1ODrR1j9kNFMBD+sqXpOUxFCclv
dzW4GKS6hbPZ1LQ3kcOK4wJyBa2zZiVDLFb20cYWbsRmFz5vcZjMFrXOo0KEnGqW
4iAUbMZEe8ZN9qiS0AIaGaz4l7J/FrbBpuJZ7noeMMR76brMfCr8rPwwcFnLF6G8
4JH1P+Z+ATbsrfrVek2IE61duW7egbFqXgf62St8eDrFR4anqetw53LYkIoSkFvW
tOQrEQCnGy7neX7fcpToULJ0Fqhki8J/NtfDqD0nVodLOOeJxTGm0Q+v2jtD3hg4
p/M8Kk5P1woMvPn7UDaYTRB68g6M2JUt3x7kbjE5K/7KeIcvML4Ls/wpiLCtzJ4D
CkPa6HaaDPzRHXqM7ZTV+zvhjSc3PueO4BX8CsL/FF7OTmOJyPm6oqK0kxpJtcG8
tRZIMmQyq1BE77TFFzd4KX0PuDz+L167jwcXknVghpadwRubu77SMZ66+AYfn379
fTXLcDY0nY3L/SLiQt5I
=JNR0
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

Hi,
If you need to bind on defined port, there is a way to make "local" policy with rule allowing this.
To build local policy follow this:
    1. Generate AVC (in your case tor is binding to port 5000)
    2. Store this AVC in some file. (like tor_local.txt)
    3. use: $ cat ./tor_local.txt | audit2allow -M tor_local
    4. use: # semodule -i tor_local.pp

Now tor_t domain can bind to port 5000.

Last thing, be careful with this. Make local policies when you know what you are allowing due to security reasons.

--

Thank you.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux