Re: tor_t: actually allowed tcp ports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


> If you need to bind on defined port, there is a way to make "local"
>  policy with rule allowing this. To build local policy follow this:
> 1. Generate AVC (in your case tor is binding to port 5000) 2. Store
> this AVC in some file. (like tor_local.txt) 3. use: $ cat
> ./tor_local.txt | audit2allow -M tor_local 4. use: # semodule -i
> tor_local.pp

I'm aware of this process but it is not applicable in an
ansible role [1] (my use case).

> Last thing, be careful with this. Make local policies when you
> know what you are allowing due to security reasons.

Yes, you definitely don't want to perform this blindly and automatically
.


I would have no problem running
semanage port -a ... $port
since the user's selected tor ports are obviously available - that would
have been a neat solution to create tailored SELinux adjustment without
the user even noticing and still working out of the box with arbitrary
ports. Probably to nice to actually work.

[1] https://github.com/nusenu/ansible-relayor




-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVLCVfAAoJEFv7XvVCELh0oY0P/0TcVMtpg/e6V8CluAybMhBv
x4YDMWCYzZ6gfYFOig/B1m1TemOuopfmAlwgb0O87LWwnVG3+LNrnC3Cm/+D5LhQ
TdUFsnRV101LbeyDbf4nVnc0Pw35m9zC9E9IA3MZCBrnou8AosXBqMigAPMQUGdA
cQzM1hMdWaVy7fEt80W6Wq8YtlhnNeFe7qpOUbELMOEkAmZG0UMh9lHHOwhfZlFE
W/2qBFTC5ImvMJKMZ8oVGs+RSKUkVny3dOebCvvKvmsxJzFxVraIHKMax7RecVbT
Td70u1Ulke9BqlzI9si2cPH33xbbqeV0pkqmXBKoeHNJugxtpEcGnWYAEEAH0Qiw
P9JxJyXGgonj/Au8eXizxXGv7+pfJG/us8bRmEAFUnpxYYJe12zczDcpwGwEn/71
puwQgDMfUODHRt9Mj/LJX5kC9dqPij4BHgVdGEvPBEgqZeBsLkWC460aGspXap0O
XXmAz2Aw1QILM5PXgybhmlmZeQW3jhKq1LsUl9vHXHgJ0I0Ry10LLcgDTtJ2FIGv
NKlR6j91PI9wtzf5DkUuL8Rgj15ITlZVBwmEpWK3Pde4PqoBz4OJbzjYbWshh3KV
LuZGTUaI+Y4ef3Y7cJ2a58GZ+1vHfep7f9WMH+XeYzVbN1MHYQHylzAfzk/YM6Wt
smkiTlosQ4+lTIdDFZWz
=rFg3
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux