Binding and listening on a port work with SELinux, but the process is unable to receive data from clients

Dear Members,

Sorry for bothering you with my questions, but I am kind of stuck with my problem; that's why I turn to you now.

I am in the process of creating an SELinux policy for a software module of a larger application.
The module is simply a server that listens on a port and forwards the received information through a Unix domain socket to the main application.
I have got most parts of the policy right by now, in the sense that the module can start and I don't see any AVC denied entries in the SELinux audit log.

The relevant parts of my policy are the following (I have substituted the module's name with ABCD):

# Domain for the module's process, and a port type for the port it listens on
type ABCD_t;
type ABCD_port_t;

# Register ABCD_port_t as a network port type
corenet_port(ABCD_port_t);

# Let the domain bind to, and exchange TCP traffic with, generic nodes and interfaces
corenet_tcp_bind_generic_node(ABCD_t);
corenet_tcp_sendrecv_generic_node(ABCD_t);
corenet_tcp_sendrecv_generic_if(ABCD_t);
# Let the domain bind to the port labelled ABCD_port_t
allow ABCD_t ABCD_port_t:tcp_socket { name_bind };

# Permissions on the module's own sockets
allow ABCD_t self:unix_dgram_socket { create connect getattr setopt };
allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt };

In the policy builder script I also use

semanage port -a -t ABCD_port_t -p tcp 1234 2>/dev/null || semanage port -m -t ABCD_port_t -p tcp 1234 2>/dev/null


What I see with my current policy (with SELinux in enforcing mode) is that the module starts up seemingly okay and binds to the appropriate port, but I see errors like this:

2019-03-19T16:08:14.314+0100    ERROR   HTTP server     error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53952": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53952: read: permission denied
2019-03-19T16:08:14.315+0100    ERROR   HTTP server     error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53953": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53953: read: permission denied

In addition to this, I see nothing in the SELinux audit log, and when I put SELinux in permissive mode, things start working again.
I am puzzled at this point why I'm not seeing anything in audit.log. If it is indeed SELinux that's blocking the read attempts, then there should be some information about that. Right?

Thank you for your help!

Best Regards,
János Szigetvári
--
Janos SZIGETVARI
RHCE, License no. 150-053-692

LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos@xxxxxxxxxxxxxx, jszigetvari@xxxxxxxxx
Phone: +36209440412 (Hungary)

__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
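Added example for this thread, not the poster's code and not something from the selinux list: an offline Python checker that parses the two `self` rules quoted in the post, compares them with the permissions a listening accept-and-reply server exercises on its own sockets (that required set is my assumption, based on the usual create/bind/listen/accept plus read/write/shutdown life cycle; the `sendto` check on a datagram socket is made against the receiver's socket, so it is deliberately not in the self set), and turns AVC records into `allow` rules the way audit2allow would. The AVC lines are constructed to match audit.log's format; pid, comm and timestamps are made up. The point a practitioner would check first when the audit log is silent in enforcing mode is whether a dontaudit rule is hiding the denial: `semodule -DB` temporarily disables every dontaudit rule, `ausearch -m AVC -ts recent` then shows what was suppressed, and `semodule -B` restores the normal build.

```python
"""Offline check of the socket permissions a listening SELinux domain needs.

Workflow this supports (the commands are real; run them as root on the box):
  semodule -DB                  # temporarily disable all dontaudit rules
  <reproduce the failing request>
  ausearch -m AVC -ts recent    # denials that were silenced now appear
  semodule -B                   # rebuild the policy with dontaudit back on
The AVC records can then be fed to avc_to_allow_rules() below (audit2allow
does the same job on a real system).
"""
import re
from collections import defaultdict

# The two 'self' rules quoted in the post (copied here as constructed input).
POSTED_POLICY = """
allow ABCD_t self:unix_dgram_socket { create connect getattr setopt };
allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt };
"""

# Assumed life-cycle permissions of a server on its own sockets: read/write for
# request and reply, shutdown for an orderly close. On the datagram socket,
# write() is checked against the sending socket ('self'); the 'sendto' check
# is against the receiving socket, so it is not a self permission.
REQUIRED_SELF_PERMS = {
    "tcp_socket": {"create", "bind", "listen", "accept", "getattr", "setopt",
                   "read", "write", "shutdown"},
    "unix_dgram_socket": {"create", "connect", "getattr", "setopt", "write"},
}

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;",
    re.M,
)


def parse_allow_rules(policy_text):
    """Map (source, target, class) -> set of permissions for each allow rule."""
    rules = defaultdict(set)
    for m in ALLOW_RE.finditer(policy_text):
        perms = (m.group("perms") or m.group("perm")).split()
        rules[(m.group("src"), m.group("tgt"), m.group("cls"))].update(perms)
    return dict(rules)


def missing_self_perms(policy_text, domain, required=REQUIRED_SELF_PERMS):
    """Per class, the required self permissions the policy does not grant."""
    rules = parse_allow_rules(policy_text)
    gaps = {}
    for cls, needed in required.items():
        granted = rules.get((domain, "self", cls), set())
        if needed - granted:
            gaps[cls] = sorted(needed - granted)
    return gaps


# Constructed AVC records in audit.log format: the shape is the real one, the
# pid, comm and timestamps are invented for the example.
SAMPLE_AVC = """
type=AVC msg=audit(1553008094.314:2301): avc:  denied  { read } for  pid=4242 comm="abcd" scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553008094.315:2302): avc:  denied  { write } for  pid=4242 comm="abcd" scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553008094.320:2303): avc:  denied  { write } for  pid=4242 comm="abcd" scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=unix_dgram_socket permissive=0
"""

# The third colon-separated field of a context is the type; the MLS/MCS
# range after it is optional (absent on non-MLS policies).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)(?::\S*)?\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)(?::\S*)?\s+"
    r"tclass=(?P<cls>\w+)"
)


def avc_to_allow_rules(audit_text):
    """Collapse AVC denials into 'allow src tgt:class { perms };' lines."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(audit_text):
        src, tgt, cls = m.group("src"), m.group("tgt"), m.group("cls")
        if tgt == src:
            tgt = "self"
        rules[(src, tgt, cls)].update(m.group("perms").split())
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for cls, perms in missing_self_perms(POSTED_POLICY, "ABCD_t").items():
        print("ABCD_t self:%s lacks { %s }" % (cls, " ".join(perms)))
    print("\n".join(avc_to_allow_rules(SAMPLE_AVC)))
```

Run it against a real `.te` file and the output of `ausearch -m AVC` after `semodule -DB`; the generated lines are a starting point to review, not something to paste in blindly, since the `sendto` and port-level checks land on other types than `self`.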
