Dear Members,
Sorry for bothering you with my questions, but I am kind of stuck with my problem, which is why I turn to you now.
I am in the process of creating a SELinux policy for a software module of a larger application.
The module is simply a server that listens on a port and forwards the received information through a Unix domain socket to the main application.
I have got most parts of the policy right by now, in the sense that the module can start and I don't see any AVC denied entries in the SELinux audit log.
The relevant parts of my policy are the following (I have substituted the module's name with ABCD):
# Domain for the module's process, and a port type for the TCP port it listens on
type ABCD_t;
type ABCD_port_t;
corenet_port(ABCD_port_t);
# Bind to any node/interface and exchange TCP traffic on them
corenet_tcp_bind_generic_node(ABCD_t);
corenet_tcp_sendrecv_generic_node(ABCD_t);
corenet_tcp_sendrecv_generic_if(ABCD_t);
# Bind to the port labelled ABCD_port_t (labelled with the semanage call below)
allow ABCD_t ABCD_port_t:tcp_socket { name_bind };
# Datagram socket towards the main application, and the listening TCP socket
allow ABCD_t self:unix_dgram_socket { create connect getattr setopt };
allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt };
In the policy builder script I also use:
semanage port -a -t ABCD_port_t -p tcp 1234 2>/dev/null || semanage port -m -t ABCD_port_t -p tcp 1234 2>/dev/null
What I see with my current policy (with SELinux in enforcing mode) is that the module starts up seemingly okay and binds to the appropriate port, but I see errors like this:
2019-03-19T16:08:14.314+0100 ERROR HTTP server error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53952": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53952: read: permission denied
2019-03-19T16:08:14.315+0100 ERROR HTTP server error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53953": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53953: read: permission denied
2019-03-19T16:08:14.315+0100 ERROR HTTP server error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53953": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53953: read: permission denied
In addition to this, I see nothing in the SELinux audit log, and when I put SELinux in permissive mode, things start working again.
I am puzzled at this point why I'm not seeing anything in audit.log. If it is indeed SELinux that's blocking the read attempts, then there should be some information about that. Right?
Thank you for your help!
Best Regards,
János Szigetvári
--
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos@xxxxxxxxxxxxxx, jszigetvari@xxxxxxxxx
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
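An added example for the situation described in the post, not code from the original message or from the ABCD project. Two things a practitioner checks when an enforcing-mode denial leaves no AVC record: whether the policy carries a dontaudit rule that silences it (`semodule -DB` rebuilds the policy with dontaudit rules disabled, `semodule -B` restores them), and whether the records are simply being read wrongly (`ausearch -m AVC -ts recent`). Once records do appear, the script below parses them the way audit2allow does and prints the allow rule each group of denials implies, so the missing permissions can be compared against the rules in the post. The audit records in SAMPLE_AUDIT_LOG are constructed: the pids, inodes, socket paths, timestamps and the `main_app_t` type are assumptions; the field layout is the one the kernel writes to /var/log/audit/audit.log.

```python
"""Parse SELinux AVC records and turn them into the allow rules they imply.

Constructed example for the thread above, not code from the original post.
The audit records below are made up (pids, inodes, paths, timestamps and the
main_app_t type are assumptions); the field layout follows what the kernel
writes to /var/log/audit/audit.log.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1553008094.314:4011): avc:  denied  { read } for  pid=1234 comm="ABCD" path="socket:[98765]" dev="sockfs" ino=98765 scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553008094.315:4012): avc:  denied  { write } for  pid=1234 comm="ABCD" path="socket:[98765]" dev="sockfs" ino=98765 scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553008094.320:4013): avc:  denied  { name_bind } for  pid=1234 comm="ABCD" src=1234 scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:object_r:ABCD_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553008094.321:4014): avc:  denied  { sendto } for  pid=1234 comm="ABCD" path="/run/main/app.sock" scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:main_app_t:s0 tclass=unix_dgram_socket permissive=1
type=SYSCALL msg=audit(1553008094.314:4011): arch=c000003e syscall=0 success=no exit=-13 comm="ABCD"
"""

# "avc:  denied  { read write } for  pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be quoted (comm="ABCD", path="socket:[98765]")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'decision': m.group('decision'),
        'perms': set(m.group('perms').split()),
        # a context is user:role:type:level; a policy rule names only the type
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=1: the access went through, but enforcing mode would refuse it
        'permissive': fields.get('permissive') == '1',
    }


def denials_to_allow_rules(log_text):
    """Collapse denied records into one allow rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        grouped[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        # a process acting on its own objects is written as "self", as in the post's policy
        target = 'self' if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def enforced_denials(log_text):
    """Records that were actually blocked (permissive=0), i.e. what enforcing mode refused."""
    return [r for r in (parse_avc(line) for line in log_text.splitlines())
            if r is not None and r['decision'] == 'denied' and not r['permissive']]


if __name__ == '__main__':
    for rule in denials_to_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    print(len(enforced_denials(SAMPLE_AUDIT_LOG)), "denials were enforced")
```

On the constructed input the script emits `allow ABCD_t self:tcp_socket { read write };` for the two records against the module's own TCP socket, which is the shape of rule to compare against the `self:tcp_socket` line in the posted policy once real records are available. Records with `permissive=1` are still grouped into rules, because they describe accesses that would fail under enforcing mode; only `enforced_denials` filters them out.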