Re: binding and listening to port work with SELinux, but the process is unable receive data from clients

On 19.03.2019 21:23, SZIGETVÁRI János wrote:
Dear Members,

Sorry for bothering you with my questions but I am kind of stuck with my problem, that's why I turn to you now.

I am in the process of creating a SELinux policy for a software module of a larger application. The module is simply a server that listens on a port and forwards the received information through a Unix domain socket to the main application. I got most parts of the policy right by now, in the sense that the module can start, and I don't see any AVC denied entries in the SELinux audit log.

The relevant parts of my policy are the following (I have substituted the module's name with ABCD):

type ABCD_t;
type ABCD_port_t;

corenet_port(ABCD_port_t);

corenet_tcp_bind_generic_node(ABCD_t);
corenet_tcp_sendrecv_generic_node(ABCD_t);
corenet_tcp_sendrecv_generic_if(ABCD_t);
allow ABCD_t ABCD_port_t:tcp_socket { name_bind };

allow ABCD_t self:unix_dgram_socket { create connect getattr setopt };
allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt };


In the policy builder script I also use

semanage port -a -t ABCD_port_t -p tcp 1234 2>/dev/null || semanage port -m -t ABCD_port_t -p tcp 1234 2>/dev/null


What I see with my current policy (with SELinux in Enforcing mode) is that the module starts up seemingly okay, it binds to the appropriate port, but I see errors like this:

2019-03-19T16:08:14.314+0100    ERROR   HTTP server     error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53952": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53952: read: permission denied
2019-03-19T16:08:14.315+0100    ERROR   HTTP server     error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53953": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53953: read: permission denied


In addition to this, I see nothing in the SELinux audit log, and when I put SELinux in permissive mode, things start working again. I am puzzled at this point why I'm not seeing anything in audit.log. If it is indeed SELinux that's blocking the read attempts, then there should be some information about that. Right?


You may try to disable DONTAUDIT rules temporarily and see if you receive any clues in the audit log:

semodule -DB

Then, when you are done, turn it off again:

semodule -B
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
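The reply above suggests disabling the dontaudit rules and looking for the denial in the audit log. As an added example, not from the thread's author or the Fedora SELinux project, the following Python script shows what to do with the AVC records that `semodule -DB` exposes: it parses them, compares the denied permissions against the allow rules in the policy fragment posted in the thread, and prints the audit2allow-style rules that the policy is missing. The AVC lines, the pid and comm values, and the `app_sock_t` target type are constructed for the example; the real denials in this thread were never posted, so the output below is illustrative, not a diagnosis.

```python
#!/usr/bin/env python3
"""Compare AVC denials against an SELinux policy fragment and print the missing allow rules."""
import re
import sys
from collections import defaultdict

# The allow rules from the policy fragment posted in the thread (copied, not invented).
POLICY_RULES = """
allow ABCD_t ABCD_port_t:tcp_socket { name_bind };
allow ABCD_t self:unix_dgram_socket { create connect getattr setopt };
allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt };
"""

# CONSTRUCTED sample audit records, shaped like what `ausearch -m AVC` prints after
# `semodule -DB`. pid/comm, the timestamps and the app_sock_t type are made up for this
# example; the thread never showed the real denial.
AUDIT_LINES = """
type=AVC msg=audit(1553008094.314:812): avc:  denied  { read } for  pid=2711 comm="ABCD" saddr=172.16.0.90 src=5986 daddr=172.16.0.92 dest=53952 scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553008094.315:813): avc:  denied  { write } for  pid=2711 comm="ABCD" saddr=172.16.0.90 src=5986 daddr=172.16.0.92 dest=53953 scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553008094.316:814): avc:  denied  { write } for  pid=2711 comm="ABCD" path="/run/app/main.sock" scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:object_r:app_sock_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1553008094.314:812): arch=c000003e syscall=0 success=no exit=-13 comm="ABCD"
"""

# One AVC record: the denied permission set, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# One TE allow rule: allow <source> <target>:<class> { perms };
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;")


def type_of(context):
    """Extract the type field from user:role:type[:level], e.g. ABCD_t."""
    return context.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(denied perms)} from audit records."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other non-AVC records carry no permission info
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def parse_rules(text):
    """Return {(source_type, target_type, tclass): set(granted perms)} from allow rules."""
    granted = defaultdict(set)
    for src, tgt, tclass, perms in RULE_RE.findall(text):
        if tgt == "self":
            tgt = src  # 'self' means the target shares the source's type
        granted[(src, tgt, tclass)].update(perms.split())
    return dict(granted)


def missing_rules(denials, granted):
    """Return audit2allow-style allow rules for denied permissions the policy does not grant."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        need = perms - granted.get((src, tgt, tclass), set())
        if not need:
            continue  # already allowed; the denial must come from somewhere else
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(need))} }};")
    return rules


if __name__ == "__main__":
    # Usage: avc_gap.py [audit-file|-]   ('-' reads ausearch output from stdin;
    # no argument runs the constructed sample above)
    if len(sys.argv) > 1:
        source = sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])
        audit_text = source.read()
    else:
        audit_text = AUDIT_LINES
    for rule in missing_rules(parse_avc(audit_text), parse_rules(POLICY_RULES)):
        print(rule)
```

On a real system the input would be `ausearch -m AVC -ts recent | python3 avc_gap.py -`, run between `semodule -DB` and `semodule -B`. The script deliberately stops at raw allow rules; for a policy that is meant to be shipped, run the same records through audit2allow and then replace the raw rules with the matching refpolicy interfaces (as the posted fragment already does with the `corenet_*` calls), since a raw `allow` may grant more than the interface the policy author intended.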
