On 19.03.2019 21:23, SZIGETVÁRI János wrote:
Dear Members,
Sorry for bothering you with my questions, but I am kind of stuck with my
problem; that's why I turn to you now.
I am in the process of creating a SELinux policy for a software module
of a larger application.
The module is simply a server that listens on a port and forwards the
received information through a Unix domain socket to the main application.
I got most parts of the policy right by now, in the sense that the
module can start, and I don't see any AVC denied entries in the SELinux
audit log.
The relevant parts of my policy are the following (I have substituted
the module's name with ABCD):
type ABCD_t;
type ABCD_port_t;
corenet_port(ABCD_port_t);
corenet_tcp_bind_generic_node(ABCD_t);
corenet_tcp_sendrecv_generic_node(ABCD_t);
corenet_tcp_sendrecv_generic_if(ABCD_t);
allow ABCD_t ABCD_port_t:tcp_socket { name_bind };
allow ABCD_t self:unix_dgram_socket { create connect getattr setopt };
allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt };
In the policy builder script I also use
semanage port -a -t ABCD_port_t -p tcp 1234 2>/dev/null || semanage port -m -t ABCD_port_t -p tcp 1234 2>/dev/null
What I see with my current policy (with SELinux in Enforcing mode) is
that the module starts up seemingly okay and binds to the appropriate
port, but I see errors like this:
2019-03-19T16:08:14.314+0100 ERROR HTTP server error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53952": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53952: read: permission denied
2019-03-19T16:08:14.315+0100 ERROR HTTP server error when serving connection "172.16.0.90:5986"<->"172.16.0.92:53953": error when reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53953: read: permission denied
In addition to this, I see nothing in the SELinux audit log, and when I
put SELinux in permissive mode, things start working again.
I am puzzled at this point why I'm not seeing anything in audit.log. If
it is indeed SELinux that's blocking the read attempts, then there
should be some information about that. Right?
You may try to disable DONTAUDIT rules temporarily and see if you
receive any clues in the audit log:
semodule -DB
Then, when you are done, turn it off:
semodule -B
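As an added example (not code posted in this thread), the shell below wraps the suggested semodule -DB / semodule -B toggle so the dontaudit rules are always restored, and condenses whatever AVC records the run surfaces into audit2allow-style rules. The sample AVC records, the pids, the path and the type main_app_t are constructed for illustration; the ausearch -ts recent call assumes auditd is running.

```shell
#!/bin/sh
# Added example: reproduce a failure with dontaudit rules disabled, restore
# them afterwards, and summarise the AVC denials as allow rules.
# semodule and ausearch are only invoked from main when a command is given.

# Read AVC records on stdin; print "scontext tcontext tclass permission",
# one line per denied permission, duplicates removed.
summarize_avc() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=\([^ ]*\) .*tcontext=\([^ ]*\) .*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    while read -r sctx tctx tclass perms; do
        for p in $perms; do printf '%s %s %s %s\n' "$sctx" "$tctx" "$tclass" "$p"; done
    done | sort -u
}

# Group the summary into one allow rule per (source type, target type, class);
# a target equal to the source is written as "self", as in the poster's policy.
avc_to_allow_rules() {
    summarize_avc | awk '
        { split($1, s, ":"); split($2, t, ":")
          tgt = (s[3] == t[3]) ? "self" : t[3]
          key = s[3] " " tgt ":" $3
          perms[key] = perms[key] " " $4 }
        END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' | sort
}

# Run "$@" with dontaudit rules disabled; the EXIT trap in the subshell
# restores them even if the command fails or is interrupted.
with_dontaudit_disabled() {
    semodule -DB || return 1
    ( trap 'semodule -B' EXIT; "$@" )
}

# Constructed sample records (hypothetical pids, path and type main_app_t),
# shaped like the denials such a run might surface.
SAMPLE_AVC='type=AVC msg=audit(1553012894.314:101): avc:  denied  { read } for  pid=2001 comm="ABCD" scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553012894.315:102): avc:  denied  { write } for  pid=2001 comm="ABCD" scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1553012894.316:103): avc:  denied  { sendto } for  pid=2001 comm="ABCD" path="/run/main.sock" scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:main_app_t:s0 tclass=unix_dgram_socket permissive=0'

main() {
    if [ "$#" -eq 0 ]; then
        # No reproduction command given: show the parser on the sample.
        printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
        return 0
    fi
    with_dontaudit_disabled "$@"
    # Only AVC records from the last ten minutes, i.e. from this run.
    ausearch -m AVC -ts recent 2>/dev/null | avc_to_allow_rules
}
main "$@"
```

Rules produced this way are a starting point for review, not something to paste into the policy unchanged.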
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx