Dear Oleg,
Thank you, that seems to have done the trick.
The necessary modifications for the policy were the following:
allow ABCD_t self:unix_dgram_socket { create connect getattr setopt read write };
allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt read write };
Thanks again!
Best Regards,
János Szigetvári
--
LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos@xxxxxxxxxxxxxx, jszigetvari@xxxxxxxxx
Phone: +36209440412 (Hungary)
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Oleg Cherkasov <o1e9.cherkasov@xxxxxxxxxx> wrote (time: 2019 Mar 19, Tue, 21:37):
On 19.03.2019 21:23, SZIGETVÁRI János wrote:
> Dear Members,
>
> Sorry for bothering you with my questions but I am kind of stuck with my
> problem, that's why I turn to you now.
>
> I am in the process of creating a SELinux policy for a software module,
> of a larger application.
> The module is simply a server, that listens on a port, and forwards the
> received information through a Unix domain socket to the main application.
> I got most parts of the policy right by now, in the sense that the
> module can start, and I don't see any AVC denied entries in the SELinux
> audit log.
>
> The relevant parts of my policy are the following (I have substituted
> the module's name with ABCD):
>
> type ABCD_t;
> type ABCD_port_t;
>
> corenet_port(ABCD_port_t);
>
> corenet_tcp_bind_generic_node(ABCD_t);
> corenet_tcp_sendrecv_generic_node(ABCD_t);
> corenet_tcp_sendrecv_generic_if(ABCD_t);
> allow ABCD_t ABCD_port_t:tcp_socket { name_bind };
>
> allow ABCD_t self:unix_dgram_socket { create connect getattr setopt };
> allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt };
>
>
> In the policy builder script I also use
>
> semanage port -a -t ABCD_port_t -p tcp 1234 2>/dev/null || semanage port
> -m -t ABCD_port_t -p tcp 1234 2>/dev/null
>
>
> What I see with my current policy (with SELinux in Enforcing mode), is
> that the module starts up seemingly okay, it binds to the appropriate
> port, but see errors like this:
>
> 2019-03-19T16:08:14.314+0100 ERROR HTTP server error when
> serving connection "172.16.0.90:5986"<->"172.16.0.92:53952": error when
> reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53952:
> read: permission denied
> 2019-03-19T16:08:14.315+0100 ERROR HTTP server error when
> serving connection "172.16.0.90:5986"<->"172.16.0.92:53953": error when
> reading request headers: read tcp4 172.16.0.90:5986->172.16.0.92:53953:
> read: permission denied
>
>
> In addition to this, I see nothing in the SELinux audit log, and when I
> put SELinux in permissive mode, things start working again.
> I am puzzled at this point why I'm not seeing anything in audit.log. If
> it is indeed SELinux that's blocking the read attempts, then there
> should be some information about that. Right?
>
You may try to disable the DONTAUDIT rules temporarily and see if you
receive any clues in the audit log:
semodule -DB
Then, when you are done, turn it off again:
semodule -B
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
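The thread's resolution was to turn the AVC denials that surfaced after `semodule -DB` into the missing `read`/`write` permissions on the module's own sockets. The script below is an added example, not code from the thread or from the SELinux project: a minimal audit2allow-style parser that reads AVC records, aggregates the denied permissions per (source type, target type, class), and renders them as `allow` rules, collapsing a target type equal to the source type into `self` as in the poster's final policy. The audit lines in `SAMPLE_AUDIT_LOG` are constructed to mirror the situation in the thread (the `ABCD_t` domain, the port 5986 connection, a `tcp_socket` and a `unix_dgram_socket` denial); they are not real output from the poster's system. The parser assumes the standard `avc: denied { perms } ... scontext=... tcontext=... tclass=...` record layout and ignores every other record type. Remember that denials covered by a `dontaudit` rule never reach audit.log at all, which is why the `semodule -DB` step from the reply above has to come first; and that the real `audit2allow` should be used in practice, with its output reviewed rather than pasted blindly into a policy.

```python
"""Minimal audit2allow-style helper: AVC denials -> SELinux allow rules.

Added example, not part of the mailing-list thread. The sample records below
are constructed to resemble the thread's scenario and are not real logs.
"""
import re
from collections import defaultdict

# The parts of an AVC record that rule generation needs.  Only "denied"
# records are turned into rules; "granted" (auditallow) records are skipped.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

# Constructed sample: what audit.log could show once dontaudit rules are
# disabled with `semodule -DB`.  Not real output from the poster's system.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1553008094.314:101): avc:  denied  { read } for  pid=2741 '
    'comm="abcd" laddr=172.16.0.90 lport=5986 faddr=172.16.0.92 fport=53952 '
    'scontext=system_u:system_r:ABCD_t:s0 tcontext=system_u:system_r:ABCD_t:s0 '
    'tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1553008094.314:101): arch=c000003e syscall=0 '
    'success=no exit=-13 comm="abcd"',
    'type=AVC msg=audit(1553008094.315:102): avc:  denied  { write } for  pid=2741 '
    'comm="abcd" scontext=system_u:system_r:ABCD_t:s0 '
    'tcontext=system_u:system_r:ABCD_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1553008094.320:103): avc:  denied  { write } for  pid=2741 '
    'comm="abcd" scontext=system_u:system_r:ABCD_t:s0 '
    'tcontext=system_u:system_r:ABCD_t:s0 tclass=unix_dgram_socket permissive=0',
]


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denial, else None."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    return (
        type_of(m.group("scontext")),
        type_of(m.group("tcontext")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
    )


def collect_rules(lines):
    """Aggregate denied permissions: {(stype, ttype, tclass): {perm, ...}}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_rules(rules):
    """Render aggregated denials as allow rules, using `self` where target == source."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


def rules_from_file(path):
    """Convenience wrapper for a real audit.log (e.g. /var/log/audit/audit.log)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return render_rules(collect_rules(fh))


if __name__ == "__main__":
    for rule in render_rules(collect_rules(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run on the constructed sample it prints the two `self` rules, with `{ read write }` on `tcp_socket` merged from two separate denials. Before adopting any generated rule, check whether a reference-policy interface already grants it and whether the permission set is narrower than what the program actually needs, since an over-broad `allow` silently weakens the confinement the policy is there to provide.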