Re: SElinux and proxies

Why not just run all possible proxies now, or a large subset of them, and open up those avcs?

On Aug 1, 2019, at 7:04 PM, Jayson Hurst <swazup@xxxxxxxxxxx> wrote:

I am running into an issue using a 2fa binary through a squid proxy. I am writing the selinux policy for the 2fa binary, but when I attempt to access the system via ssh I am seeing the following AVC:

type=AVC msg=audit(1564694436.236:1003): avc:  denied  { name_connect } for  pid=30620 comm="starling" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0

The following will fix it for the squid proxy:

corenet_tcp_connect_squid_port(sshd_t)

But what if tomorrow I decide to use a different proxy that uses a different port? What is the correct way to set this up so that regardless of what proxy is being used on whatever port I don't have to update my policy every time?

Thanks,

Jayson
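
Added example, not part of the thread: one way to act on the suggestion of exercising several proxies and collecting the resulting AVCs is to turn each name_connect denial into the matching interface call. It assumes dedicated port types follow the corenet_tcp_connect_<name>_port naming seen in the squid fix above; only the first sample line comes from the post, the others are constructed.

```python
import re

# Fields of an AVC denial needed to choose a corenet interface.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Catch-all port labels: the port has no dedicated type, so no per-service
# interface applies and the grant would be broad. Flag these for review.
GENERIC = {"port_t", "reserved_port_t", "hi_reserved_port_t",
           "unreserved_port_t", "ephemeral_port_t"}

TEMPLATE = ('type=AVC msg=audit(1564694436.236:1003): avc:  denied  { %s } for  '
            'pid=30620 comm="starling" dest=%s '
            'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:%s:s0 tclass=%s permissive=0')
SAMPLE = [
    TEMPLATE % ("name_connect", 3128, "squid_port_t", "tcp_socket"),  # from the post
    TEMPLATE % ("name_connect", 8080, "http_cache_port_t", "tcp_socket"),  # constructed
    TEMPLATE % ("name_connect", 9999, "unreserved_port_t", "tcp_socket"),  # constructed
    TEMPLATE % ("name_bind", 3128, "squid_port_t", "tcp_socket"),  # constructed
]

def selinux_type(context):
    """Return the type field (third colon-separated part) of a context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def connect_rules(lines):
    """Map tcp_socket name_connect denials to corenet interface calls.

    Returns (rules, skipped): sorted unique calls, and target types that
    need manual review because they are catch-all or unrecognised labels.
    """
    rules, skipped = set(), set()
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "tcp_socket":
            continue
        if "name_connect" not in m["perms"].split():
            continue
        src, tgt = selinux_type(m["scontext"]), selinux_type(m["tcontext"])
        if src is None or tgt is None:
            continue
        pm = re.fullmatch(r"(\w+)_port_t", tgt)
        if pm and tgt not in GENERIC:
            rules.add(f"corenet_tcp_connect_{pm[1]}_port({src})")
        else:
            skipped.add(tgt)
    return sorted(rules), sorted(skipped)
```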
