Why not just run all possible proxies now, or a large subset of them, and open up those avcs?
I am running into an issue using a 2fa binary through a squid proxy. I am writing the selinux policy for the 2fa binary, but when when I attempt to access the system via ssh I am seeing the following AVC
type=AVC msg=audit(1564694436.236:1003): avc: denied { name_connect } for pid=30620 comm="starling" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0
The following will fix it for the squid proxy:
corenet_tcp_connect_squid_port(sshd_t)
but what if tomorrow I decide to use a different proxy, that uses a different port. What is the correct way to set this up so that regardless of what proxy is being used on whatever port I don't have to update my policy every time?
Thanks,
Jayson
|
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
