On 02.08.2019 01:53, Jayson Hurst wrote:
> I am running into an issue using a 2fa binary through a squid proxy.
> I am writing the selinux policy for the 2fa binary, but when I
> attempt to access the system via ssh I am seeing the following AVC
>
> type=AVC msg=audit(1564694436.236:1003): avc: denied { name_connect
> } for pid=30620 comm="starling" dest=3128
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket
> permissive=0
>
> The following will fix it for the squid proxy:
>
> corenet_tcp_connect_squid_port(sshd_t)
>
> but what if tomorrow I decide to use a different proxy, that uses a
> different port. What is the correct way to set this up so that
> regardless of what proxy is being used on whatever port I don't have
> to update my policy every time?

No clear solution, but you could use "sesearch" and "semanage port" to get further.

sesearch can list all port types to which sshd may connect:

# sesearch -s sshd_t --allow -c tcp_socket -p name_connect
Found 10 semantic av rules:
allow sshd_t pki_ca_port_t : tcp_socket { name_bind name_connect } ;
allow sshd_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t portmap_port_t : tcp_socket name_connect ;
allow daemon auth_port_t : tcp_socket name_connect ;
allow sshd_t port_t : tcp_socket { name_bind name_connect } ;
allow sshd_t reserved_port_type : tcp_socket name_connect ;
allow sshd_t kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t ocsp_port_t : tcp_socket name_connect ;

You can use "semanage port" to assign port numbers to port types. The problem here is that no proxy server port types are in the list. But I think the second rule listed above, mentioning "port_type", allows sshd to connect to any port type derived from "port_type".

Does semanage port -a -t port_type -p tcp 3128 work? I didn't test it, but it may be worth a try.

Regards
Michael
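Added example for this thread (my code, not from the thread, from Michael, or from the SELinux userspace tools): a Python script that parses the AVC denial Jayson quoted and the sesearch output Michael posted, then reports which rules already reach the denied target type directly, which rules go through an attribute (port_type, reserved_port_type, daemon) that cannot be expanded offline, and which concrete port types sshd_t can already connect to, i.e. the candidates for a "semanage port" relabel. It also prints the narrow raw allow rule that the quoted corenet interface roughly expands to. Assumptions: the sample AVC and sesearch text are constructed from the lines above, and the type-versus-attribute distinction uses the "_t" naming convention as a heuristic; check any attribute with "seinfo -a<name> -x" on the real system.

```python
"""Match an SELinux AVC denial against `sesearch --allow` output for the
source domain.  Added example for the thread; the "_t" heuristic and the
sample data below are assumptions, not policy queries."""
import re

# Constructed sample inputs, copied in shape from the thread above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1564694436.236:1003): avc: denied { name_connect } '
    'for pid=30620 comm="starling" dest=3128 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0'
)
SAMPLE_SESEARCH = """Found 10 semantic av rules:
   allow sshd_t pki_ca_port_t : tcp_socket { name_bind name_connect } ;
   allow sshd_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t portmap_port_t : tcp_socket name_connect ;
   allow daemon auth_port_t : tcp_socket name_connect ;
   allow sshd_t port_t : tcp_socket { name_bind name_connect } ;
   allow sshd_t reserved_port_type : tcp_socket name_connect ;
   allow sshd_t kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t ocsp_port_t : tcp_socket name_connect ;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+)\}|(?P<perm>\S+?))\s*;"
)


def parse_avc(line):
    """Denied perms, source/target type (third field of a context), class, port."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": f["scontext"].split(":")[2],
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "dest": int(f["dest"]) if "dest" in f else None,
    }


def parse_rules(text):
    """Parse `sesearch --allow` lines into src/tgt/cls/perms records."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = m.group("perms") or m.group("perm")
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": set(perms.split())})
    return rules


def is_attribute(name):
    # ASSUMPTION (naming convention only): concrete types end in "_t"
    # (squid_port_t, port_t); attributes such as port_type, reserved_port_type
    # or daemon do not.  Confirm with `seinfo -a<name> -x` on the real policy.
    return not name.endswith("_t")


def analyse(avc, rules):
    """direct   - rule names the exact source and target (denial is then caused
                  by something else, e.g. a boolean or constraint)
       via_attr - rule goes through an attribute; only seinfo can expand it
       relabel  - concrete target types the domain already reaches, i.e.
                  candidates for `semanage port ... -t <type>`"""
    direct, via_attr, relabel = [], [], []
    for r in rules:
        if r["cls"] != avc["tclass"] or not avc["perms"] <= r["perms"]:
            continue
        if r["src"] == avc["stype"] and r["tgt"] == avc["ttype"]:
            direct.append(r)
        elif is_attribute(r["src"]) or is_attribute(r["tgt"]):
            via_attr.append(r)
        elif r["src"] == avc["stype"]:
            relabel.append(r["tgt"])
    return {"direct": direct, "via_attr": via_attr, "relabel": sorted(set(relabel))}


def semanage_command(avc, target_type, proto="tcp", modify=False):
    """`semanage port` line giving the denied port the chosen type.  A port the
    policy already defines (3128 is squid_port_t) is refused by -a and needs -m."""
    return "semanage port -%s -t %s -p %s %d" % (
        "m" if modify else "a", target_type, proto, avc["dest"])


def narrow_rule(avc):
    """Minimal raw allow rule (what audit2allow would emit), roughly what the
    quoted corenet_tcp_connect_squid_port(sshd_t) interface expands to."""
    return "allow %s %s:%s { %s };" % (
        avc["stype"], avc["ttype"], avc["tclass"], " ".join(sorted(avc["perms"])))


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    res = analyse(avc, parse_rules(SAMPLE_SESEARCH))
    print("denied: %s -> %s %s %s" % (avc["stype"], avc["ttype"], avc["tclass"], sorted(avc["perms"])))
    print("via attribute (expand with seinfo):", [(r["src"], r["tgt"]) for r in res["via_attr"]])
    print("reachable port types:", ", ".join(res["relabel"]))
    print("e.g.", semanage_command(avc, "port_t", modify=True), "| or:", narrow_rule(avc))
```

Run against the thread's data, the script finds no direct rule for squid_port_t, three rules that go through attributes (port_type, reserved_port_type, and the daemon source of the auth_port_t rule), and seven concrete port types sshd_t can already reach. Whether the port_type rule really covers squid_port_t is exactly the question left open in the thread; the script deliberately does not guess, because an attribute's membership is only knowable from the loaded policy.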
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx