Re: SElinux and proxies

On 02.08.2019 01:53, Jayson Hurst wrote:
> I am running into an issue using a 2fa binary through a squid proxy.
> I am writing the selinux policy for the 2fa binary, but when I
> attempt to access the system via ssh I am seeing the following AVC
> 
> type=AVC msg=audit(1564694436.236:1003): avc:  denied  { name_connect
> } for  pid=30620 comm="starling" dest=3128
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket
> permissive=0
> 
> The following will fix it for the squid proxy:
> 
> corenet_tcp_connect_squid_port(sshd_t)
> 
> but what if tomorrow I decide to use a different proxy, that uses a
> different port. What is the correct way to set this up so that
> regardless of what proxy is being used on whatever port I don't have
> to update my policy every time?
No clear solution, but you could use "sesearch" and "semanage port" to
get further.

sesearch can list all port types to which sshd may connect:

# sesearch -s sshd_t --allow -c tcp_socket -p name_connect
Found 10 semantic av rules:
   allow sshd_t pki_ca_port_t : tcp_socket { name_bind name_connect } ;
   allow sshd_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t portmap_port_t : tcp_socket name_connect ;
   allow daemon auth_port_t : tcp_socket name_connect ;
   allow sshd_t port_t : tcp_socket { name_bind name_connect } ;
   allow sshd_t reserved_port_type : tcp_socket name_connect ;
   allow sshd_t kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t ocsp_port_t : tcp_socket name_connect ;

You can use "semanage port" to assign port numbers to port types.
The problem here is that no proxy server port types are in the list.

But I think the second rule listed above, mentioning "port_type" allows
sshd to connect to any port type derived from "port_type".  Does

semanage port -a -t port_type -p tcp 3128

work?  I didn't test it, but it may be worth a try.

Regards
 Michael
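
[Editor's note, added to this archived thread; the script below is an added
example and is not code from either poster or from the SELinux tools.]

Two things worth knowing before trying the "semanage port -a -t port_type"
suggestion above. "port_type" in the sesearch output is an attribute, not a
type: "semanage port -a -t" expects a type that carries the port_type
attribute (squid_port_t, http_cache_port_t, ...), so it will not accept the
attribute itself. And because the quoted rule targets the port_type attribute,
it already covers squid_port_t wherever it is in effect; since the AVC was
still denied, the first check is whether that rule is conditional on a
boolean (setools 4 prints the boolean and its current state after each
conditional rule; with setools 3 use "sesearch -C"), and whether the type
really carries the attribute ("seinfo -a port_type -x").

The script below, written for this note, does the cross-check Michael
describes: take the sesearch listing (the one quoted in this thread), look up
which type labels a given TCP port in a "semanage port -l" style listing (a
constructed excerpt here, so it runs offline; regenerate it on a real host),
and report whether the domain reaches that type through a direct rule, only
through an attribute rule that still needs verifying, or not at all.

```shell
#!/bin/sh
# Added example, not code from the thread. Cross-check a TCP port against
# the port types a domain may name_connect to, from two listings:
#   RULES   - output of: sesearch -s sshd_t --allow -c tcp_socket -p name_connect
#   LISTING - output of: semanage port -l
# Both are embedded so the script runs offline: RULES is the listing quoted
# in the thread, LISTING is a constructed excerpt in the real tool's layout.

SESEARCH_OUT='Found 10 semantic av rules:
   allow sshd_t pki_ca_port_t : tcp_socket { name_bind name_connect } ;
   allow sshd_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t portmap_port_t : tcp_socket name_connect ;
   allow daemon auth_port_t : tcp_socket name_connect ;
   allow sshd_t port_t : tcp_socket { name_bind name_connect } ;
   allow sshd_t reserved_port_type : tcp_socket name_connect ;
   allow sshd_t kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow sshd_t ocsp_port_t : tcp_socket name_connect ;'

# Constructed "semanage port -l" excerpt; verify the numbers on your own host.
SEMANAGE_OUT='dns_port_t                     tcp      53, 853
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
ldap_port_t                    tcp      389, 636, 3268, 7389
squid_port_t                   tcp      3128, 3401, 4827
ssh_port_t                     tcp      22'

# port_type_of PORT LISTING: print the type labelling tcp PORT, or port_t
# (the kernel's fallback label) when nothing in LISTING covers it.
# Port specs are comma separated and may be ranges such as 10001-10010.
port_type_of() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                spec = $i; sub(/,$/, "", spec)
                n = split(spec, r, "-")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (p + 0 >= lo && p + 0 <= hi) { print $1; found = 1; exit }
            }
        }
        END { if (!found) print "port_t" }'
}

# connect_targets RULES: the types and attributes the domain may name_connect
# to, one per line. Handles both the setools 3 layout ("t : tcp_socket") and
# the setools 4 layout ("t:tcp_socket"); setools 4 suffixes conditional rules
# with "[ bool ]:True/False", and disabled ones are skipped.
connect_targets() {
    printf '%s\n' "$1" | awk '
        /\]:False$/ { next }
        $1 == "allow" && /tcp_socket/ && /name_connect/ {
            t = $3; sub(/:.*/, "", t); print t
        }'
}

# check_port PORT RULES LISTING prints one of:
#   direct                - a rule names the type that labels PORT
#   attribute <attr,...>  - only attribute rules (names not ending in _t)
#                           could cover it; confirm membership with
#                           "seinfo -a <attr> -x" and that the rule is enabled
#   none                  - no rule reaches the type
check_port() {
    ptype=$(port_type_of "$1" "$3")
    targets=$(connect_targets "$2")
    if printf '%s\n' "$targets" | grep -qxF "$ptype"; then
        echo direct
        return
    fi
    attrs=$(printf '%s\n' "$targets" | grep -v '_t$' | sort -u | paste -s -d, -)
    if [ -n "$attrs" ]; then
        echo "attribute $attrs"
    else
        echo none
    fi
}

# Demo: the squid port from the AVC, an LDAP port, and ssh itself.
for p in 3128 389 22; do
    printf 'sshd_t -> tcp/%s (%s): %s\n' "$p" \
        "$(port_type_of "$p" "$SEMANAGE_OUT")" \
        "$(check_port "$p" "$SESEARCH_OUT" "$SEMANAGE_OUT")"
done
```

On a live system replace the two constants with the real tool output, e.g.
SESEARCH_OUT=$(sesearch -s sshd_t --allow -c tcp_socket -p name_connect) and
SEMANAGE_OUT=$(semanage port -l). A result of "direct" for the proxy's port
is what a policy line such as corenet_tcp_connect_squid_port(sshd_t) buys
you; "attribute port_type,..." is the situation in this thread, where the
answer depends on whether the attribute rule is actually enabled.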



_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx