Re: setting that ports httpd can connect to

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Mon, Nov 6, 2023 at 5:47 AM Orion Poplawski <orion@xxxxxxxx> wrote:
On 11/5/23 18:46, Orion Poplawski wrote:
> Would there be any objections to moving the cobbler SELinux policy into
> the Fedora cobbler package as has been done with other packages?

As a follow up:

cobbler is shifting to use a gunicorn started service to provide the
XML-RPC interface that was previously done with a mod_wsgi interface.
So we are going from:

WSGIScriptAliasMatch ^/cblr/svc/([^/]*) @@webroot@@/cobbler/svc/services.py
ProxyPass /cobbler_api http://127.0.0.1:25151/

with port 25151 being defined as the "cobbler" port which the sebool
httpd_can_network_connect_cobbler enables httpd to connect to.

To:

ProxyPass /cblr/svc/ http://localhost:8000/
ProxyPass /cobbler_api http://127.0.0.1:25151/

so now two ports to serve cobbler.

What the current thinking on tuning what httpd can connect to?
Hi Orion,

The 8080 port is assigned the http_cache_port_t type. These booleans are available for httpd:


# sesearch -A -s httpd_t -t http_cache_port_t -c tcp_socket -p name_connect
allow httpd_t http_cache_port_t:tcp_socket name_connect; [ httpd_can_network_relay ]:True
allow httpd_t port_type:tcp_socket name_connect; [ httpd_can_network_connect ]:True

Does that answer your question?


Thanks.

--
Orion Poplawski
he/him/his  - surely the least important thing about me
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--

Zdenek Pytela
Security SELinux team
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux