Re: setting that ports httpd can connect to

Zdenek Pytela <zpytela@xxxxxxxxxx> · Mon, 13 Nov 2023 10:04:38 +0100

On Mon, Nov 6, 2023 at 5:47 AM Orion Poplawski <orion@xxxxxxxx> wrote:
On 11/5/23 18:46, Orion Poplawski wrote:

> Would there be any objections to moving the cobbler SELinux policy into 

> the Fedora cobbler package as has been done with other packages?

As a follow up:

cobbler is shifting to use a gunicorn started service to provide the 

XML-RPC interface that was previously done with a mod_wsgi interface. 

So we are going from:

WSGIScriptAliasMatch ^/cblr/svc/([^/]*) @@webroot@@/cobbler/svc/services.py

ProxyPass /cobbler_api http://127.0.0.1:25151/

with port 25151 being defined as the "cobbler" port which the sebool 

httpd_can_network_connect_cobbler enables httpd to connect to.

To:

ProxyPass /cblr/svc/ http://localhost:8000/

ProxyPass /cobbler_api http://127.0.0.1:25151/

so now two ports to serve cobbler.

What the current thinking on tuning what httpd can connect to?
Hi Orion,

The 8080 port is assigned the http_cache_port_t type. These booleans are available for httpd:

# sesearch -A -s httpd_t -t http_cache_port_t -c tcp_socket -p name_connect

allow httpd_t http_cache_port_t:tcp_socket name_connect; [ httpd_can_network_relay ]:True

allow httpd_t port_type:tcp_socket name_connect; [ httpd_can_network_connect ]:True

Does that answer your question?

Thanks.

-- 

Orion Poplawski

he/him/his  - surely the least important thing about me

IT Systems Manager                         720-772-5637

NWRA, Boulder/CoRA Office             FAX: 303-415-9702

3380 Mitchell Lane                       orion@xxxxxxxx

Boulder, CO 80301                 https://www.nwra.com/

_______________________________________________

selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx

To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx

Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

-- 

Zdenek Pytela
Security SELinux team
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue