Linux Archive, Fedora SELinux Support: SELinux module to allow a single network port? (http://www.linux-archive.org/fedora-selinux-support/56536-selinux-module-allow-single-network-port.html)

Chris Adams 02-15-2008 04:03 PM

SELinux module to allow a single network port?
 
I originally posted this to the RHEL5 list, but someone pointed me to
this list (I didn't realize there was an SELinux list).

I have done some minor SELinux customizations with a module, and now I'm
trying to do something a little more complicated.

I want to allow a CGI to do a "whois" lookup. It is a perl script that
is attempting to open a TCP socket to port 43. I ran audit2allow, but I
think the generated rule allows CGIs to open outbound sockets to any
port. I'd rather just allow TCP to port 43.

I don't see a defined whois port type, and I don't know quite how to
define it myself in a module.

Help?

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Stephen Smalley 02-15-2008 05:26 PM

SELinux module to allow a single network port?
 
On Fri, 2008-02-15 at 11:03 -0600, Chris Adams wrote:
> I originally posted this to the RHEL5 list, but someone pointed me to
> this list (I didn't realize there was an SELinux list).
>
> I have done some minor SELinux customizations with a module, and now I'm
> trying to do something a little more complicated.
>
> I want to allow a CGI to do a "whois" lookup. It is a perl script that
> is attempting to open a TCP socket to port 43. I ran audit2allow, but I
> think the generated rule allows CGIs to open outbound sockets to any
> port. I'd rather just allow TCP to port 43.
>
> I don't see a defined whois port type, and I don't know quite how to
> define it myself in a module.
>
> Help?

Possibly something like this:

$ vi whois.te
policy_module(whois, 1.0)
type whois_port_t, port_type;
:wq
$ make -f /usr/share/selinux/devel/Makefile whois.pp
$ su
# semodule -i whois.pp
# semanage port -a -t whois_port_t -p tcp 43

--
Stephen Smalley
National Security Agency


Stephen Smalley 02-15-2008 05:33 PM

SELinux module to allow a single network port?
 
On Fri, 2008-02-15 at 13:26 -0500, Stephen Smalley wrote:
> On Fri, 2008-02-15 at 11:03 -0600, Chris Adams wrote:
> > I originally posted this to the RHEL5 list, but someone pointed me to
> > this list (I didn't realize there was an SELinux list).
> >
> > I have done some minor SELinux customizations with a module, and now I'm
> > trying to do something a little more complicated.
> >
> > I want to allow a CGI to do a "whois" lookup. It is a perl script that
> > is attempting to open a TCP socket to port 43. I ran audit2allow, but I
> > think the generated rule allows CGIs to open outbound sockets to any
> > port. I'd rather just allow TCP to port 43.
> >
> > I don't see a defined whois port type, and I don't know quite how to
> > define it myself in a module.
> >
> > Help?
>
> Possibly something like this:
>
> $ vi whois.te
> policy_module(whois, 1.0)

You'd also need a require statement here, a la:
require {
attribute port_type;
}

> type whois_port_t, port_type;
> :wq
> $ make -f /usr/share/selinux/devel/Makefile whois.pp
> $ su
> # semodule -i whois.pp
> # semanage port -a -t whois_port_t -p tcp 43
>
--
Stephen Smalley
National Security Agency

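Putting the two replies together as an added example (a shell script written for this page, not Stephen's code): the module with the require block, the allow rule the CGI domain still needs in order to use the new port type, and the build and labelling steps. The CGI domain httpd_sys_script_t is an assumption; the thread never names it.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes the minimal module from
# the replies above (with the require block from the follow-up) plus the
# allow rule the CGI still needs, then builds, installs and labels the port.
# Assumption: the Perl CGI runs as httpd_sys_script_t; confirm the real
# domain with  ls -Z /var/www/cgi-bin  and  ps -eZ | grep httpd
DOMAIN=${DOMAIN:-httpd_sys_script_t}

# Print the policy source. Until port 43 is labelled it carries the
# generic port_t type, so an audit2allow-style rule on port_t would let
# the domain connect to every port without a more specific label; a
# private type limits the grant to whatever semanage assigns to whois_port_t.
whois_te() {
    cat <<EOF
policy_module(whois, 1.0)

require {
    attribute port_type;
    type ${DOMAIN};
    class tcp_socket name_connect;
}

type whois_port_t, port_type;

# Narrow grant: outbound TCP connect to whois_port_t only.
allow ${DOMAIN} whois_port_t:tcp_socket name_connect;
EOF
}

# Sanity check before loading: the tcp_socket grant names whois_port_t
# and nothing in the module targets the catch-all port_t.
check_narrow() {
    whois_te | grep -q "^allow ${DOMAIN} whois_port_t:tcp_socket name_connect;" &&
    ! whois_te | grep -q '[[:space:]]port_t:'
}

# Build (needs selinux-policy-devel), load, then label the port. Labelling
# must follow semodule -i, since the type has to exist in the loaded policy.
# If whois_port_t is already defined by the base policy (seinfo -t whois_port_t),
# drop the type line above; if port 43 already has a label, use -m instead of -a.
install_module() {
    check_narrow || { echo 'module is broader than intended' >&2; return 1; }
    whois_te > whois.te
    make -f /usr/share/selinux/devel/Makefile whois.pp
    semodule -i whois.pp
    semanage port -a -t whois_port_t -p tcp 43
}

if [ "${1:-}" = install ]; then install_module; fi
```

Run it with the single argument `install` as root after reviewing the output of `whois_te`; without the argument it only defines the functions.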

Chris Adams 02-15-2008 06:16 PM

SELinux module to allow a single network port?
 
Once upon a time, Stephen Smalley <sds@tycho.nsa.gov> said:
> # semanage port -a -t whois_port_t -p tcp 43

This was the part I was missing; I have it working now. Thanks!
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

