On 05/18/2009 12:37 PM, Brian Ginn wrote:
> For the listening ports, I've done that.
> For the connecting ports, I pick a random port between 1025..65535, call connect() then if the port
> is in use, increment the port number and try again.
> Up until SELinux, "permission denied" has not been a connect() error that I've had to deal with.
> I could change it so that "permission denied" also results in incrementing the port number and
> retrying connect().
> ... however looking at the results of 'semanage port -l', most of those ports aren't used by the
> selinux domains they are registered for.
> When "hardening" a system, we make sure that various un-needed network services are not installed.
> Should we also remove selinux policy (and port registration) for those services?
> From: Daniel J Walsh [firstname.lastname@example.org]
> Sent: Saturday, May 16, 2009 4:49 AM
> To: Brian Ginn
> Cc: 'email@example.com'
> Subject: Re: network failures maybe SELinux related?
> On 05/15/2009 05:48 PM, Brian Ginn wrote:
>> corenet_tcp_bind_all_ports() seems to have solved my problems.
> On what domain? This will allow that domain to bind to any port, if you
> know what port you want to listen on, you might be able to add the port
> semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER
>> From: Brian Ginn
>> Sent: Friday, May 15, 2009 1:44 PM
>> To: 'firstname.lastname@example.org'
>> Subject: network failures maybe SELinux related?
>> I have a client app run by users, and two server apps run from xinetd.
>> The client connects to server1
>> Server1 connects to server2
>> Server2 connects back to the client app
>> When not confined by SELinux policy. Everything works fine.
>> I can run several hundred iterations without any failures.
>> When confined, but run in permissive mode, Everything works fine. - nothing in audit.log
>> When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
>> Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
>> There is nothing in audit.log.
>> Does anyone have suggestions for constraints or don't audit rules I should look into?
Will allow you to bind to the first port_t port, i.e. a port that does not have an SELinux port defined for it. It will dontaudit attempts to bind to ports with SELinux ports defined.

--
fedora-selinux-list mailing list
email@example.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list