fedora-selinux May 2009 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: network failures maybe SELinux related?

Re: network failures maybe SELinux related?

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Mon May 18 2009 - 17:49:58 GMT
To: Brian Ginn <BGinn@symark.com>


On 05/18/2009 12:37 PM, Brian Ginn wrote:
> Thanks!
>
> For the listining ports, I've done that.
> For the connecting ports, I pick a random port between 1025..65535, call connect() then if the port
> is in use, increment the port number and try again.
>
> Up until selinex, "permission denied" has not been a connect() error that I've had to deal with.
> I could change it so that "permission denied" also results in incrementing the port number and
> retrying connect().
> ... however looking at the results of 'semanage port -l', most of those ports aren't used by the
> selinux domains they are registered for.
>
> When "hardening" a system, we make sure that various un-needed network services are not installed.
> Should we also remove selinux policy (and port registration) for those services?
>
>
> Thanks,
> Brian
>
> ________________________________________
> From: Daniel J Walsh [dwalsh@redhat.com]
> Sent: Saturday, May 16, 2009 4:49 AM
> To: Brian Ginn
> Cc: 'fedora-selinux-list@redhat.com'
> Subject: Re: network failures maybe SELinux related?
>
> On 05/15/2009 05:48 PM, Brian Ginn wrote:
>> corenet_tcp_bind_all_ports() seems to have solved my problems.
>>
> On what domain? This will allow that domain to bind to any port, if you
> know what port you want to listen on, you might be able to add the port
> using
>
> semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER
>> -Brian
>>
>>
>> From: Brian Ginn
>> Sent: Friday, May 15, 2009 1:44 PM
>> To: 'fedora-selinux-list@redhat.com'
>> Subject: network failures maybe SELinux related?
>>
>> I have a client app run by users, and two server apps run from xinetd.
>> The client connects to server1
>> Server1 connects to server2
>> Server2 connects back to the client app
>>
>> When not confined by SELinux policy. Everything works fine.
>> I can run several hundred iterations without any failures.
>> When confined, but run in permissive mode, Everything works fine. - nothing in audit.log
>>
>> When confined and enforced, it works a few times, then the connection from server1 to server2 fails.
>> Then, after a rest, it works a few times, then the connection from server1 to server2 fails.
>> There is nothing in audit.log.
>> Does anyone have suggestions for constraints or don't audit rules I should look into?
>>
>>
>> Thanks,
>> Brian
>>
>>
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

corenet_tcp_bind_generic_port(DOMAIN)

Will allow you to bind to the first port_t port, IE a port that is not have an SELInux port defined for it. It will dontaudit attempts to bind to ports with SELInux ports defined. -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list