fedora-selinux February 2008 archive

Re: SELinux module to allow a single network port?

From: Stephen Smalley <sds_at_nospam>
Date: Fri Feb 15 2008 - 18:26:42 GMT
To: Chris Adams <cmadams@hiwaay.net>

On Fri, 2008-02-15 at 11:03 -0600, Chris Adams wrote:
> I originally posted this to the RHEL5 list, but someone pointed me to
> this list (I didn't realize there was an SELinux list).
>
> I have done some minor SELinux customizations with a module, and now I'm
> trying to do something a little more complicated.
>
> I want to allow a CGI to do a "whois" lookup. It is a perl script that
> is attempting to open a TCP socket to port 43. I ran audit2allow, but I
> think the generated rule allows CGIs to open outbound sockets to any
> port. I'd rather just allow TCP to port 43.
>
> I don't see a defined whois port type, and I don't know quite how to
> define it myself in a module.
>
> Help?

Possibly something like this:

$ vi whois.te
policy_module(whois, 1.0)
type whois_port_t, port_type;
:wq
$ make -f /usr/share/selinux/devel/Makefile whois.pp
$ su
# semodule -i whois.pp
# semanage port -a -t whois_port_t -p tcp 43

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
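The reply above declares the port type but leaves the allow rule itself to the reader. As an added example, not part of the original thread, the script below writes a complete module that grants only the CGI domain access to that one port, then builds, installs and labels it; it assumes the CGI runs as httpd_sys_script_t (the usual domain for scripts under /var/www/cgi-bin) and that TCP port 43 is not already labelled.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: the CGI
# domain is httpd_sys_script_t and port 43 is currently unlabelled.
set -eu

# Emit the policy source. Unlike the audit2allow output the poster saw,
# the allow rule names a single port type rather than all ports.
whois_te_text() {
    cat <<'EOF'
policy_module(whois, 1.0)

gen_require(`
	attribute port_type;
	type httpd_sys_script_t;
')

# Port type for TCP/43. It must carry the port_type attribute so that
# semanage can bind a port number to it.
type whois_port_t, port_type;

# Let CGI scripts run by httpd connect to whois_port_t and nothing else.
allow httpd_sys_script_t whois_port_t:tcp_socket name_connect;
EOF
}

# Build, install and label the port. Needs selinux-policy-devel and root.
install_whois_module() {
    whois_te_text > whois.te
    make -f /usr/share/selinux/devel/Makefile whois.pp
    semodule -i whois.pp
    semanage port -a -t whois_port_t -p tcp 43
    # Checks worth running afterwards: the port is labelled, and the
    # only name_connect rule to it comes from the CGI domain.
    semanage port -l | grep whois_port_t
    sesearch --allow -s httpd_sys_script_t -t whois_port_t -c tcp_socket
}

# Run as "sh whois.sh install" on the target host; sourcing the file
# only defines the functions.
case "${1:-}" in
    install) install_whois_module ;;
esac
```

If a denial remains after this, the AVC message will name a different class or target than tcp_socket/whois_port_t, and that is what the next rule should address rather than widening the port set.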