Re: Allowing httpd to connect to specific sockets
- From: Ian Lists <ian-list securitypimp com>
- To: fedora-selinux-list redhat com
- Subject: Re: Allowing httpd to connect to specific sockets
- Date: Fri, 28 Sep 2007 14:48:15 +0000 (UTC)
This howto is exactly what I have been looking for. I am trying to allow apache to connect to a listening stunnel process at localhost:9002. I think I have created mystunnel.te correctly, but I keep getting errors when I try to run the make against it.
Here are the steps I have taken so far.
# cat > mystunnel.te << _EOF
policy_module(mystunnel,1.0.0)
gen_require(\`
type httpd_t;
')
type stunnel_port_t;
corenet_port(stunnel_port_t)
allow httpd_t stunnel_port_t:tcp_socket name_connect;
_EOF
# make -f/usr/share/selinux/devel/Makefile
Compiling targeted mystunnel module
/usr/bin/checkmodule: loading policy configuration from tmp/mystunnel.tmp
mystunnel.te:8:ERROR 'syntax error' at token 'corenet_port' on line 77035:
type stunnel_port_t;
corenet_port(stunnel_port_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/mystunnel.mod] Error 1
Thanks,
Ian
----- Original Message -----
From: "Daniel J Walsh" <dwalsh redhat com>
To: "Jason L Tibbitts III" <tibbs math uh edu>
Cc: fedora-selinux-list redhat com
Sent: Monday, September 24, 2007 5:55:39 PM (GMT-0500) America/New_York
Subject: Re: Allowing httpd to connect to specific sockets
Jason L Tibbitts III wrote:
> So I have this AVC:
>
> avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> which comes from a PHP script trying to open a socket. This is no big
> deal. I believe that setting httpd_can_network_connect should fix it.
> However, I was wondering if it's possible to restrict the destination
> port to 9680, or restrict the destination host at all?
>
> - J<
>
Hope you don't mind but I answered in my blog.
http://danwalsh.livejournal.com/12928.html
--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
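An added example, not code from this thread or from the Fedora policy: a small POSIX shell parser for an AVC denial of the kind Jason quoted, which pulls out the source domain, destination port and port label, and reports whether the port still carries the generic port_t label (the sample line is copied from the quoted denial; the stunnel_port_t line in the test is constructed).

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample, copied from the
# name_connect denial quoted above:
AVC_SAMPLE='avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> prints the value of KEY=value (surrounding quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> prints the permission named inside the braces
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field of a user:role:type:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_port_label_class LINE -> "generic" when the destination port carries the
# catch-all port_t label, "specific" when it already has a dedicated port type.
# Against port_t nothing narrower than httpd_can_network_connect can be
# granted; a dedicated type (assigned with semanage port) is what lets a
# policy allow name_connect to that one port only.
avc_port_label_class() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        port_t) echo generic ;;
        *)      echo specific ;;
    esac
}

# advise LINE -> one-line summary for whoever is reading the audit log
advise() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    port=$(avc_field "$1" dest)
    if [ "$(avc_perm "$1")" = name_connect ] && [ "$(avc_port_label_class "$1")" = generic ]; then
        echo "$src -> tcp/$port denied; port is unlabeled (port_t): assign a dedicated port type, then allow name_connect to that type only"
    else
        echo "$src -> tcp/$port denied ($(avc_perm "$1")); port already has type $(ctx_type "$(avc_field "$1" tcontext)")"
    fi
}

advise "$AVC_SAMPLE"
```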