Re: httpd and tcp_connect

Wart wrote:
Daniel J Walsh wrote:
The best solution would be to make a loadable policy module, and define a new port, something like

Create a te file like the following

# cat webapp.te
policy_module(webapp, 1.0)

require {
       type httpd_t;
}

# The port type itself. On current reference policy the type also needs the
# port_type attribute (corenet_port(webapp_port_t)) before semanage will
# label ports with it.
type webapp_port_t;

# Allow Apache to open outbound TCP connections to the new port type.
allow httpd_t webapp_port_t:tcp_socket name_connect;

# make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
# semodule -i webapp.pp
# semanage port -a -t webapp_port_t -p tcp 19380-19383

Thanks for the tip. This worked just fine. Now that I have a working policy for this server + web application, I'm trying to get it all packaged up nicely. I've got a policy that works, but to package it properly I'd have to split up rules between the webapp component and the server component, with dependencies between them. I'm sure with some more work I could do this, but it starts to become trickier to package. It seems like it would be much easier to manage if it were all part of the upstream selinux reference policy instead.

What is the best way to go about submitting new policies to be included in the reference policy?


Submit it as a patch to the selinux tycho nsa gov mailing list, and request that it get upstreamed.
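The split Wart describes above, a server module that owns the port type and a web-application module that depends on it, can be expressed with a refpolicy interface. The following script is an added example and is not code from either poster: it writes the two modules into a directory and, on request, builds and installs them in dependency order. The module names webapp_server and webapp_client, the interface name webapp_server_tcp_connect and the Makefile path are assumptions; the port range and type name come from the thread.

```bash
#!/bin/sh
# Added example, not from the thread. Demonstrates two loadable modules with a
# dependency: webapp_server declares webapp_port_t and exports an interface,
# webapp_client calls that interface for httpd_t.
# Assumed names: webapp_server, webapp_client, webapp_server_tcp_connect.

# Module that owns the port type (assumed name: webapp_server).
webapp_server_te() {
cat <<'EOF'
policy_module(webapp_server, 1.0)

type webapp_port_t;
# corenet_port() adds the port_type attribute so that
# `semanage port -a -t webapp_port_t ...` accepts the type.
corenet_port(webapp_port_t)
EOF
}

# Interface file for the server module; the build picks up .if files next to
# the .te files, so other modules can call webapp_server_tcp_connect().
webapp_server_if() {
cat <<'EOF'
## <summary>Web application backend port (example module).</summary>

########################################
## <summary>
##      Connect to the webapp port over TCP.
## </summary>
## <param name="domain">
##      <summary>Domain allowed access.</summary>
## </param>
#
interface(`webapp_server_tcp_connect',`
        gen_require(`
                type webapp_port_t;
        ')

        allow $1 webapp_port_t:tcp_socket name_connect;
')
EOF
}

# Module carrying the web-application rules (assumed name: webapp_client).
webapp_client_te() {
cat <<'EOF'
policy_module(webapp_client, 1.0)

require {
        type httpd_t;
}

# Provided by webapp_server.if: loading this module therefore requires
# webapp_server.pp to be installed first.
webapp_server_tcp_connect(httpd_t)
EOF
}

# Write the three policy sources into the given directory.
write_policy_tree() {
        dir=$1
        mkdir -p "$dir"
        webapp_server_te > "$dir/webapp_server.te"
        webapp_server_if > "$dir/webapp_server.if"
        webapp_client_te > "$dir/webapp_client.te"
}

# Build and install both modules; needs the selinux-policy-devel tooling.
# The Makefile path is the one from the thread; newer distributions ship it
# as /usr/share/selinux/devel/Makefile.
build_and_install() {
        dir=$1
        make -C "$dir" -f /usr/share/selinux/targeted/include/Makefile \
                webapp_server.pp webapp_client.pp
        # Order matters: the client module's gen_require needs webapp_port_t
        # to exist, so the server module goes in first.
        semodule -i "$dir/webapp_server.pp"
        semodule -i "$dir/webapp_client.pp"
        semanage port -a -t webapp_port_t -p tcp 19380-19383
}

case "${1:-}" in
        write)   write_policy_tree "${2:-./webapp-policy}" ;;
        install) write_policy_tree "${2:-./webapp-policy}" \
                 && build_and_install "${2:-./webapp-policy}" ;;
esac
```

Run `sh webapp-policy.sh write` to inspect the generated sources, or `sh webapp-policy.sh install` as root on a box with the policy development files. Because the client module only `gen_require`s the type through the interface, `semodule -r webapp_server` will refuse to remove the server module while the client is loaded, which is exactly the dependency the packaging has to respect.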

