Allowing httpd to connect to specific sockets

Daniel J Walsh dwalsh at redhat.com
Fri Sep 28 15:22:10 UTC 2007



Ian Lists wrote:
> This howto is exactly what I have been looking for.  I am trying to allow apache to connect to a listening stunnel process at localhost:9002. I think I have created mystunnel.te correctly, but I keep getting errors when I try to run the make against it.  
> 
> Here are the steps I have taken so far.
> 
> 
> # cat > mystunnel.te << _EOF
> policy_module(mystunnel,1.0.0)
> 
> gen_require(`
>     type httpd_t;
> ')
> 
> type stunnel_port_t;
> corenet_port(stunnel_port_t)
> 
> allow httpd_t stunnel_port_t:tcp_socket name_connect;
> _EOF
> 
> # make -f/usr/share/selinux/devel/Makefile
> Compiling targeted mystunnel module
> /usr/bin/checkmodule:  loading policy configuration from tmp/mystunnel.tmp
> mystunnel.te:8:ERROR 'syntax error' at token 'corenet_port' on line 77035:
> type stunnel_port_t;
> corenet_port(stunnel_port_t)
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/mystunnel.mod] Error 1
> 
>
What version of the policy are you using?

You can just remove this corenet_port call for now; I believe
everything will still work.

grep -r corenet_port /usr/share/selinux/devel/include

> 
> Thanks,
> 
> Ian
> 
> 
> ----- Original Message -----
> From: "Daniel J Walsh" <dwalsh at redhat.com>
> To: "Jason L Tibbitts III" <tibbs at math.uh.edu>
> Cc: fedora-selinux-list at redhat.com
> Sent: Monday, September 24, 2007 5:55:39 PM (GMT-0500) America/New_York
> Subject: Re: Allowing httpd to connect to specific sockets
> 
> Jason L Tibbitts III wrote:
>> So I have this AVC:
> 
>> avc:  denied  { name_connect } for  pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> 
>> which comes from a PHP script trying to open a socket.  This is no big
>> deal.  I believe that setting httpd_can_network_connect should fix it.
>> However, I was wondering if it's possible to restrict the destination
>> port to 9680, or restrict the destination host at all?
> 
>>  - J<
> 
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Hope you don't mind but I answered in my blog.
> 
> 
> http://danwalsh.livejournal.com/12928.html
> 
> 
> 

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
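Dan's advice above, turned into a script as an added example (not code from the thread or from the Fedora policy): it writes the mystunnel.te from the thread, keeps the corenet_port() call only when the installed devel headers define it (the grep he suggests), builds and loads the module, and then labels TCP port 9002 with stunnel_port_t, a step the thread's .te alone does not perform. The DEVEL_DIR variable, the deploy function and the semanage port labelling are assumptions of this example; the module name, type name and port 9002 come from the thread.

```shell
# Added example, not code from the thread. Builds the mystunnel module discussed
# above, keeping the corenet_port() call only when the installed policy headers
# define it (the grep Dan suggests), then loads the module and labels TCP port
# 9002 so the name_connect rule matches that port only. Assumed: the module
# name, type name and port come from the thread; DEVEL_DIR is the devel tree.

DEVEL_DIR=${DEVEL_DIR:-/usr/share/selinux/devel}

# Returns 0 when the installed headers provide the corenet_port() interface.
have_corenet_port() {
    grep -rqs 'corenet_port' "$DEVEL_DIR/include"
}

# Write mystunnel.te to $1; with $2 = yes the corenet_port() line is kept.
write_mystunnel_te() {
    out=$1; use_iface=$2
    {
        echo 'policy_module(mystunnel, 1.0.0)'
        echo 'gen_require(`'
        echo '    type httpd_t;'
        echo "')"
        echo 'type stunnel_port_t;'
        if [ "$use_iface" = yes ]; then
            echo 'corenet_port(stunnel_port_t)'
        fi
        echo '# Only httpd_t, only stunnel_port_t: narrower than httpd_can_network_connect'
        echo 'allow httpd_t stunnel_port_t:tcp_socket name_connect;'
    } > "$out"
}

# Build, load and label; run as root from the directory that will hold the .te.
deploy_mystunnel() {
    if ! command -v semodule >/dev/null 2>&1; then
        echo 'skipping: SELinux policy tools not installed' >&2
        return 0
    fi
    if have_corenet_port; then use=yes; else use=no; fi
    write_mystunnel_te mystunnel.te "$use"
    make -f "$DEVEL_DIR/Makefile" || return 1
    semodule -i mystunnel.pp || return 1
    # Until the port is labelled it stays port_t (as in the AVC quoted above) and
    # the new rule never matches. semanage refuses types lacking the port_type
    # attribute, which corenet_port() normally supplies.
    semanage port -a -t stunnel_port_t -p tcp 9002
}
```

Source the file and call deploy_mystunnel; afterwards `semanage port -l | grep stunnel_port_t` should list 9002, and the httpd AVC for that destination should stop.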
