tor_t: actually allowed tcp ports

Lukas Vrabec lvrabec at redhat.com
Sat Apr 11 11:01:58 UTC 2015


On 04/10/2015 04:13 PM, Nusenu wrote:
>>>>> What are the TCP ports that processes in the tor_t domain
>>>>> are actually allowed to bind to? (with
>>>>> tor_bind_all_unreserved_ports --> off and tor_can_network_relay
>>>>> --> on)
>>>>>
>>>>>
>>>>> semanage gives me: tor_port_t         tcp      6969, 9001,
>>>>> 9030, 9050, 9051, 9150
>>>>>
>>>>> But tor can bind to 80, 443 or 9000 without problems (while,
>>>>> for example, 5000 is not allowed -> AVCs).
>>> If you need some custom port for tor to bind to and you won't use
>>> the 'tor_bind_all_unreserved_ports' boolean, you could use the semanage
>>> tool to label your custom port as tor_port_t. Example:
>>> semanage port -a -t tor_port_t -p tcp 5000
> That sounds great for allowing it to run without allowing more than
> needed, but unfortunately it does not work for every port:
>
> ValueError: Port tcp/5000 already defined
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Hi,
If you need to bind to an already defined port, there is a way to make a
"local" policy with a rule allowing this.
To build a local policy, follow these steps:
     1. Generate the AVC (in your case, tor binding to port 5000)
     2. Store this AVC in some file (like tor_local.txt)
     3. use: $ cat ./tor_local.txt | audit2allow -M tor_local
     4. use: # semodule -i tor_local.pp

Now tor_t domain can bind to port 5000.

Last thing: be careful with this. For security reasons, make local
policies when you know what you are allowing.

-- 

Thank you.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
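The advice above ends with "know what you are allowing", so the following added example (not part of the thread, not audit2allow, and not Red Hat code) shows what steps 1 to 3 actually produce: it parses AVC denial lines into the minimal .te policy module that `audit2allow -M` would build, and then reviews the resulting allow rules for targets that cover a whole port range rather than a single labelled port. The AVC line is constructed, and `example_port_t` is a placeholder for whatever type `semanage port -l` reports for tcp/5000 on a given system.

```python
"""Turn SELinux AVC denials into a minimal local policy module (.te) and
review it.  Constructed illustration of what `audit2allow -M tor_local`
generates; it is not audit2allow itself and not Red Hat's code."""
import re
from collections import defaultdict

# Constructed AVC line: tor (domain tor_t) denied name_bind on TCP port 5000.
# 'example_port_t' is a placeholder for the real label of tcp/5000.
SAMPLE_AVC = (
    'type=AVC msg=audit(1428666000.123:456): avc:  denied  { name_bind } '
    'for  pid=1234 comm="tor" src=5000 '
    'scontext=system_u:system_r:tor_t:s0 '
    'tcontext=system_u:object_r:example_port_t:s0 '
    'tclass=tcp_socket permissive=0'
)

# Context strings are user:role:type:level; we only need the type field.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+)'
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+)'
    r'.*?tclass=(?P<tclass>\w+)'
)

# Port types that stand for a whole range of ports, not one labelled port.
BROAD_PORT_TYPES = {"port_t", "unreserved_port_t", "reserved_port_t",
                    "ephemeral_port_t"}


def parse_avc(line):
    """Return (source type, target type, class, permissions) or None for
    lines that are not AVC denials (SYSCALL records, etc.)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (m["stype"], m["ttype"], m["tclass"],
            tuple(sorted(m["perms"].split())))


def _fmt_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te(module_name, avc_lines):
    """Aggregate denials into a .te module: header, require block, allow rules."""
    rules = defaultdict(set)  # (stype, ttype, tclass) -> permissions
    for line in avc_lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)].update(perms)

    types = sorted({t for key in rules for t in key[:2]})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass].update(perms)

    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {_fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def review_te(module_text):
    """Flag allow rules whose target type is a whole port range: such a rule
    grants far more than the single port the AVC was about."""
    findings = []
    for m in re.finditer(r"^allow (\w+) (\w+):(\w+) ", module_text, re.M):
        stype, ttype, _ = m.groups()
        if ttype in BROAD_PORT_TYPES:
            findings.append(f"{stype} -> {ttype}: grants every port of that "
                            "range; prefer a per-port label or the matching boolean")
    return findings


if __name__ == "__main__":
    te = build_te("tor_local", [SAMPLE_AVC])
    print(te)
    for finding in review_te(te):
        print("WARNING:", finding)
    # Remaining steps run on the target host, not here:
    #   checkmodule -M -m -o tor_local.mod tor_local.te
    #   semodule_package -o tor_local.pp -m tor_local.mod
    #   semodule -i tor_local.pp
```

Reading the generated module before `semodule -i` is the "know what you are allowing" check: a rule against `example_port_t` opens only the ports carrying that label, whereas a rule against `unreserved_port_t` would be roughly what the `tor_bind_all_unreserved_ports` boolean already offers, just without the ability to switch it off.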
