On 3/20/19 7:10 AM, SZIGETVÁRI János wrote:
Dear Oleg,
Thank you, that seems to have done the trick. The necessary modifications for the policy were the following:
allow ABCD_t self:unix_dgram_socket { create connect getattr setopt read write}; allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt read write };
Thanks again!
Obvious question is why are these being dontaudit'd by Fedora policy.
Best Regards, János Szigetvári -- Janos SZIGETVARI RHCE, License no. 150-053-692 https://www.redhat.com/rhtapps/verify/?certId=150-053-692
LinkedIn: linkedin.com/in/janosszigetvari http://linkedin.com/in/janosszigetvari E-mail: janos@szigetvari.com mailto:janos@szigetvari.com, jszigetvari@gmail.com mailto:jszigetvari@gmail.com Phone: +36209440412 (Hungary)
__@__˚V˚ Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Oleg Cherkasov <o1e9.cherkasov@yandex.com mailto:o1e9.cherkasov@yandex.com> ezt írta (időpont: 2019. márc. 19., K, 21:37):
On 19.03.2019 21:23, SZIGETVÁRI János wrote: > Dear Members, > > Sorry for bothering you with my questions but I am kind of stuck with my > problem, that's why I turn to you now. > > I am in the process of creating a SELinux policy for a software module, > of a larger application. > The module is simply a server, that listens on a port, and forwards the > received information through a Unix domain socket to the main application. > I got most parts of the policy right by now, in the sense that the > module can start, and I don't see any AVC denied entries in the SELinux > audit log. > > The relevant parts of my policy are the following (I have substituted > the module's name with ABCD): > > type ABCD_t; > type ABCD_port_t; > > corenet_port(ABCD_port_t); > > corenet_tcp_bind_generic_node(ABCD_t); > corenet_tcp_sendrecv_generic_node(ABCD_t); > corenet_tcp_sendrecv_generic_if(ABCD_t); > allow ABCD_t ABCD_port_t:tcp_socket { name_bind }; > > allow ABCD_t self:unix_dgram_socket { create connect getattr setopt }; > allow ABCD_t self:tcp_socket { accept bind create getattr listen setopt }; > > > In the policy builder script also use > > semanage port -a -t ABCD_port_t -p tcp 1234 2>/dev/null || semanage port > -m -t ABCD_port_t -p tcp 1234 2>/dev/null > > > What I see with my current policy (with SELinux in Enforcing mode), is > that the module starts up seemingly okay, it binds to the appropriate > port, but see errors like this: > > 2019-03-19T16:08:14.314+0100 ERROR HTTP server error when > serving connection "172.16.0.90:5986 <http://172.16.0.90:5986> > <http://172.16.0.90:5986>"<->"172.16.0.92:53952 <http://172.16.0.92:53952> > <http://172.16.0.92:53952>": error when reading request headers: read > tcp4 172.16.0.90:5986->172.16.0.92:53952 <http://172.16.0.92:53952> <http://172.16.0.92:53952>: > read: permission denied > 2019-03-19T16:08:14.315+0100 ERROR HTTP server error when > serving connection "172.16.0.90:5986 <http://172.16.0.90:5986> > <http://172.16.0.90:5986>"<->"172.16.0.92:53953 <http://172.16.0.92:53953> > <http://172.16.0.92:53953>": error when reading request headers: read > tcp4 172.16.0.90:5986->172.16.0.92:53953 <http://172.16.0.92:53953> <http://172.16.0.92:53953>: > read: permission denied > > > In addition to this, I see nothing in the SELinux audit log, and when I > put SELinux in permissive mode, things start working again. > I am puzzled at this point why I'm not seeing anything in audit.log. If > it is in deed SELinux that's blocking the read attempts, then there > should be some information about that. Right? > You may try to disable DONTAUDIT rules temporarily and see if you receive any clues in the audit log: semodule -DB Then you are done turn it off: semodule -B _______________________________________________ selinux mailing list -- selinux@lists.fedoraproject.org <mailto:selinux@lists.fedoraproject.org> To unsubscribe send an email to selinux-leave@lists.fedoraproject.org <mailto:selinux-leave@lists.fedoraproject.org> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...