network failures maybe SELinux related?

Daniel J Walsh dwalsh at redhat.com
Mon May 18 17:50:43 UTC 2009


On 05/18/2009 01:49 PM, Daniel J Walsh wrote:
> On 05/18/2009 12:37 PM, Brian Ginn wrote:
>> Thanks!
>>
>> For the listening ports, I've done that.
>> For the connecting ports, I pick a random port between 1025..65535,
>> call connect() then if the port
>> is in use, increment the port number and try again.
>>
>> Up until SELinux, "permission denied" has not been a connect() error
>> that I've had to deal with.
>> I could change it so that "permission denied" also results in
>> incrementing the port number and
>> retrying connect().
>> ... however looking at the results of 'semanage port -l', most of
>> those ports aren't used by the
>> selinux domains they are registered for.
>>
>> When "hardening" a system, we make sure that various un-needed network
>> services are not installed.
>> Should we also remove selinux policy (and port registration) for those
>> services?
>>
>>
>> Thanks,
>> Brian
>>
>> ________________________________________
>> From: Daniel J Walsh [dwalsh at redhat.com]
>> Sent: Saturday, May 16, 2009 4:49 AM
>> To: Brian Ginn
>> Cc: 'fedora-selinux-list at redhat.com'
>> Subject: Re: network failures maybe SELinux related?
>>
>> On 05/15/2009 05:48 PM, Brian Ginn wrote:
>>> corenet_tcp_bind_all_ports() seems to have solved my problems.
>>>
>> On what domain? This will allow that domain to bind to any port, if you
>> know what port you want to listen on, you might be able to add the port
>> using
>>
>> semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER
>>> -Brian
>>>
>>>
>>> From: Brian Ginn
>>> Sent: Friday, May 15, 2009 1:44 PM
>>> To: 'fedora-selinux-list at redhat.com'
>>> Subject: network failures maybe SELinux related?
>>>
>>> I have a client app run by users, and two server apps run from xinetd.
>>> The client connects to server1
>>> Server1 connects to server2
>>> Server2 connects back to the client app
>>>
>>> When not confined by SELinux policy, everything works fine.
>>> I can run several hundred iterations without any failures.
>>> When confined, but run in permissive mode, everything works fine -
>>> nothing in audit.log
>>>
>>> When confined and enforced, it works a few times, then the connection
>>> from server1 to server2 fails.
>>> Then, after a rest, it works a few times, then the connection from
>>> server1 to server2 fails.
>>> There is nothing in audit.log.
>>> Does anyone have suggestions for constraints or don't audit rules I
>>> should look into?
>>>
>>>
>>> Thanks,
>>> Brian
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
> corenet_tcp_bind_generic_port(DOMAIN)
>
> Will allow you to bind to the first port_t port, i.e. a port that does
> not have an SELinux port defined for it. It will dontaudit attempts to bind
> to ports with SELinux ports defined.
>
>
corenet_tcp_connect_generic_port(DOMAIN) for connections
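Added example, not part of the thread: the failure Brian describes comes from picking a source port at random in 1025..65535, which now and then lands on a port that policy has labelled for some other service (a `*_port_t` other than `port_t`), so connect() gets EACCES, and because the generic-port interfaces carry dontaudit rules nothing reaches audit.log. The script below, written for this page, resolves a port number against a CONSTRUCTED excerpt in the layout of `semanage port -l` (substitute the real output on a live host) and then emulates the "increment and retry" loop by skipping every port that is not `port_t`, i.e. the ports `corenet_tcp_connect_generic_port(DOMAIN)` would permit. The function names and the table contents are this example's own.

```shell
#!/bin/sh
# Added example: map a port to its SELinux port type and find the next
# port a generic-port interface would allow.  PORT_TABLE is a CONSTRUCTED
# excerpt in the format of `semanage port -l`; on a real host replace it
# with:  PORT_TABLE=$(semanage port -l | sed 1,2d)
PORT_TABLE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
smtp_port_t                    tcp      25, 465, 587
mysqld_port_t                  tcp      1186, 3306
postgresql_port_t              tcp      5432
ipp_port_t                     tcp      631
xserver_port_t                 tcp      6000-6020'

# port_type PORT PROTO
# Prints the port type that owns PORT for PROTO, or port_t when no
# entry covers it (the "generic" case the corenet_*_generic_port
# interfaces allow).  Handles both single ports and lo-hi ranges.
port_type() {
    port=$1; proto=$2
    found=$(printf '%s\n' "$PORT_TABLE" | while read -r ptype tproto list; do
        [ "$tproto" = "$proto" ] || continue
        for item in $(printf '%s' "$list" | tr ',' ' '); do
            case $item in
                *-*) lo=${item%-*}; hi=${item#*-} ;;
                *)   lo=$item;      hi=$item ;;
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                printf '%s' "$ptype"
                exit 0      # leave the pipeline subshell on first match
            fi
        done
    done)
    printf '%s\n' "${found:-port_t}"
}

# next_generic_port START PROTO
# Emulates "increment the port and retry" on permission denied: walks
# upward from START and prints the first port labelled port_t, which is
# the first one a domain with only the generic-port rule can connect to.
next_generic_port() {
    p=$1; proto=$2
    while [ "$p" -le 65535 ]; do
        if [ "$(port_type "$p" "$proto")" = port_t ]; then
            printf '%s\n' "$p"
            return 0
        fi
        p=$((p + 1))
    done
    return 1
}

# Demo: a randomly chosen 3306 is mysqld_port_t and would be denied
# (and dontaudited); the retry loop moves on to 3307.
for candidate in 3306 6010 8443 40000; do
    printf 'port %-5s tcp -> %s\n' "$candidate" "$(port_type "$candidate" tcp)"
done
printf 'first usable port from 3306: %s\n' "$(next_generic_port 3306 tcp)"
```

Two practical notes. First, the retry loop only narrows the window: any port type added later (for example by `semanage port -a`) becomes a new silent failure, which is why Dan's advice is to give the daemon a port type of its own and register it, `semanage port -a -t MISTERYDOMAIN_port_t -p tcp PORTNUMBER` in the thread's placeholder form, rather than relying on unlabelled ports. Second, the absence of AVC messages is expected here because of the dontaudit rules; `semodule -DB` rebuilds the policy with dontaudit rules stripped so the denials show up in audit.log while you debug, and `semodule -B` restores them.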