tor_t: actually allowed tcp ports

Lukas Vrabec lvrabec at redhat.com
Thu Apr 9 14:26:13 UTC 2015


On 04/07/2015 09:03 AM, Miroslav Grepl wrote:
>
> On 04/06/2015 08:33 PM, Nusenu wrote:
>> Hi,
>>
>> what are the TCP ports that processes in the tor_t domain are
>> actually allowed to bind to? (with tor_bind_all_unreserved_ports
>> --> off, tor_can_network_relay --> on)
>>
>>
>> semanage gives me: tor_port_t         tcp      6969, 9001, 9030,
>> 9050, 9051, 9150
>>
>> but tor can bind to 80,443 or 9000 without problems. (but for
>> example 5000 is not allowed -> AVCs)
If you need some custom port for tor to bind to and you won't use the 
'tor_bind_all_unreserved_ports' boolean, you can use the semanage tool to 
label your custom port as tor_port_t.
Example: semanage port -a -t tor_port_t -p tcp 5000
>>
>> Used policy version: selinux-policy-targeted-3.13.1-23.el7.noarch
>>
>>
>> Is there already a boolean that allows binding to arbitrary ports,
>> as suggested here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=544546#c5
> You can use sesearch to check it
>
> $ sesearch -A -s tor_t -c tcp_socket -p name_bind -C
>
>
> Or you can use sepolicy which gets you what you want to see
>
> $ sepolicy network -d tor_t
>
>> thanks, Nusenu
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
> - -- 
> Miroslav Grepl
> Software Engineering, SELinux Solutions
> Red Hat, Inc.

Thank you.

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
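
The thread's method for answering "which ports may tor_t bind to" is a join of two tools: sesearch tells you which port *types* a domain may name_bind on tcp_socket (some rules only under a boolean), and semanage port -l tells you which port *numbers* carry each type. The script below, added here as an example and not code from the thread or from the selinux-policy project, performs that join offline on constructed stand-ins for the two outputs. Assumptions: the sesearch lines follow the setools 4 one-line format, the unreserved_port_t rule guarded by tor_bind_all_unreserved_ports is assumed for illustration, and the http_port_t and unreserved_port_t semanage lines are illustrative; only the tor_port_t line reproduces what the thread quotes. Because the samples do not encode the whole policy, the script reports port 80 as denied; run the same functions on real sesearch and semanage output to see which rule actually covers 80 and 443 on your system.

```shell
#!/bin/sh
# Added example (not from the thread or the selinux-policy project):
# resolve the TCP ports an SELinux domain may bind() to by joining
# sesearch (port types the domain may name_bind) with semanage port -l
# (port numbers that carry each type).

# Constructed stand-in for:
#   sesearch -A -s tor_t -c tcp_socket -p name_bind -C
# in setools 4 format. The unreserved_port_t rule and its boolean guard
# are assumed for illustration.
SESEARCH_SAMPLE='allow tor_t tor_port_t:tcp_socket name_bind;
allow tor_t unreserved_port_t:tcp_socket name_bind; [ tor_bind_all_unreserved_ports ]:True'

# Constructed stand-in for `semanage port -l`. The tor_port_t line is the
# one quoted in the thread; the other two lines are illustrative.
SEMANAGE_SAMPLE='http_port_t                    tcp      80, 443, 8080
tor_port_t                     tcp      6969, 9001, 9030, 9050, 9051, 9150
unreserved_port_t              tcp      1024-65535'

# bind_port_types DOMAIN SESEARCH_OUTPUT "BOOL1 BOOL2 ..."
# Prints, one per line, the port types DOMAIN may name_bind on tcp_socket.
# A conditional rule ("[ bool ]:True") is kept only when the boolean's
# state matches; the third argument lists the booleans that are on.
bind_port_types() {
    printf '%s\n' "$2" | awk -v dom="$1" -v on=" $3 " '
        $1 == "allow" && $2 == dom && $3 ~ /:tcp_socket$/ && /name_bind/ {
            ptype = $3
            sub(/:tcp_socket$/, "", ptype)
            if (match($0, /\[ [A-Za-z0-9_]+ \]:(True|False)/)) {
                split(substr($0, RSTART, RLENGTH), c, " ")
                want = (c[3] == "]:True") ? 1 : 0
                have = (index(on, " " c[2] " ") > 0) ? 1 : 0
                if (want != have) next
            }
            print ptype
        }' | sort -u
}

# port_type_of PORT SEMANAGE_OUTPUT
# Prints the tcp port type labelling PORT. An exact port entry wins over
# a low-high range; prints nothing if no line claims the port.
port_type_of() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)
                if (p == port) {
                    exact = $1
                } else if (p ~ /^[0-9]+-[0-9]+$/ && range == "") {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) range = $1
                }
            }
        }
        END { if (exact != "") print exact; else if (range != "") print range }'
}

# can_bind DOMAIN PORT SESEARCH_OUTPUT SEMANAGE_OUTPUT "BOOLS_ON"
# Prints the port type whose rule grants the bind, or "denied".
can_bind() {
    ptype=$(port_type_of "$2" "$4")
    [ -n "$ptype" ] || { echo denied; return 0; }
    for t in $(bind_port_types "$1" "$3" "$5"); do
        [ "$t" = "$ptype" ] && { echo "$t"; return 0; }
    done
    echo denied
}

# Walk the thread's scenario: tor_bind_all_unreserved_ports off, then on.
for p in 9050 5000 80; do
    printf 'tor_t -> tcp/%-5s bool off: %-18s bool on: %s\n' "$p" \
        "$(can_bind tor_t "$p" "$SESEARCH_SAMPLE" "$SEMANAGE_SAMPLE" "")" \
        "$(can_bind tor_t "$p" "$SESEARCH_SAMPLE" "$SEMANAGE_SAMPLE" tor_bind_all_unreserved_ports)"
done
```

On a live system, feed the functions with `sesearch -A -s tor_t -c tcp_socket -p name_bind` and `semanage port -l` output and the on-booleans from `getsebool -a | awk '$3 == "on" {print $1}'`; a port that resolves to a type with no rule is the one that produces the name_bind AVC Nusenu saw for 5000, and labelling it tor_port_t as Lukas suggests is what moves it into the allowed set.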
