tor_t: actually allowed tcp ports
nusenu
nusenu at openmailbox.org
Mon Apr 13 20:21:52 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
> If you need to bind on defined port, there is a way to make "local"
> policy with rule allowing this. To build local policy follow this:
> 1. Generate AVC (in your case tor is binding to port 5000) 2. Store
> this AVC in some file. (like tor_local.txt) 3. use: $ cat
> ./tor_local.txt | audit2allow -M tor_local 4. use: # semodule -i
> tor_local.pp
I'm aware of this process but it is not applicable in an
ansible role [1] (my use case).
> Last thing, be careful with this. Make local policies when you
> know what you are allowing due to security reasons.
Yes, you definitely don't want to perform this blindly and automatically
.
I would have no problem running
semanage port -a ... $port
since the user's selected tor ports are obviously available - that would
have been a neat solution to create tailored SELinux adjustment without
the user even noticing and still working out of the box with arbitrary
ports. Probably to nice to actually work.
[1] https://github.com/nusenu/ansible-relayor
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJVLCVfAAoJEFv7XvVCELh0oY0P/0TcVMtpg/e6V8CluAybMhBv
x4YDMWCYzZ6gfYFOig/B1m1TemOuopfmAlwgb0O87LWwnVG3+LNrnC3Cm/+D5LhQ
TdUFsnRV101LbeyDbf4nVnc0Pw35m9zC9E9IA3MZCBrnou8AosXBqMigAPMQUGdA
cQzM1hMdWaVy7fEt80W6Wq8YtlhnNeFe7qpOUbELMOEkAmZG0UMh9lHHOwhfZlFE
W/2qBFTC5ImvMJKMZ8oVGs+RSKUkVny3dOebCvvKvmsxJzFxVraIHKMax7RecVbT
Td70u1Ulke9BqlzI9si2cPH33xbbqeV0pkqmXBKoeHNJugxtpEcGnWYAEEAH0Qiw
P9JxJyXGgonj/Au8eXizxXGv7+pfJG/us8bRmEAFUnpxYYJe12zczDcpwGwEn/71
puwQgDMfUODHRt9Mj/LJX5kC9dqPij4BHgVdGEvPBEgqZeBsLkWC460aGspXap0O
XXmAz2Aw1QILM5PXgybhmlmZeQW3jhKq1LsUl9vHXHgJ0I0Ry10LLcgDTtJ2FIGv
NKlR6j91PI9wtzf5DkUuL8Rgj15ITlZVBwmEpWK3Pde4PqoBz4OJbzjYbWshh3KV
LuZGTUaI+Y4ef3Y7cJ2a58GZ+1vHfep7f9WMH+XeYzVbN1MHYQHylzAfzk/YM6Wt
smkiTlosQ4+lTIdDFZWz
=rFg3
-----END PGP SIGNATURE-----
More information about the selinux
mailing list