httpd and tcp_connect

Daniel J Walsh dwalsh at redhat.com
Wed Jan 24 13:58:14 UTC 2007


Wart wrote:
> I'm receiving the following avc denial from a game package that's 
> under review[1]:
>
> Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc:  
> denied  { name_connect } for  pid=2661 comm="httpd" dest=19382 
> scontext=user_u:system_r:httpd_t:s0 
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> The package includes a php-based web application and a python daemon 
> backend.  The php webapp communicates with the python daemon through 
> tcp sockets.
>
> From the avc denial it appears that this communication fails because 
> httpd is not allowed to establish tcp connections.  This seems like a 
> valid security restriction, except in this case I do want to allow it.
>
> How can I configure the httpd policy to allow tcp connections, but 
> only to localhost and only on the python daemon's ports (19380-19383)?
>
> --Wart
Ok this can be fixed in multiple different ways.

One would be to allow httpd to connect to any port
setsebool -P httpd_can_network_connect=1
This would lessen your security, since httpd would now be able to 
connect to any port

Another would be to add the ports to http_port_t via semanage
semanage port -a -t http_port_t -p tcp 19380-19383
This would be better in that http is allowed to connect to http_port_t 
by default, but now it can also bind to these additional ports.

The best solution would be to make a loadable policy module, and define 
a new port, something like

Create a te file like the following

# cat webapp.te
policy_module(webapp, 1.0);

require {
        type httpd_t;
};

# A dedicated port type for the daemon's ports.  corenet_port() gives it the
# port_type attribute, which semanage requires before it will label a port
# with this type.
type webapp_port_t;
corenet_port(webapp_port_t)

allow httpd_t webapp_port_t:tcp_socket name_connect;
# make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
# semodule -i webapp.pp
# semanage port -a -t webapp_port_t -p tcp 19380-19383
> [1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
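The loadable-module route from the reply above, as an added example script that is not from the original post or from the Fedora policy sources. It assumes a Fedora targeted-policy host with the policy development files at the Makefile path quoted in the reply and setools' `sesearch` for the final check; `corenet_port()` is included because `semanage port` only accepts types carrying the port_type attribute, and the `--run` guard keeps the privileged steps from executing unless asked for.

```shell
#!/bin/sh
# Added example (not from the original post): build and load an SELinux
# module that lets httpd_t name_connect to a dedicated port type, then
# label the daemon's port range with that type and verify the result.
set -eu
MAKEFILE=/usr/share/selinux/targeted/include/Makefile   # path from the reply

# Print the .te source for module <name>: declares <name>_port_t and lets
# <domain> connect to it.  corenet_port() adds the port_type attribute,
# which `semanage port -a -t` requires before it will use the type.
gen_te() {
    name=$1; domain=$2
    cat <<EOF
policy_module($name, 1.0)

require {
        type $domain;
};

type ${name}_port_t;
corenet_port(${name}_port_t)

allow $domain ${name}_port_t:tcp_socket name_connect;
EOF
}

# Compile <name>.te into <name>.pp, load it, and label the port range.
# Usage: install_port_module webapp httpd_t 19380-19383   (needs root)
install_port_module() {
    name=$1; domain=$2; range=$3
    gen_te "$name" "$domain" > "$name.te"
    make -f "$MAKEFILE" "$name.pp"
    semodule -i "$name.pp"
    # -a fails if the range is already labelled locally; fall back to -m (modify)
    semanage port -a -t "${name}_port_t" -p tcp "$range" 2>/dev/null \
        || semanage port -m -t "${name}_port_t" -p tcp "$range"
}

# Confirm the allow rule is in the loaded policy and the ports carry the type.
verify_port_module() {
    name=$1; domain=$2
    sesearch -A -s "$domain" -t "${name}_port_t" -c tcp_socket -p name_connect
    semanage port -l | grep "${name}_port_t"
}

if [ "${1:-}" = "--run" ]; then
    install_port_module webapp httpd_t 19380-19383
    verify_port_module webapp httpd_t
fi
```

Run it as root with `--run` to apply the module; without arguments it only defines the functions, so `gen_te webapp httpd_t` can be used to inspect the generated policy first.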