SELinux module to allow a single network port?

Stephen Smalley sds at tycho.nsa.gov
Fri Feb 15 18:33:47 UTC 2008


On Fri, 2008-02-15 at 13:26 -0500, Stephen Smalley wrote:
> On Fri, 2008-02-15 at 11:03 -0600, Chris Adams wrote:
> > I originally posted this to the RHEL5 list, but someone pointed me to
> > this list (I didn't realize there was an SELinux list).
> > 
> > I have done some minor SELinux customizations with a module, and now I'm
> > trying to do something a little more complicated.
> > 
> > I want to allow a CGI to do a "whois" lookup.  It is a perl script that
> > is attempting to open a TCP socket to port 43.  I ran audit2allow, but I
> > think the generated rule allows CGIs to open outbound sockets to any
> > port.  I'd rather just allow TCP to port 43.
> > 
> > I don't see a defined whois port type, and I don't know quite how to
> > define it myself in a module.
> > 
> > Help?
> 
> Possibly something like this:
> 
> $ vi whois.te
> policy_module(whois, 1.0)

You'd also need a require statement here, à la:
require {
	attribute port_type;
}

> type whois_port_t, port_type;
> :wq
> $ make -f /usr/share/selinux/devel/Makefile whois.pp
> $ su
> # semodule -i whois.pp
> # semanage port -a -t whois_port_t -p tcp 43
> 
-- 
Stephen Smalley
National Security Agency
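The module sketched above, filled out as an added example (not Stephen's or the list's own text): it assumes the CGI runs in the httpd_sys_script_t domain (Fedora's default for CGI scripts) and grants only name_connect to the new port type, so the CGI reaches tcp/43 and nothing else.

```shell
#!/bin/sh
# Added example: complete whois.te built from the thread's fragments.
# Assumption: the CGI runs as httpd_sys_script_t (Fedora/RHEL default).
set -e

# Emit the policy source: the require block, the new port type, and a
# single name_connect rule scoped to that type.
gen_whois_te() {
    cat <<'EOF'
policy_module(whois, 1.0)

require {
	attribute port_type;
	type httpd_sys_script_t;
	class tcp_socket name_connect;
}

# Port type from the thread; semanage binds it to tcp/43 after loading.
type whois_port_t, port_type;

# CGI scripts may connect only to ports labelled whois_port_t.
allow httpd_sys_script_t whois_port_t:tcp_socket name_connect;
EOF
}

# Build, load and label (run as root): the thread's steps plus a check.
# Not run automatically; call build_and_load_whois explicitly.
build_and_load_whois() {
    gen_whois_te > whois.te
    make -f /usr/share/selinux/devel/Makefile whois.pp
    semodule -i whois.pp
    semanage port -a -t whois_port_t -p tcp 43
    # Confirm the port label exists before testing the CGI.
    semanage port -l | grep '^whois_port_t'
}

# Number of allow rules in the generated source; should stay at 1 so the
# module never silently widens to "any port" like the audit2allow output.
count_allow_rules() {
    gen_whois_te | grep -c '^allow '
}
```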