httpd and tcp_connect

Daniel J Walsh dwalsh at redhat.com
Fri Jan 26 22:28:06 UTC 2007


Wart wrote:
> Daniel J Walsh wrote:
>> The best solution would be to make a loadable policy module, and 
>> define a new port,  something like
>>
>> Create a te file like the following
>>
>> #cat webapp.te
>> policy_module(webapp, 1.0);
>>
>> require {
>>        type httpd_t;
>>
>> };
>>
>> type webapp_port_t;
>>
>> allow httpd_t webapp_port_t:tcp_socket name_connect;
>> # make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
>> # semodule -i webapp.pp
>> # semanage port -a -t webapp_port_t -p tcp 19380-19383
>
> Thanks for the tip.  This worked just fine.  Now that I have a working 
> policy for this server + web application, I'm trying to get it all 
> packaged up nicely.  I've got a policy that works, but to package it 
> properly I'd have to split up rules between the webapp component and 
> the server component, with dependencies between them.  I'm sure with 
> some more work I could do this, but it starts to become trickier to 
> package.  It seems like it would be much easier to manage if it were 
> all part of the upstream selinux reference policy instead.
>
> What is the best way to go about submitting new policies to be 
> included in the reference policy?
>
> --Mike
>
Submit it as a patch to the selinux at tycho.nsa.gov mailing list, and 
request that it get upstreamed.
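As an added example (not from the thread or from Dan's policy), a small Python pre-flight check for the `semanage port -a -t webapp_port_t -p tcp 19380-19383` step: it parses `semanage port -l` output and reports any existing label whose range overlaps the one you are about to add, so a collision with a port the policy already labels is caught before the module goes in. The listing below is a constructed sample so the check runs offline.

```python
# Constructed sample of `semanage port -l` output (not from a real host).
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 8118
mysqld_port_t                  tcp      1186, 3306
reserved_port_t                tcp      1-511
ssh_port_t                     tcp      22
"""


def parse_port_list(text):
    """Return (type, proto, low, high) tuples from `semanage port -l` output."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[1] not in ("tcp", "udp"):
            continue  # header, blank or malformed row
        ptype, proto, ports = parts
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            entries.append((ptype, proto, int(low), int(high or low)))
    return entries


def parse_range(spec):
    """'19380-19383' -> (19380, 19383); a single port gives low == high."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return low, high


def conflicts(entries, proto, spec):
    """Existing labels whose range overlaps spec on the given protocol."""
    low, high = parse_range(spec)
    return [(t, l, h) for t, p, l, h in entries
            if p == proto and l <= high and h >= low]


def semanage_add_cmd(port_type, proto, spec):
    """The semanage invocation from the thread, parameterised."""
    parse_range(spec)  # fail early on a malformed range
    return ["semanage", "port", "-a", "-t", port_type, "-p", proto, spec]


if __name__ == "__main__":
    # On a real host, feed the output of `semanage port -l` in place of the sample.
    for spec in ("19380-19383", "8080"):
        clash = conflicts(parse_port_list(SAMPLE_PORT_LIST), "tcp", spec)
        print(spec, "no overlap" if not clash else f"overlaps {clash}")
```

Running it against the sample reports the thread's 19380-19383 range as free and 8080 as already held by `http_cache_port_t`.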
More information about the fedora-selinux-list mailing list