httpd and tcp_connect
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 26 22:28:06 UTC 2007
Wart wrote:
> Daniel J Walsh wrote:
>> The best solution would be to make a loadable policy module, and
>> define a new port, something like
>>
>> Create a te file like the following
>>
>> #cat webapp.te
>> policy_module(webapp, 1.0);
>>
>> require {
>> type httpd_t;
>>
>> };
>>
>> type webapp_port_t;
>>
>> allow httpd_t webapp_port_t:tcp_socket name_connect;
>> # make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
>> # semodule -i webapp.pp
>> # semanage port -a -t webapp_port_t -p tcp 19380-19383
>
> Thanks for the tip. This worked just fine. Now that I have a working
> policy for this server + web application, I'm trying to get it all
> packaged up nicely. I've got a policy that works, but to package it
> properly I'd have to split up rules between the webapp component and
> the server component, with dependencies between them. I'm sure with
> some more work I could do this, but it starts to become trickier to
> package. It seems like it would be much easier to manage if it were
> all part of the upstream selinux reference policy instead.
>
> What is the best way to go about submitting new policies to be
> included in the reference policy?
>
> --Mike
>
Submit it as a patch to the selinux at tycho.nsa.gov mailing list, and
request that it get upstreamed.
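The module Daniel sketches above, written out as a script you can keep with the package: this is an added example, not code from the thread. It assumes the refpolicy `corenet_port()` interface (which gives the new type the `port_type` attribute), the newer `/usr/share/selinux/devel/Makefile` path, setools' `sesearch`, and root on an SELinux host for the install and verify steps.

```shell
# Added example (not from the thread): generate, build, load and verify an SELinux
# module letting httpd_t connect to a custom TCP port range. Assumptions:
# refpolicy's corenet_port() interface, the devel Makefile path, root + setools.
set -eu
MOD=webapp
PORTS=19380-19383

# Write the type-enforcement source for the module into the given directory.
write_webapp_te() {
    cat > "$1/$MOD.te" <<'EOF'
policy_module(webapp, 1.0)
require { type httpd_t; }
# corenet_port() gives the new type the port_type attribute, so semanage port
# accepts it and the generic corenet port rules in refpolicy apply to it.
type webapp_port_t;
corenet_port(webapp_port_t)
# Let the web server open outbound connections to the webapp port.
allow httpd_t webapp_port_t:tcp_socket name_connect;
EOF
}

# Build with the refpolicy devel Makefile, load the module, label the ports.
build_and_install() {
    make -C "$1" -f /usr/share/selinux/devel/Makefile "$MOD.pp"
    semodule -i "$1/$MOD.pp"
    semanage port -a -t webapp_port_t -p tcp "$PORTS"
}

# Confirm both the port label and the allow rule are in the loaded policy.
verify_install() {
    semanage port -l | grep -q "^webapp_port_t .*$PORTS" || return 1
    sesearch --allow -s httpd_t -t webapp_port_t -c tcp_socket -p name_connect |
        grep -q name_connect
}

# Only touch the running system when the SELinux toolchain is present and we are root.
if command -v semodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    d=$(mktemp -d)
    write_webapp_te "$d"
    build_and_install "$d"
    verify_install && echo "webapp module installed and verified"
fi
```

Keeping the generated `.te` and this script together is also what makes the later split into a server module and a webapp module manageable: each package ships its own `.te` and the `require` block records the dependency.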