Re: httpd and tcp_connect

Wart wrote:
I'm receiving the following avc denial from a game package that's under review[1]:

Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied { name_connect } for pid=2661 comm="httpd" dest=19382 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

The package includes a php-based web application and a python daemon backend. The php webapp communicates with the python daemon through tcp sockets.

From the avc denial it appears that this communication fails because httpd is not allowed to establish tcp connections. This seems like a valid security restriction, except in this case I do want to allow it.

How can I configure the httpd policy to allow tcp connections, but only to localhost and only on the python daemon's ports (19380-19383)?

OK, this can be fixed in multiple different ways.

One would be to allow httpd to connect to any port:
setsebool -P httpd_can_network_connect=1
This would lessen your security, since httpd would now be able to connect to any port.

Another would be to add the ports to http_port_t via semanage:
semanage port -a -t http_port_t -p tcp 19380-19383
This would be better in that httpd is allowed to connect to http_port_t by default, but now it can also bind to these additional ports.

The best solution would be to make a loadable policy module and define a new port type, something like the following.

Create a te file like this:

# cat webapp.te
policy_module(webapp, 1.0)

require {
       type httpd_t;
}

# New port type for the daemon's ports; corenet_port() gives it the
# port_type attribute so that semanage port will accept it.
type webapp_port_t;
corenet_port(webapp_port_t)

# Grant only name_connect on this one port type, nothing broader.
allow httpd_t webapp_port_t:tcp_socket name_connect;

# make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
# semodule -i webapp.pp
# semanage port -a -t webapp_port_t -p tcp 19380-19383
[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972
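An added triage helper, not code from this thread: it parses kernel AVC lines like the one quoted above and reports whether a denial is the expected httpd-to-daemon connect that the webapp_port_t module is meant to cover, or something that still needs looking at. The sample lines are constructed (the first copies the quoted denial, the second is made up), and the 19380-19383 range is the one from the question.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Kernel AVC denial: "avc: denied { perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcDenial:
    perms: Tuple[str, ...]     # e.g. ("name_connect",)
    comm: str                  # process name, e.g. httpd
    stype: str                 # source type from scontext, e.g. httpd_t
    ttype: str                 # target type from tcontext, e.g. port_t
    tclass: str                # object class, e.g. tcp_socket
    dest_port: Optional[int]   # dest= field, present for socket denials

def parse_avc(line: str) -> AvcDenial:
    """Parse one kernel AVC denial line into its security-relevant fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    perms = tuple(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    dest = int(fields["dest"]) if "dest" in fields else None
    return AvcDenial(perms, fields.get("comm", ""), stype, ttype, fields["tclass"], dest)

def is_expected_webapp_connect(d: AvcDenial, ports=range(19380, 19384)) -> bool:
    """True only for the denial the module fixes: httpd_t doing a TCP name_connect
    to a daemon port still carrying the generic port_t label (pre-semanage)."""
    return (d.stype == "httpd_t" and d.tclass == "tcp_socket"
            and d.perms == ("name_connect",) and d.ttype == "port_t"
            and d.dest_port in ports)

# Constructed samples: the first mirrors the denial quoted in the thread, the
# second is a made-up httpd connect to SMTP that the module must not cover.
SAMPLE_WEBAPP = ('Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied { name_connect } '
                 'for pid=2661 comm="httpd" dest=19382 scontext=user_u:system_r:httpd_t:s0 '
                 'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')
SAMPLE_SMTP = ('Jan 21 10:56:02 localhost kernel: audit(1169405762.101:4): avc: denied { name_connect } '
               'for pid=2661 comm="httpd" dest=25 scontext=user_u:system_r:httpd_t:s0 '
               'tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket')

if __name__ == "__main__":
    for line in (SAMPLE_WEBAPP, SAMPLE_SMTP):
        d = parse_avc(line)
        verdict = "covered by webapp_port_t" if is_expected_webapp_connect(d) else "NOT covered, investigate"
        print(f"{d.comm} ({d.stype}) -> port {d.dest_port} ({d.ttype}): {verdict}")
```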

