httpd and tcp_connect

Wart wart at kobold.org
Fri Jan 26 06:03:47 UTC 2007


Daniel J Walsh wrote:
> The best solution would be to make a loadable policy module, and define 
> a new port,  something like
> 
> Create a te file like the following
> 
> #cat webapp.te
> policy_module(webapp, 1.0);
> 
> require {
>        type httpd_t;
> 
> };
> 
> type webapp_port_t;
> 
> allow httpd_t webapp_port_t:tcp_socket name_connect;
> # make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
> # semodule -i webapp.pp
> # semanage port -a -t webapp_port_t -p tcp 19380-19383

Thanks for the tip.  This worked just fine.  Now that I have a working 
policy for this server + web application, I'm trying to get it all 
packaged up nicely.  I've got a policy that works, but to package it 
properly I'd have to split up rules between the webapp component and the 
server component, with dependencies between them.  I'm sure with some 
more work I could do this, but it starts to become trickier to package.
It seems like it would be much easier to manage if it were all part of 
the upstream selinux reference policy instead.

What is the best way to go about submitting new policies to be included 
in the reference policy?

--Mike
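As an added example that is not part of the original thread: a small POSIX shell script that turns the quoted steps into something repeatable. It generates the .te source, and checks `semanage port -l` output to confirm the port range really carries the new label (the thing that quietly fails when the type was not accepted). The function names and the sample listing are constructed; the `corenet_port()` line is an assumption for current refpolicy-based policy and semanage, which reject a port type lacking the port_type attribute.

```shell
#!/bin/sh
# Added example, not code from the thread. Build an httpd->webapp port module
# and verify the labeling, rather than trusting that each command succeeded.
set -eu

# Emit the module source. corenet_port() gives webapp_port_t the port_type
# attribute; current semanage refuses "port -a" for a type without it
# (assumption: refpolicy-based distro policy, e.g. Fedora targeted).
gen_webapp_te() {
    cat <<'EOF'
policy_module(webapp, 1.0)

require {
    type httpd_t;
}

type webapp_port_t;
corenet_port(webapp_port_t)

# Let Apache initiate outbound TCP connections only to the webapp's ports.
allow httpd_t webapp_port_t:tcp_socket name_connect;
EOF
}

# Read "semanage port -l" on stdin; succeed if PORT/PROTO is labeled TYPE.
# Handles both single ports and "low-high" ranges in the comma-separated list.
port_labeled() {
    type_=$1 proto=$2 port=$3
    awk -v t="$type_" -v p="$proto" -v n="$port" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)
                split(r, b, "-")
                lo = b[1]; hi = (b[2] == "") ? b[1] : b[2]
                if (n + 0 >= lo + 0 && n + 0 <= hi + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of "semanage port -l" output (not captured from a host).
SAMPLE_PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
webapp_port_t                  tcp      19380-19383'

# Build, load and label; needs root and the policy headers. Newer systems ship
# the Makefile as /usr/share/selinux/devel/Makefile instead of the path below.
build_and_load() {
    gen_webapp_te > webapp.te
    make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
    semodule -i webapp.pp
    semanage port -a -t webapp_port_t -p tcp 19380-19383
    semanage port -l | port_labeled webapp_port_t tcp 19381
}
```

Run `build_and_load` as root on the target host; a non-zero exit from the last line means the range is not labeled and httpd will still be denied name_connect.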




More information about the fedora-selinux-list mailing list