On Wed, 2012-09-05 at 16:43 -0400, Nalin Dahyabhai wrote:
> On Wed, Aug 29, 2012 at 08:48:32AM -0400, Ade Lee wrote:
> > Incidentally, I ran this in permmissive selinux mode.  The following
> > rules are required to be added:
> > 
> > #============= certmonger_t ==============
> > corenet_tcp_connect_http_cache_port(certmonger_t)
> > files_read_var_lib_symlinks(certmonger_t)
> 
> On my system, "semanage port -l" shows me:
>  http_cache_port_t              tcp      8080, 8118, 10001-10010
> 
> Are these ports already labeled this way for Dogtag, or is it a
> coincidental overlap with some other package?  If it's an overlap,
> it might be better to switch to using ports which aren't already labeled
> for use in policy that applies to some other package.
> 
We have specifically chosen to use what would be the default ports for
tomcat.  These ports are already labeled as you have described above.
We have adjusted our selinux policy to handle that.  In fact, we are now
extending a tomcat selinux domain provided by the system policies, and
this tomcat domain allows access to those ports.
  
> If not, please open a bug against the selinux-policy component to get
> these accesses added to the set that's allowed by the default policy.
> 
I can open a bug.

> Nalin


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to