On Thu, Dec 01, 2016 at 10:24:21AM +0000, Robert Sharp wrote:
> I've looked at the Gentoo SELinux web pages etc, the SELinux Handbook
> and through the Reference Policy and I cannot find the answer to a
> simple question.
> I am writing a small policy for my backup system and I want to be able
> to a) access a MongoDB running on remote servers, and b) use rsync. I
> can see two AVCs relating to my port use and I know how I can fix the
> problem from the command line, but surely I should be able to address
> this in the policy? I think there is an rsync interface I need to call
> (rsync_entry_type(mytype_t)) and I assume this will run rsync in the
> right domain?
> Mongo has a policy but the only interface is admin. All I need to do
> locally is connect to the port. Can I use "portcon" in a policy to do
> this or do I need to do something else?
> Robert Sharp
What port number is it using? Does that port already have a label? If it
does then you use the corenet stuff, e.g.:
corenet_tcp_connect_mysqld_port(foo_t) would allow foo_t to connect to

# semanage port -l | grep mysql
mysqld_port_t tcp 1186, 3306, 63132-63164
If there is no good label on the port currently, you can define your own
with semanage port, or it can be added to the base policy. Because of
the way pp files work, you cannot do portcon in a module. If there is a
port that is missing a label, we can add it to the base in both refpol
and Gentoo's policy.
Look at policy/modules/kernel/corenetwork.te.in in the policy for
adding a new one.
As for rsync, if you want your script to be able to run it without
changing domain, you probably want rsync_exec(); if you want to transition
to rsync_t, then rsync_domtrans().
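Pulling the advice above together, here is an added example of what the backup domain's .te file could look like (not from the thread or the reference policy; the module name, type names and the assumption that MongoDB's port is labeled mongod_port_t are mine, so check the label with semanage port -l first):

```selinux
policy_module(mybackup, 1.0.0)

########################################
#
# Declarations
#

type mybackup_t;
type mybackup_exec_t;
init_daemon_domain(mybackup_t, mybackup_exec_t)

########################################
#
# Local policy
#

# Outbound TCP to the remote MongoDB servers. The port must already carry a
# label in the loaded policy; mongod_port_t is assumed here, verify it with
# "semanage port -l | grep mongo". corenet_tcp_connect_*_port() is generated
# for every port labeled in corenetwork.te.in; a raw portcon statement is
# not permitted in a loadable module, so use the interface instead.
allow mybackup_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(mybackup_t)
corenet_tcp_sendrecv_generic_node(mybackup_t)
corenet_tcp_connect_mongod_port(mybackup_t)

# If the port had no suitable label, declare a port type in this module
# and bind the number to it from the command line after loading:
#   semanage port -a -t mybackup_port_t -p tcp NNNN   (NNNN = your port)
# type mybackup_port_t;
# corenet_port(mybackup_port_t)
# allow mybackup_t mybackup_port_t:tcp_socket name_connect;

# Option A: run rsync inside mybackup_t (no domain change). The backup
# domain then needs every permission rsync itself requires.
rsync_exec(mybackup_t)

# Option B: transition to rsync_t on exec, so rsync runs under the rsync
# policy rather than inheriting mybackup_t's permissions. Use one or the
# other, not both.
# rsync_domtrans(mybackup_t)
```

Build it with the usual make -f /usr/share/selinux/strict/include/Makefile mybackup.pp and load it with semodule -i; any remaining AVCs in the audit log will show which corenet or file interfaces the domain still lacks.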