On 2009-04-22, Jeffrey 'jf' Lim <[email protected]> wrote:
>>
>> 80 obviously
>>
>> 21/23/25/81/8080....
>>
>
> hm... ftp's tricky. If you want to include 21, then you might want to
> consider 20 as well.

Ports in selinux are labeled, so to allow web-ports one would allow ports of 
type "http_port_t" which by default includes 80, 443, 488, 8008, 8009, 8443 
on RHEL5. If we define a policy for haproxy that only allows it to bind/connect
to http_port_t's, and you want it to connect to http-ports other than these, 
you can add them to the list of http_port_ts by:

        semanage port -a -t http_port_t -p tcp $portnumber

So, for the list so far I read we need to allow web, telnet, ftp and smtp. 
Maybe with only web allowed by default, and the others enabled by booleans:

        # allow using http_port_t (80, 443, 488, 8008,..):
        haproxy_bindconnect_http = on
        # allow using ftp_port_t (21) and ftp_data_port_t (20)
        haproxy_bindconnect_ftp = off
        # allow using smtp_port_t (25, 465, 587)
        haproxy_bindconnect_smtp = off
        # allow using pop_port_t (106, 109, 110, 143, 220, 993, 995, 1109)
        haproxy_bindconnect_pop = off
        # allow haproxy to bind and connect to any port
        haproxy_bindconnect_any = off


I think this boolean regime in selinux doesn't scale too well for
general services like haproxy.  I don't want to pollute it with
too many booleans..

>
>> A clear error on start up and description of how to resolve would be
>> useful I guess, but then I guess haproxy wouldn't know it was being
>> blocked by selinux policy?
>
> nope... Unless there were some kind of a "standard" way to inform an
> application (in which case, of course, the app would have to be
> programmed for that).

Yes, I think it's supposed to be up to the OS to notify the admin here 
via logs, popups or email.. I always have a 

        tail -f /var/log/audit/audit.log | grep avc

running when I install new services.. Then I immediately see if
something is denied.


> -jf (too, ha)

I was considering if two "-jf"'s might be too much, and if I should
find another ha-proxying solution since you were here first :-)


  -jf


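The procedure jf describes (check which port labels haproxy's ports carry, add the missing ones with `semanage port -a`, and watch the audit log for `avc: denied` lines) can be scripted. The block below is an added example and is not from jf's post or from the haproxy project. It works on constructed samples so it runs offline: the http_port_t entry mirrors the RHEL5 default set quoted in the post, while the http_cache_port_t entry and its 10001-10010 range are constructed only to exercise range parsing; the audit lines are constructed too, and `haproxy_t` is an assumed name for the domain the proposed policy would define. One caveat it handles: a port that already carries another label (e.g. 8080 as http_cache_port_t) must be moved with `semanage port -m`, since `-a` refuses a port that is already defined.

```shell
#!/bin/sh
# Added example, not code from the original post or from haproxy.
# Parses `semanage port -l`-style output and AVC denial lines to work out
# which `semanage port` commands are needed for a haproxy policy that is
# restricted to http_port_t.

# Constructed sample in the format `semanage port -l` prints.
# The http_port_t line is the RHEL5 default set quoted in the post; the other
# entries (and the 10001-10010 range) are constructed for this example.
SAMPLE_PORT_LIST='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
ftp_port_t                     tcp      21
ftp_data_port_t                tcp      20
smtp_port_t                    tcp      25, 465, 587'

# Constructed audit.log excerpt. haproxy_t is an assumed domain name.
SAMPLE_AUDIT='type=AVC msg=audit(1240390000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="haproxy" src=8080 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1240390000.123:456): arch=40000003 syscall=102 success=no exit=-13 comm="haproxy" exe="/usr/sbin/haproxy" subj=system_u:system_r:haproxy_t:s0 key=(null)
type=AVC msg=audit(1240390000.130:457): avc:  denied  { name_connect } for  pid=1234 comm="haproxy" dest=8081 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1240390000.140:458): avc:  denied  { read } for  pid=999 comm="httpd" name="foo" dev=sda1 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# current_type PROTO PORT -> prints the type that labels PORT (handles "lo-hi"
# ranges as semanage prints them), or nothing if the port is unlabeled.
current_type() {
    printf '%s\n' "$SAMPLE_PORT_LIST" | awk -v p="$1" -v port="$2" '
        $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i; gsub(",", "", f)
                if (f == port) { print $1; exit }
                if (index(f, "-")) {
                    split(f, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                }
            }
        }'
}

# semanage_command TYPE PROTO PORT -> the command that makes PORT a TYPE port,
# or nothing if it already is. Already-labeled ports need -m, not -a.
semanage_command() {
    cur=$(current_type "$2" "$3")
    if [ "$cur" = "$1" ]; then
        :
    elif [ -n "$cur" ]; then
        echo "semanage port -m -t $1 -p $2 $3"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
}

# missing_commands TYPE PROTO PORT... -> commands for every port not yet TYPE
missing_commands() {
    t=$1; p=$2; shift 2
    for port in "$@"; do semanage_command "$t" "$p" "$port"; done
}

# avc_denied_ports -> "permission port current_type" for each tcp port denial
# logged against comm="haproxy" in the sample audit lines
avc_denied_ports() {
    printf '%s\n' "$SAMPLE_AUDIT" | awk '
        /avc: +denied/ && /comm="haproxy"/ && /tclass=tcp_socket/ {
            i = index($0, "{"); j = index($0, "}")
            perm = substr($0, i + 1, j - i - 1); gsub(/ /, "", perm)
            port = ""
            if (match($0, /(src|dest)=[0-9]+/)) {
                port = substr($0, RSTART, RLENGTH); sub(/.*=/, "", port)
            }
            type = ""
            if (match($0, /tcontext=[^ ]+/)) {
                split(substr($0, RSTART, RLENGTH), c, ":"); type = c[3]
            }
            print perm, port, type
        }'
}

# commands_from_avc TYPE PROTO -> the semanage command for each denied port
commands_from_avc() {
    avc_denied_ports | while read -r perm port cur; do
        semanage_command "$1" "$2" "$port"
    done
}

# Stand-alone demonstration on the constructed samples.
echo "== ports haproxy should use that are not yet http_port_t =="
missing_commands http_port_t tcp 80 443 8080 8081
echo "== commands suggested by the AVC denials =="
commands_from_avc http_port_t tcp
```

On a real host, replace SAMPLE_PORT_LIST with the output of `semanage port -l` and SAMPLE_AUDIT with `grep avc /var/log/audit/audit.log`; the functions themselves do not change. Moving 8080 out of http_cache_port_t with `-m` is a system-wide decision, since every domain allowed http_cache_port_t loses that port, so review the suggested commands before running them.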