Re: [CentOS] CentOS 7, selinux and pop_port_t

2021-02-12 Thread Leon Fauster via CentOS

On 12.02.21 at 04:27, H wrote:

I am muddling my way through learning selinux when installing a webapp with 
httpd as the webserver running CentOS 7. The app allows the user to 
send/receive mail etc but it seems that I have yet to allow access to imap port 
993. So far it seems this is configured through pop_port_t but setsebool 
httpd_can_network_connect 1 does not include pop_port_t.

In the audit log I have:

type=AVC msg=audit(1613093671.415:155086): avc:  denied  { name_connect } for  pid=22431 
comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0

Yet, running the below

sesearch -A -s httpd_t -c tcp_socket -p name_connect -d -C

tells me

ET allow httpd_t pop_port_t : tcp_socket name_connect ; [ httpd_can_sendmail ]

I am obviously missing something. Does anyone know how to enable access to 
pop_port_t?




setsebool -P httpd_can_sendmail on

-P > persistent across reboots

--
Leon
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
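Added example, not part of either post: a small Python parser that takes the AVC denial and the `sesearch -C` line quoted in this thread and reports which conditional allow rules cover the denied access, together with the boolean expression printed beside each. The function names are hypothetical; it assumes literal type names (attributes are not expanded) and returns the two-letter prefix exactly as sesearch printed it.

```python
import re

# Constructed sample input: the denial and the sesearch line quoted in the thread,
# with the hard-wrapped audit record joined back into one line.
AVC_LINE = (
    'type=AVC msg=audit(1613093671.415:155086): avc:  denied  { name_connect } for  '
    'pid=22431 comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0')
SESEARCH_OUTPUT = (
    'ET allow httpd_t pop_port_t : tcp_socket name_connect ; [ httpd_can_sendmail ]\n')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(
    r'(?P<flag>[A-Z]{2})?\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<tclass>\S+)'
    r'\s+(?P<perms>\{[^}]*\}|\S+)\s*;\s*(?:\[\s*(?P<cond>[^\]]*?)\s*\])?')

def parse_avc(line):
    """Return source type, target type, class and denied permissions of an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial: %r' % line)
    # An SELinux context is user:role:type:level, so the type is the third field.
    return {'source': m.group('scontext').split(':')[2],
            'target': m.group('tcontext').split(':')[2],
            'tclass': m.group('tclass'),
            'perms': set(m.group('perms').split())}

def gating_booleans(avc_line, sesearch_output):
    """List (prefix, boolean expression) for conditional rules covering the denial."""
    # Hypothetical helper: literal type names only, prefix returned uninterpreted.
    avc = parse_avc(avc_line)
    hits = []
    for line in sesearch_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None or m.group('cond') is None:
            continue  # not an allow rule, or an unconditional one
        rule_perms = set(m.group('perms').strip('{} ').split())
        if ((m.group('src'), m.group('tgt'), m.group('tclass'))
                == (avc['source'], avc['target'], avc['tclass'])
                and avc['perms'] <= rule_perms):
            hits.append((m.group('flag'), m.group('cond')))
    return hits

if __name__ == '__main__':
    for flag, boolean in gating_booleans(AVC_LINE, SESEARCH_OUTPUT):
        print('%s: denied access is governed by [ %s ]' % (flag, boolean))
```

On a live system the first argument would come from the audit log and the second from the `sesearch` command shown in the thread.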


[CentOS] CentOS 7, selinux and pop_port_t

2021-02-11 Thread H
I am muddling my way through learning selinux when installing a webapp with 
httpd as the webserver running CentOS 7. The app allows the user to 
send/receive mail etc but it seems that I have yet to allow access to imap port 
993. So far it seems this is configured through pop_port_t but setsebool 
httpd_can_network_connect 1 does not include pop_port_t.

In the audit log I have:

type=AVC msg=audit(1613093671.415:155086): avc:  denied  { name_connect } for  
pid=22431 comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0

Yet, running the below

sesearch -A -s httpd_t -c tcp_socket -p name_connect -d -C

tells me

ET allow httpd_t pop_port_t : tcp_socket name_connect ; [ httpd_can_sendmail ]

I am obviously missing something. Does anyone know how to enable access to 
pop_port_t?
