Re: Loopback TCP connection

2018-04-27 Thread Dominick Grift
On Fri, Apr 27, 2018 at 04:42:56PM +0200, Troels Arvin wrote:
> Hello,
> 
> On Fri, Apr 27, 2018 at 4:31 PM, Stephen Smalley  wrote:
> 
> > See:
> > https://github.com/SELinuxProject/selinux-kernel/issues/21
> > https://bugzilla.redhat.com/show_bug.cgi?id=1168044
> >
> 
> OK. So currently, it's not possible to write a policy item which allows
> connections to sockets on the loopback interface only.
> 
> In that case, I'll work on a patch proposal for a boolean to activate this:
>   allow tomcat_t smtp_port_t:tcp_socket name_connect;

I think it should be possible to control egress/ingress on labeled interfaces

> 
> -- 
> Regards,
> Troels Arvin

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift




Re: Loopback TCP connection

2018-04-27 Thread Troels Arvin
Hello,

On Fri, Apr 27, 2018 at 4:31 PM, Stephen Smalley  wrote:

> See:
> https://github.com/SELinuxProject/selinux-kernel/issues/21
> https://bugzilla.redhat.com/show_bug.cgi?id=1168044
>

OK. So currently, it's not possible to write a policy item which allows
connections to sockets on the loopback interface only.

In that case, I'll work on a patch proposal for a boolean to activate this:
  allow tomcat_t smtp_port_t:tcp_socket name_connect;

-- 
Regards,
Troels Arvin


Re: Loopback TCP connection

2018-04-27 Thread Stephen Smalley
On 04/27/2018 10:23 AM, Troels Arvin wrote:
> Hello,
> 
> RHEL/CentOS 7.4 was rather disastrous for Tomcat users, because lots of 
> things which used to work suddenly broke, due to a new SELinux policy for 
> Tomcat. RHEL 7.5 has fixed most of it, because a number of commits allowed 
> Tomcat to connect to database systems and other things:
> 
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/cf1ac899006bed35c10c08a76adbbf8ce6e68443
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/e67f46aec82a897218c879e5c92e6921407b9074
> ...
> 
> But I still have a Tomcat app which has run into SELinux denials. The app
> needs to send mails, so it tries to connect to port 25. I see a number of 
> ways this could be handled, but I would prefer the following combination:
> 
>  - adjust the policy, so that by default, Tomcat is allowed to connect to
>    port 25/tcp on the loopback interface
> 
>  - and add a boolean which allows Tomcat to connect to any port 25/tcp,
>    maybe something along the lines of
>    corenet_tcp_loopback_connect_smtp(tomcat_domain)
> 
> Before I create a Bugzilla case about this for Fedora/Red Hat, I have some 
> questions:
>  - Is it possible to selectively allow an application to connect to
>    something on the loopback interface?
>  - Is the above proposal a good one, or am I overlooking something?

See:
https://github.com/SELinuxProject/selinux-kernel/issues/21
https://bugzilla.redhat.com/show_bug.cgi?id=1168044


Loopback TCP connection

2018-04-27 Thread Troels Arvin
Hello,

RHEL/CentOS 7.4 was rather disastrous for Tomcat users, because lots of
things which used to work suddenly broke, due to a new SELinux policy for
Tomcat. RHEL 7.5 has fixed most of it, because a number of commits allowed
Tomcat to connect to database systems and other things:

https://github.com/fedora-selinux/selinux-policy-contrib/commit/cf1ac899006bed35c10c08a76adbbf8ce6e68443
https://github.com/fedora-selinux/selinux-policy-contrib/commit/e67f46aec82a897218c879e5c92e6921407b9074
...

But I still have a Tomcat app which has run into SELinux denials. The app
needs to send mails, so it tries to connect to port 25. I see a number of
ways this could be handled, but I would prefer the following combination:

 - adjust the policy, so that by default, Tomcat is allowed to connect to
   port 25/tcp on the loopback interface

 - and add a boolean which allows Tomcat to connect to any port 25/tcp,
   maybe something along the lines of
   corenet_tcp_loopback_connect_smtp(tomcat_domain)

Before I create a Bugzilla case about this for Fedora/Red Hat, I have some
questions:
 - Is it possible to selectively allow an application to connect to
   something on the loopback interface?
 - Is the above proposal a good one, or am I overlooking something?

-- 
Regards,
Troels Arvin