Re: Loopback TCP connection
On Fri, Apr 27, 2018 at 04:42:56PM +0200, Troels Arvin wrote:
> Hello,
>
> On Fri, Apr 27, 2018 at 4:31 PM, Stephen Smalley wrote:
>
> > See:
> > https://github.com/SELinuxProject/selinux-kernel/issues/21
> > https://bugzilla.redhat.com/show_bug.cgi?id=1168044
> >
>
> OK. So currently, it's not possible to write a policy item which allows
> connections to sockets on the loopback interface only.
>
> In that case, I'll work on a patch proposal for a boolean to activate this:
> allow tomcat_t smtp_port_t:tcp_socket name_connect;

I think it should be possible to control egress/ingress on labeled interfaces

> --
> Regards,
> Troels Arvin

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02

Dominick Grift
Re: Loopback TCP connection
Hello,

On Fri, Apr 27, 2018 at 4:31 PM, Stephen Smalley wrote:
> See:
> https://github.com/SELinuxProject/selinux-kernel/issues/21
> https://bugzilla.redhat.com/show_bug.cgi?id=1168044

OK. So currently, it's not possible to write a policy item which allows
connections to sockets on the loopback interface only.

In that case, I'll work on a patch proposal for a boolean to activate this:
allow tomcat_t smtp_port_t:tcp_socket name_connect;

--
Regards,
Troels Arvin
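One shape the proposed boolean could take as a local refpolicy-style module, added here as an example and not code from the thread or from the Fedora policy; the module name, the boolean name tomcat_can_network_connect_smtp and the comments are assumptions, while the allow rule is the one quoted in the message above:

```selinux
# tomcat_smtp_local.te (added example; module and boolean names are assumptions)
policy_module(tomcat_smtp_local, 1.0)

## <desc>
## <p>
## Allow Tomcat to connect to SMTP servers (port 25/tcp).
## SELinux port labels do not distinguish the loopback interface,
## so this grants connections to any smtp_port_t endpoint, not
## only to localhost. Default is off.
## </p>
## </desc>
gen_tunable(tomcat_can_network_connect_smtp, false)

gen_require(`
    type tomcat_t;
    type smtp_port_t;
')

# The rule from the thread, granted only while the boolean is on.
tunable_policy(`tomcat_can_network_connect_smtp',`
    allow tomcat_t smtp_port_t:tcp_socket name_connect;
')

# Build, load and enable (selinux-policy-devel on RHEL/Fedora):
#   make -f /usr/share/selinux/devel/Makefile tomcat_smtp_local.pp
#   semodule -i tomcat_smtp_local.pp
#   setsebool -P tomcat_can_network_connect_smtp on
# With the boolean off, the connect attempt still logs an
# "avc: denied { name_connect }" event, which confirms the gate works.
```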
Re: Loopback TCP connection
On 04/27/2018 10:23 AM, Troels Arvin wrote:
> Hello,
>
> RHEL/CentOS 7.4 was rather disastrous for Tomcat users, because lots of
> things which used to work suddenly broke, due to a new SELinux policy for
> Tomcat. RHEL 7.5 has fixed most of it, because a number of commits allowed
> Tomcat to connect to database systems and other things:
>
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/cf1ac899006bed35c10c08a76adbbf8ce6e68443
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/e67f46aec82a897218c879e5c92e6921407b9074
> ...
>
> But I still have a Tomcat app which has run into SELinux-denials. The app
> needs to send mails, so it tries to connect to port 25. I see a number of
> ways this could be handled, but I would prefer the following combination:
>
> - adjust the policy, so that by default, Tomcat can allow to
> port 25/tcp on the loopback interface
>
> - and add a boolean which allows Tomcat to connect to any port 25/tcp,
> maybe something along the lines of
> corenet_tcp_loopback_connect_smtp(tomcat_domain)
>
> Before I create a Bugzilla case about this for Fedora/Red Hat, I have some
> questions:
> - Is it possible to selectively allow an application to connect to something
> on the loopback-interface?
> - Is the above proposal a good one, or am I overlooking something?

See:
https://github.com/SELinuxProject/selinux-kernel/issues/21
https://bugzilla.redhat.com/show_bug.cgi?id=1168044
Loopback TCP connection
Hello,

RHEL/CentOS 7.4 was rather disastrous for Tomcat users, because lots of
things which used to work suddenly broke, due to a new SELinux policy for
Tomcat. RHEL 7.5 has fixed most of it, because a number of commits allowed
Tomcat to connect to database systems and other things:

https://github.com/fedora-selinux/selinux-policy-contrib/commit/cf1ac899006bed35c10c08a76adbbf8ce6e68443
https://github.com/fedora-selinux/selinux-policy-contrib/commit/e67f46aec82a897218c879e5c92e6921407b9074
...

But I still have a Tomcat app which has run into SELinux-denials. The app
needs to send mails, so it tries to connect to port 25. I see a number of
ways this could be handled, but I would prefer the following combination:

- adjust the policy, so that by default, Tomcat can allow to
port 25/tcp on the loopback interface

- and add a boolean which allows Tomcat to connect to any port 25/tcp,
maybe something along the lines of
corenet_tcp_loopback_connect_smtp(tomcat_domain)

Before I create a Bugzilla case about this for Fedora/Red Hat, I have some
questions:
- Is it possible to selectively allow an application to connect to something
on the loopback-interface?
- Is the above proposal a good one, or am I overlooking something?

--
Regards,
Troels Arvin