From: Daniel J Walsh <dwalsh@redhat.com>
To: Nick Gray <nick-lists@austin.rr.com>
Cc: SELinux ML <selinux@tycho.nsa.gov>
Subject: Re: Question regarding port usage in respect to the tomcat policy
Date: Sat, 18 Dec 2004 04:59:06 -0500
Message-ID: <41C3FF6A.8000405@redhat.com>
In-Reply-To: <1103324915.32688.97.camel@hawaii.grays-systems.com>

Nick Gray wrote:

>In net_contexts I found this
>
>ifdef(`use_http_cache', `
>portcon tcp 3128  system_u:object_r:http_cache_port_t
>portcon tcp 8080  system_u:object_r:http_cache_port_t
>portcon udp 3130  system_u:object_r:http_cache_port_t
>')
>
>I needed 8080 for my tomcat tests so I stole it
>by taking it out and creating my own
>
>
>ifdef(`tomcat.te', `
>portcon tcp 8080  system_u:object_r:tomcat_port_t
>')
>
>And I added this to the tomcat.te
>
>allow tomcat_t tomcat_port_t:tcp_socket name_bind;
>
>The question is why can I access port 8443 as well?
>
>**
>
>I think I figured it out. While doing the start/fix/restart, I found
>that I needed this line as well (probably when I tried to access 8443)
>
>allow tomcat_t port_t:tcp_socket name_bind;
>  
>
No, this says that you can bind to any port.
A better solution would be:

ifdef(`tomcat.te', `
portcon tcp 8080  system_u:object_r:tomcat_port_t
portcon tcp 8083  system_u:object_r:tomcat_port_t
')


>So I am guessing that anything not labeled specifically must belong to
>this type.
>
>Nix
>
>
>  
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
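
Added example, not part of either message and not code from the SELinux policy sources: a small Python model of how the portcon labels and name_bind rules quoted in this thread decide which ports tomcat_t may bind. It assumes a port with no portcon entry gets port_t, ignores the m4 ifdef wrappers, and uses hypothetical helper names (parse_policy, port_type, can_bind).

```python
import re

# Assumption: a port with no portcon entry is labeled port_t, which is what
# Nick's guess and Dan's "any port" reply in the thread imply.
DEFAULT_PORT_TYPE = "port_t"

PORTCON = re.compile(r"portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+\w+:\w+:(\w+)")
ALLOW = re.compile(r"allow\s+(\w+)\s+(\w+):tcp_socket\s+(?:\{([^}]*)\}|(\w+))\s*;")

# Constructed from the lines quoted in the thread; m4 ifdef wrappers dropped.
NICK_POLICY = """
portcon tcp 8080  system_u:object_r:tomcat_port_t
allow tomcat_t tomcat_port_t:tcp_socket name_bind;
allow tomcat_t port_t:tcp_socket name_bind;
"""
DAN_POLICY = """
portcon tcp 8080  system_u:object_r:tomcat_port_t
portcon tcp 8083  system_u:object_r:tomcat_port_t
allow tomcat_t tomcat_port_t:tcp_socket name_bind;
"""

def parse_policy(text):
    """Return (portcon entries, {(domain, port_type)} granted name_bind)."""
    labels, binds = [], set()
    for line in text.splitlines():
        line = line.strip()
        if m := PORTCON.match(line):
            low = int(m[2])
            labels.append((m[1], low, int(m[3] or low), m[4]))
        elif m := ALLOW.match(line):
            if "name_bind" in (m[3] or m[4] or "").split():
                binds.add((m[1], m[2]))
    return labels, binds

def port_type(labels, proto, port):
    """Type of the first portcon entry covering the port, else the default."""
    for p, low, high, ptype in labels:
        if p == proto and low <= port <= high:
            return ptype
    return DEFAULT_PORT_TYPE

def can_bind(policy, domain, port, proto="tcp"):
    labels, binds = parse_policy(policy)
    return (domain, port_type(labels, proto, port)) in binds

if __name__ == "__main__":
    for name, pol in (("Nick", NICK_POLICY), ("Dan", DAN_POLICY)):
        print(name, {p: can_bind(pol, "tomcat_t", p) for p in (8080, 8083, 8443)})
```

With the port_t rule every unlabeled port is bindable; with only the tomcat_port_t rule, binding is limited to the ports that carry a tomcat_port_t portcon entry.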

Thread overview: 2+ messages
2004-12-17 23:08 Question regarding port usage in respect to the tomcat policy Nick Gray
2004-12-18  9:59 ` Daniel J Walsh [this message]
