From: Tanel Kokk <tanel.kokk@seb.ee>
To: SELinux@tycho.nsa.gov
Subject: Sendmail & SELinux policies, again
Date: Wed, 12 Apr 2006 11:03:42 +0300
Message-ID: <443CB45E.5080400@seb.ee>
Hello
Everything works fine with sendmail & SELinux most of the time. However,
sometimes SELinux on our server rejects activities such as these:
Apr 12 03:40:08 mx.internal audit(1144802408.867:9): avc: denied { recv_msg } for saddr=201.37.237.52 src=5989 daddr=192.168.xxx.xxx dest=8025 netif=eth0 scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:pegasus_https_port_t tclass=tcp_socket
Apr 12 03:40:11 mx.internal audit(1144802411.714:10): avc: denied { recv_msg } for saddr=201.37.237.52 src=5989 daddr=192.168.xxx.xxx dest=8025 netif=eth0 scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:pegasus_https_port_t tclass=tcp_socket
Apr 12 03:40:17 mx.internal audit(1144802417.727:11): avc: denied { recv_msg } for saddr=201.37.237.52 src=5989 daddr=192.168.xxx.xxx dest=8025 netif=eth0 scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:pegasus_https_port_t tclass=tcp_socket
where mx.internal [192.168.xxx.xxx] is our email gateway and dest=8025
is the port that sendmail is actually listening on (iptables transparently
forwards port 25 to 8025).
With audit2allow I get:
allow sendmail_t pegasus_https_port_t:tcp_socket recv_msg;
I found that there are some specific ports, which are defined as:
portcon tcp 5989 system_u:object_r:pegasus_https_port_t
portcon tcp 3306 system_u:object_r:mysqld_port_t
portcon tcp 5432 system_u:object_r:postgresql_port_t
portcon tcp 5988 system_u:object_r:pegasus_http_port_t
portcon tcp 3128 system_u:object_r:http_cache_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon tcp 1-1023 system_u:object_r:reserved_port_t
So as I understand it, when a source connection comes from a so-called
"specific" port (for example 5989) and goes to port 25, then this
connection will be rejected by default. What is that good for?
IMHO it is quite possible that the source port would be something like
3128, 5988 or 3306.
I just thought of adding such policies for sendmail_t:
allow sendmail_t pegasus_https_port_t:tcp_socket recv_msg;
allow sendmail_t mysqld_port_t:tcp_socket recv_msg;
allow sendmail_t postgresql_port_t:tcp_socket recv_msg;
allow sendmail_t pegasus_http_port_t:tcp_socket recv_msg;
allow sendmail_t http_cache_port_t:tcp_socket recv_msg;
Is it a good solution?
--
Tanel Kokk
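As an added example (not from the post or from the SELinux project), a small Python check that ties the pieces of this post together: it parses the quoted portcon statements and one of the AVC records above, looks up which port type labels the remote source port (src=), confirms that this is the type in the denial's tcontext, and derives the same allow rule that audit2allow printed. The first-match lookup order and the record field names are assumptions taken from the lines quoted in the post.

```python
import re

# Constructed sample: the portcon statements quoted in the post (not a full policy).
PORTCON = """
portcon tcp 5989 system_u:object_r:pegasus_https_port_t
portcon tcp 3306 system_u:object_r:mysqld_port_t
portcon tcp 5432 system_u:object_r:postgresql_port_t
portcon tcp 5988 system_u:object_r:pegasus_http_port_t
portcon tcp 3128 system_u:object_r:http_cache_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon tcp 1-1023 system_u:object_r:reserved_port_t
"""

# The first AVC record from the post, joined onto one line.
AVC = ("Apr 12 03:40:08 mx.internal audit(1144802408.867:9): avc: denied "
       "{ recv_msg } for saddr=201.37.237.52 src=5989 daddr=192.168.xxx.xxx "
       "dest=8025 netif=eth0 scontext=user_u:system_r:sendmail_t "
       "tcontext=system_u:object_r:pegasus_https_port_t tclass=tcp_socket")

PORTCON_RE = re.compile(r"^portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+\S+:\S+:(\S+)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")

def parse_portcon(text):
    """Return (proto, low, high, type) tuples; a single port becomes low == high."""
    rules = []
    for line in text.splitlines():
        m = PORTCON_RE.match(line.strip())
        if m:
            proto, low, high, ptype = m.groups()
            rules.append((proto, int(low), int(high or low), ptype))
    return rules

def port_type(rules, proto, port):
    """First portcon rule covering the port wins (assumed order); None if unlabeled here."""
    for r_proto, low, high, ptype in rules:
        if r_proto == proto and low <= port <= high:
            return ptype
    return None

def parse_avc(line):
    """Extract the permission set and the key=value fields of one AVC denial record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    return {"perms": m.group(1).split(), **fields}

def explain(rules, line):
    """Does the remote source port's label equal the tcontext type? Also derive the allow rule."""
    avc = parse_avc(line)
    proto = "tcp" if avc["tclass"] == "tcp_socket" else "udp"
    src_type = port_type(rules, proto, int(avc["src"]))
    sctx_type, tctx_type = avc["scontext"].split(":")[-1], avc["tcontext"].split(":")[-1]
    rule = f"allow {sctx_type} {tctx_type}:{avc['tclass']} {' '.join(avc['perms'])};"
    return {"src_port_type": src_type, "matches_tcontext": src_type == tctx_type, "rule": rule}
```

Running explain() over a batch of denials shows which ones are explained purely by the remote port's portcon label, which is the pattern the post is asking about.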