Hi!
I wanted vsftpd to listen on 750 or 777 port. SELinux does not like this
type=AVC msg=audit(1141840161.184:107): avc: denied { name_bind } for pid=5352 comm="vsftpd" src=777 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1141840470.444:114): avc: denied { name_bind } for pid=5495 comm="vsftpd" src=750 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:kerberos_port_t tclass=tcp_socket
I've downloaded selinux-policy-targeted-sources rpm and wanted to add this line:
portcon tcp 750 system_u:object_r:ftp_port_t
The problem is that I don't know where should it be placed. It does not work in domains/misc/local.te -- `make load' fails ;-)
OS: FC4 selinux-policy-targeted-sources: 1.27.1-2.22
Regards, Dawid
On Wed, 2006-03-08 at 19:03 +0100, Dawid Gajownik wrote:
Hi!
I wanted vsftpd to listen on 750 or 777 port. SELinux does not like this
type=AVC msg=audit(1141840161.184:107): avc: denied { name_bind } for pid=5352 comm="vsftpd" src=777 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1141840470.444:114): avc: denied { name_bind } for pid=5495 comm="vsftpd" src=750 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:kerberos_port_t tclass=tcp_socket
I've downloaded selinux-policy-targeted-sources rpm and wanted to add this line:
portcon tcp 750 system_u:object_r:ftp_port_t
The problem is that I don't know where should it be placed. It does not work in domains/misc/local.te -- `make load' fails ;-)
OS: FC4 selinux-policy-targeted-sources: 1.27.1-2.22
Needs to go in net_contexts, and put before the catchall cases for reserved_port_t.
In FC5, you'll have much nicer options for such customization via semanage without needing policy sources at all.
On 03/08/2006 07:11 PM, Stephen Smalley wrote:
Needs to go in net_contexts, and put before the catchall cases for reserved_port_t.
Thanks, it works but I wanted to avoid modifying this file. Does that mean that I will need to edit it after every selinux-policy-targeted-sources update? (I can use ftp port > 1023 so this entry wouldn't need to be placed before reserved_port_t)
In FC5, you'll have much nicer options for such customization via semanage without needing policy sources at all.
Yes, it's more user friendly :D I've just tested it on my rawhide box. semanage man page sucks a bit (no examples), so it took me a few minutes to construct this command:
semanage port -a -t ftp_port_t -p tcp 7777
Actually, it was unnecessary on FC5 ;-) It seems that SELinux policy does not block vsftpd from binding to other ports (or my system is broken?). I'm using selinux-policy-targeted-2.2.23-6 if it makes any difference.
I had to modify http_port_t to allow Apache to work on 81 port, though...
On Wed, 2006-03-08 at 20:41 +0100, Dawid Gajownik wrote:
On 03/08/2006 07:11 PM, Stephen Smalley wrote:
Needs to go in net_contexts, and put before the catchall cases for reserved_port_t.
Thanks, it works but I wanted to avoid modifying this file. Does that mean that I will need to edit it after every selinux-policy-targeted-sources update? (I can use ftp port > 1023 so this entry wouldn't need to be placed before reserved_port_t)
I think so. One of the motivations for semanage in FC5. refpolicy also makes an improvement in this area even in the source policy situation IIUC, by allowing you to scatter portcon and similar statements throughout the policy source files and have the build process extract them for final processing.
Yes, it's more user friendly :D I've just tested it on my rawhide box. semanage man page sucks a bit (no examples), so it took me a few minutes to construct this command:
semanage port -a -t ftp_port_t -p tcp 7777
Actually, it was unnecessary on FC5 ;-) It seems that SELinux policy does not block vsftpd from binding to other ports (or my system is broken?). I'm using selinux-policy-targeted-2.2.23-6 if it makes any difference.
Policy (both FC4 and FC5) appear to allow ftpd to bind to generic ports (port_t) outside of the reserved range plus the ftp data port and the ftp service port. Did you mean 777 or 7777? One would be mapped to reserved_port_t, the other to port_t.
I had to modify http_port_t to allow Apache to work on 81 port, though...
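The exchange above turns on reading the AVC record correctly: the tcontext type tells you whether the port the daemon tried to bind is unassigned (a catch-all range such as reserved_port_t or port_t, where Stephen's 777 lands) or already belongs to another service (kerberos_port_t for 750). The script below is an added example, not code from the list or from the semanage project: it parses name_bind denials like the ones Dawid posted and prints the `semanage port` command that would label the port for the daemon. It assumes the daemon-to-port-type mapping given in the thread (vsftpd to ftp_port_t, httpd to http_port_t; anything else gets a placeholder) and the behaviour of current semanage, where `-a` refuses a port that already carries a specific type and `-m` must be used instead (which also takes the port away from that other service, so it deserves a second look).

```shell
#!/bin/sh
# Added example (not from the thread or from semanage itself): map a name_bind
# AVC denial to the semanage port command that would fix it.
# Assumptions (mine): daemon->port-type table below covers only the services
# named in the thread; -a vs -m follows current semanage behaviour.

# Print the value of one key=value field of an audit record, quotes stripped.
avc_field() {
    rec=$1
    key=$2
    for tok in $rec; do
        case $tok in
            "$key="*)
                val=${tok#*=}
                val=${val#\"}
                val=${val%\"}
                printf '%s\n' "$val"
                return 0
                ;;
        esac
    done
    return 1
}

# Daemon (comm=) to the port type its domain may bind. Only the two services
# from the thread are filled in; anything else gets an obvious placeholder to
# be resolved by hand with 'semanage port -l'.
daemon_port_type() {
    case $1 in
        vsftpd|ftpd) printf 'ftp_port_t\n' ;;
        httpd)       printf 'http_port_t\n' ;;
        *)           printf 'PORT_TYPE_FOR_%s\n' "$1" ;;   # placeholder
    esac
}

# Given one AVC record, print the suggested semanage command; fail if the
# record is not a bind denial or lacks the fields we need.
avc_to_semanage() {
    rec=$1
    case $rec in
        *"{ name_bind }"*) ;;
        *) return 1 ;;
    esac
    comm=$(avc_field "$rec" comm) || return 1
    port=$(avc_field "$rec" src) || return 1
    proto=$(avc_field "$rec" tclass) || return 1
    proto=${proto%_socket}                           # tcp_socket -> tcp
    cur=$(avc_field "$rec" tcontext | cut -d: -f3)   # type of the current port label
    [ -n "$cur" ] || return 1
    case $cur in
        port_t|reserved_port_t|hi_reserved_port_t|unreserved_port_t|ephemeral_port_t)
            action=-a ;;   # catch-all range: the port is unassigned, add a label
        *)
            action=-m ;;   # already assigned to another service: must modify
    esac
    printf 'semanage port %s -t %s -p %s %s\n' \
        "$action" "$(daemon_port_type "$comm")" "$proto" "$port"
}

# Sample input: the two records from the thread plus one constructed httpd
# denial (port 81, as in Dawid's Apache remark; the audit ids are made up).
for sample in \
  'type=AVC msg=audit(1141840161.184:107): avc: denied { name_bind } for pid=5352 comm="vsftpd" src=777 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket' \
  'type=AVC msg=audit(1141840470.444:114): avc: denied { name_bind } for pid=5495 comm="vsftpd" src=750 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:kerberos_port_t tclass=tcp_socket' \
  'type=AVC msg=audit(1141900000.000:200): avc: denied { name_bind } for pid=6000 comm="httpd" src=81 scontext=root:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket'
do
    avc_to_semanage "$sample"
done
```

Run it and the first record yields `semanage port -a -t ftp_port_t -p tcp 777`, the second `semanage port -m -t ftp_port_t -p tcp 750`: the same daemon, two different answers, because 750 is already Kerberos's port in the base policy. That is exactly the distinction Stephen draws between 777 and 7777, and the reason the portcon line had to sit before the reserved_port_t catch-all in net_contexts on FC4.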
On 03/08/2006 08:56 PM, Stephen Smalley wrote:
semanage man page sucks a bit (no examples), so it took me a few minutes to construct this command:
semanage port -a -t ftp_port_t -p tcp 7777
Heh, I found this link today → http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions#head-b8a7b039fa3... :-)
Policy (both FC4 and FC5) appear to allow ftpd to bind to generic ports (port_t) outside of the reserved range plus the ftp data port and the ftp service port.
I did not know that. I thought that policy blocks binding to any port except ftp_port_t. (Yes, I did not read domains/program/ftpd.te :P )
Hmmm... would you be willing to explain to me why ftpd is allowed to bind to port_t? If it's done on purpose, why are ports 1-1023 so important that they cannot be used without policy modification?
Did you mean 777 or 7777?
I used port 777 on FC4 and 7777 one on FC5 - I did not know that it would make a difference.
Thanks for your help!
On Thu, 2006-03-09 at 23:44 +0100, Dawid Gajownik wrote:
I did not know that. I thought that policy blocks binding to any port except ftp_port_t. (Yes, I did not read domains/program/ftpd.te :P )
Hmmm... would you be willing to explain to me why ftpd is allowed to bind to port_t? If it's done on purpose, why are ports 1-1023 so important that they cannot be used without policy modification?
It has been a while since I've looked at the specifics of that policy, but I suspect that ftpd wants to bind to arbitrary unreserved ports for data connections. Whereas you'd like to keep the reserved port space clean so that e.g. ftpd doesn't masquerade as some other well-known service. OTOH, if we are now keeping all well-defined port types defined in the base policy regardless of the set of policy modules included (which wasn't originally the case), then we might not need to concern ourselves with the reserved_port_t fallback. cc'd some other folks who may have an opinion.
On 03/10/2006 03:34 PM, Stephen Smalley wrote:
It has been a while since I've looked at the specifics of that policy, but I suspect that ftpd wants to bind to arbitrary unreserved ports for data connections. Whereas you'd like to keep the reserved port space clean so that e.g. ftpd doesn't masquerade as some other well-known service.
Thanks for the explanation!
selinux@lists.fedoraproject.org