| 1 |
On Fri, Dec 02, 2016 at 12:05:50PM +0000, Robert Sharp wrote: |
| 2 |
> Mongo uses tcp on port 27017 and there is nothing defined for this in |
| 3 |
> the core policy. There is a mongodb policy in contrib but it uses |
| 4 |
> corenet_all_recvfrom_unlabeled, corenet_tcp_sendrecv_generic_if and the |
| 5 |
> likes. |
| 6 |
> |
| 7 |
> From what I can make out, semanage port will only allow me to assign a |
| 8 |
> port to an existing label? Looks like I can only define a port label in |
| 9 |
> the reference policy? What is the best way forward? If I was to add |
| 10 |
> something to corenetwork.te it would look like this, I guess: |
| 11 |
> |
| 12 |
> type mongodb_port_t, port_type, defined_port_type; |
| 13 |
> type mongodb_client_packet_t, packet_type, client_packet_type; |
| 14 |
> type mongodb_server_packet_t, packet_type, server_packet_type; |
| 15 |
> typeattribute mongodb_port_t unreserved_port_type; |
| 16 |
> portcon tcp 27017 gen_context(system_u:object_r:mongodb_port_t,s0) |
| 17 |
> |
| 18 |
> Would that then create a "corenet_tcp_connect_mongodb_port" interface? |
| 19 |
> |
| 20 |
> Incidentally, if I have a little family of apps that use use a number |
| 21 |
> of unreserved ports. Seems a little monolithic if the only way I can |
| 22 |
> integrate them is to have them included in the base policy? Luckily |
| 23 |
> they are not on the machine I am trying to get to strict atm, but they |
| 24 |
> are on the next one. |
| 25 |
|
| 26 |
I know you can't define a port mapping in the "legacy" (for lack of a better |
| 27 |
name, call it .pp or so if you want ;) approach, but can't we define a port |
| 28 |
type in a module, and then use the 'semanage port' command to map it to the |
| 29 |
right port? |
| 30 |
|
| 31 |
Another approach that works is to create your port definition with CIL. See |
| 32 |
the following two posts (the CIL code is in the first, loading in the second |
| 33 |
as the first post didn't know yet they were directly loadable): |
| 34 |
|
| 35 |
http://blog.siphos.be/2015/06/where-does-cil-play-in-the-selinux-system/ |
| 36 |
http://blog.siphos.be/2015/07/loading-cil-modules-directly/ |
| 37 |
|
| 38 |
Wkr, |
| 39 |
Sven Vermeulen |
Archives