Fixes #8989 - Add docker_port_t port and boolean #42
Force-pushed 94af1d7 to 456fbdc
Added UNIX local sockets for RHEL7+ as well.
@domcleal mind review & merge?
@@ -22,6 +22,9 @@ do | |||
/usr/sbin/semanage port -E | grep -q elasticsearch_port_t || \ | |||
echo "port -a -t elasticsearch_port_t -p tcp 9200-9300" >> $TMP | |||
|
|||
/usr/sbin/semanage port -E | grep -q docker_port_t || \ |
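Review bot: the guard on the new line only checks whether the type name docker_port_t already appears in the export, but the discussion further down in this thread notes that `port -a` also fails when the port numbers themselves are already assigned to another type; before appending the `port -a` line, also grep the export for the numbers this type will claim (2375-2376 per the commit message), so the enable script does not error out on a host where the distro or an admin has already labelled them. The same hunk should be mirrored with a matching removal in foreman-selinux-disable, as the review comment below asks.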
also update foreman-selinux-disable
Updated, good catch.
Force-pushed 456fbdc to 9618b2c
Hmmm this will conflict out once #44 is merged due to the elasticport...
@@ -64,6 +64,20 @@ gen_tunable(passenger_can_connect_all, false) | |||
|
|||
## <desc> | |||
## <p> | |||
## Determine whether passenger can connect to OpenStack via TCP |
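Review bot: the `<desc>` text on the last line of this hunk says "connect to OpenStack via TCP" for a tunable that, per the PR title and commit message, is passenger_can_connect_docker; change "OpenStack" to "Docker" here (and in the `<p>` text that follows) so the description an administrator sees for the boolean matches what it actually gates.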
Docker, and below
Copy&paste error, fixed.
Boolean passenger_can_connect_docker allows connections to newly created docker_port_t which is not yet defined in RHEL7/Fedora. This can be used when users start Docker on TCP (defaults to UNIX sockets). IANA assigned ports 2375 and 2376 for http/https communication on 2015-01-09.
Denial:
type=AVC msg=audit(1421352630.245:15331): avc: denied { name_connect } for pid=4803 comm="ruby" dest=2375 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Force-pushed 9618b2c to cfde7b4
On IRC you're suggesting there's a problem with docker_port_t, could you please explain what it is?
Sure, I've used our internal list simply because Dan and Mirek are subscribed there. Here it is: Foreman is supported both on RHEL6 and RHEL7. We ship our own policy For version 1.8 there are three services that Foreman application
In RHEL7 this is not a problem as all the ports are already defined, For RHEL6 there is a problem because non of these SELinux ports are
When I was working on moving some rules from foreman-selinux into I can think of the following situation:
I've been discussing this with Mirek from SELinux team already and it For the record, I've asked on the SELinux Fedora list as well: https://lists.fedoraproject.org/pipermail/selinux/2015-February/016591.html
Is this simply because of a possible name conflict? IIRC if the port numbers are also defined then the policies will conflict (e.g. you can't add a new port type that redefines something that's already called something else). So even if we created a custom port type we could still conflict just on the numbers unless we always removed it immediately before the distro is updated (as if that's possible!).
It's actually both: port type declaration and port number assignment. You cannot redefine a single one. My idea is to create our own type (ideally in some naming convention like
Do you mean selinux-policy itself?
Yup, that's what we've talked about on DevConf, let's see on the mailing list. |
It appears that core policy does not use semanage to define ports, they hardcode it in the policy itself. I don't want to block this, so my proposal is to merge this as is (let's define our ports) and work with them on better solution long-term. |
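The conflict the thread above describes has two halves: the type name (`docker_port_t`) and the port numbers (2375-2376) can each already be taken, and `semanage port -a` fails on either. The script below is an added example, not foreman-selinux's own enable script, showing the check a practitioner would want in front of the `port -a` line: it pulls the destination port and its current label out of an AVC denial shaped like the one in the commit message, then tests a proposed type/range against the `port -a -t TYPE -p PROTO LOW[-HIGH]` lines that `semanage port -E` emits (the format already used by the enable script). The export text and the AVC line are constructed samples; the function names are this example's own. Caveat: `semanage port -E` only lists local customizations, so to catch a type or range that the distro has since compiled into its base policy, feed the check the output of `semanage port -l` (converted to the same line shape) instead.

```shell
#!/usr/bin/env bash
# Added example (not foreman-selinux code): check a proposed SELinux port
# definition for name and number conflicts before running "semanage port -a".

# Constructed sample in the shape of "semanage port -E" output; not a real
# export from any RHEL/Fedora host.
SAMPLE_EXPORT='port -a -t elasticsearch_port_t -p tcp 9200-9300
port -a -t http_port_t -p tcp 8008
port -a -t vnc_port_t -p tcp 5900-5999'

# Constructed AVC line with the same fields as the denial quoted in the PR.
SAMPLE_AVC='type=AVC msg=audit(1421352630.245:15331): avc: denied { name_connect } for pid=4803 comm="ruby" dest=2375 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_dest_port LINE
# Prints "PORT TYPE": the destination port from dest= and the type part of
# tcontext=. A type of port_t means the number carries no specific label
# yet, i.e. a "port -a" is needed before any allow rule can help.
avc_dest_port() {
  printf '%s\n' "$1" | awk '
    /avc: +denied/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dest=/)     { sub(/^dest=/, "", $i); port = $i }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); type = c[3] }
      }
      print port, type
    }'
}

# port_conflict EXPORT TYPE PROTO LOW HIGH
# Fields of an export line: port(1) -a(2) -t(3) TYPE(4) -p(5) PROTO(6) RANGE(7).
# Prints "type" if TYPE is already declared (name conflict), "range:<existing>"
# if an existing range on the same protocol overlaps LOW-HIGH (number
# conflict), and "ok" if "port -a -t TYPE -p PROTO LOW-HIGH" can be applied.
port_conflict() {
  local export="$1" type="$2" proto="$3" low="$4" high="$5"
  printf '%s\n' "$export" | awk -v t="$type" -v p="$proto" -v lo="$low" -v hi="$high" '
    $1 == "port" && $2 == "-a" && $4 == t { print "type"; found = 1; exit }
    $1 == "port" && $2 == "-a" && $6 == p {
      n = split($7, r, "-"); a = r[1] + 0; b = (n == 2) ? r[2] + 0 : a
      # closed intervals [a,b] and [lo,hi] overlap iff a <= hi and lo <= b
      if (a <= hi + 0 && lo + 0 <= b) { print "range:" $7; found = 1; exit }
    }
    END { if (!found) print "ok" }'
}

# Demo: what the enable script would decide for the denial in the PR.
set -- $(avc_dest_port "$SAMPLE_AVC")
echo "denied dest port $1 currently labelled $2"
echo "docker_port_t tcp 2375-2376 against sample export: $(port_conflict "$SAMPLE_EXPORT" docker_port_t tcp 2375 2376)"
echo "foo_port_t tcp 9250-9260 against sample export:    $(port_conflict "$SAMPLE_EXPORT" foo_port_t tcp 9250 9260)"
```

In the enable script the "ok" result is the only one that should be followed by appending the `port -a` line; a "type" result means the distro (or a previous run) already declared the type and only the boolean is needed, and a "range:" result is the situation the thread describes where the custom definition must be dropped before the distro's own takes over.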
@domcleal - in the patch I propose to have that boolean set to true by default to help non-SELinux aware users.