Fixes #8989 - Add docker_port_t port and boolean #42
Conversation
lzap
force-pushed
the
docker-port-8989
branch
from
94af1d7
to
456fbdc
Compare
|
Added UNIX local sockets for RHEL7+ as well. |
|
@domcleal mind review & merge? |
| @@ -22,6 +22,9 @@ do | |||
| /usr/sbin/semanage port -E | grep -q elasticsearch_port_t || \ | |||
| echo "port -a -t elasticsearch_port_t -p tcp 9200-9300" >> $TMP | |||
|
|
|||
| /usr/sbin/semanage port -E | grep -q docker_port_t || \ | |||
There was a problem hiding this comment.
also update foreman-selinux-disable
lzap
force-pushed
the
docker-port-8989
branch
from
456fbdc
to
9618b2c
Compare
|
Hmmm this will conflict out once #44 is merged due to the elasticport... |
| @@ -64,6 +64,20 @@ gen_tunable(passenger_can_connect_all, false) | |||
|
|
|||
| ## <desc> | |||
| ## <p> | |||
| ## Determine whether passenger can connect to OpenStack via TCP | |||
Boolean passenger_can_connect_docker allows connections to newly created
docker_port_t which is not yet defined in RHEL7/Fedora. This can be used
when users starts Docker on TCP (defaults to UNIX sockets). IANA assigned
2375 and 2376 ports for http/https communication on 2015-01-09.
Denial:
type=AVC msg=audit(1421352630.245:15331): avc: denied { name_connect } for
pid=4803 comm="ruby" dest=2375 scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
lzap
force-pushed
the
docker-port-8989
branch
from
9618b2c
to
cfde7b4
Compare
|
On IRC you're suggesting there's a problem with docker_port_t, could you please explain what it is? |
|
Sure, I've used our internal list simply because Dan and Mirek are subscribed there. Here it is: Foreman is supported both on RHEL6 and RHEL7. We ship our own policy For version 1.8 there are three services that Foreman application
In RHEL7 this is not a problem as all the ports are already defined, For RHEL6 there is a problem because non of these SELinux ports are
When I was working on moving some rules from foreman-selinux into I can think of the following situation:
I've been discussing this with Mirek from SELinux team already and it For the record, I've asked on the SELinux Fedora list as well: https://lists.fedoraproject.org/pipermail/selinux/2015-February/016591.html |
|
Is this simply because of a possible name conflict? IIRC if the port numbers are also defined that the policies will conflict (e.g. you can't add a new port type that redefines something that's already called something else). So even if we created a custom port type we could still conflict just on the numbers unless we always removed it immediately before the distro is updated (as if that's possible!). |
|
It's actually both: port type declaration and port number assignement. You cannot redefine single one. My idea is to create our own type (ideally in some naming convention like |
Do you mean selinux-policy itself? |
|
Yup, that's what we've talked about on DevConf, let's see on the mailing list. |
|
It appears that core policy does not use semanage to define ports, they hardcode it in the policy itself. I don't want to block this, so my proposal is to merge this as is (let's define our ports) and work with them on better solution long-term. |
Boolean passenger_can_connect_docker allows connections to newly created
docker_port_t which is not yet defined in RHEL7/Fedora. This can be used when
users starts Docker on TCP (defaults to UNIX sockets). IANA assigned 2375 and
2376 ports for http/https communication on 2015-01-09.
Denial:
type=AVC msg=audit(1421352630.245:15331): avc: denied { name_connect } for
pid=4803 comm="ruby" dest=2375 scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
@domcleal - in the patch I propose to have that boolean set to
truebydefault to help non-SELinux aware users.