Thread: SELinux module to allow a single network port?

SELinux module to allow a single network port?
Chris Adams (United States), 2008-02-15 10:20:22
I have done some minor SELinux customizations with a module, and now I'm trying to do something a little more complicated.

I want to allow a CGI to do a "whois" lookup.  It is a perl script that is attempting to open a TCP socket to port 43.  I ran audit2allow, but I think the generated rule allows CGIs to open outbound sockets to any port.  I'd rather just allow TCP to port 43.

I don't see a defined whois port type, and I don't know quite how to define it myself in a module.

Help?

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list

Re: SELinux module to allow a single network port?
Steve Grubb, 2008-02-15 10:38:04
On Friday 15 February 2008 11:20:22 Chris Adams wrote:
> I have done some minor SELinux customizations with a module, and now I'm
> trying to do something a little more complicated.
>
> I want to allow a CGI to do a "whois" lookup.  It is a perl script that
> is attempting to open a TCP socket to port 43.  I ran audit2allow, but I
> think the generated rule allows CGIs to open outbound sockets to any
> port.  I'd rather just allow TCP to port 43.
>
> I don't see a defined whois port type, and I don't know quite how to
> define it myself in a module.
>
> Help?

I think Dan would be happy to help you with this if you repost on fedora-selinux-list. He and others answer any (fedora or RHEL) selinux question on that list.

Thanks,
-Steve


Re: SELinux module to allow a single network port?
Chris Adams (United States), 2008-02-15 11:03:52
Once upon a time, Steve Grubb <sgrubb@redhat.com> said:
> I think Dan would be happy to help you with this if you repost on
> fedora-selinux-list. He and others answer any (fedora or RHEL) selinux
> question on that list.

Thanks, I've subscribed and posted over there.  I didn't realize there was a dedicated SELinux list.
-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
