Best way to manage custom ports in SELinux

rhel6 selinux

On RHEL 6.2, we're using httpd on a host as a front-end proxy for Tomcat on another host, and we also have mod_status configured to listen on a non-standard port to provide status info to a monitoring tool. Therefore, we need httpd to 1) establish network connections, and 2) listen on a non-standard port.

The default targeted policy (currently in permissive mode) only allows httpd to listen on a defined list of ports (semanage port -l | grep http_port_t), and won't allow httpd to make outbound network connections. aureport -a shows the AVC denials when httpd tries to bind to the custom status port, and when it tries to connect to the AJP ports on the other host.

I found two solutions, but one seems too permissive, and the other too brittle (i.e. likely to break upon policy upgrade).

"Broad" solution

I used audit2allow to generate a local policy source, then checkmodule to compile it, semodule_package to generate a policy package, and semanage to start enforcing it. I then restarted httpd, and confirmed that no AVC denials were generated. The local policy generated by audit2allow used the following grant:

allow httpd_t port_t:tcp_socket { name_bind name_connect };

which allows httpd to bind to any port (not just those listed in http_port_t), and to connect to any port. The pro of this approach is that it's contained in a local policy, and won't get overridden on the next yum update. The con is that it grants broader permission than is necessary; httpd can bind and connect to any port.

"Narrow" solution

The alternative for binding is to use the following command to add our custom port to the http_port_t list:

semanage port -a -t http_port_t -p tcp (custom-port-number)

I know I can see the list of ports under http_port_t using semanage port -l | grep http_port_t, but I don't know where this list is stored, and don't know if the next yum update with a new policy will overwrite the list.

The alternative for connecting is to use the following command to create a new port list:

semanage port -a -t ajp_port_t -p tcp 9010

and then create a local policy with the following:

allow httpd_t ajp_port_t:tcp_socket { name_connect };

Just like the augmented http_port_t list, I don't know if my new ajp_port_t list will survive installation of a new targeted policy version.
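As an added example (not from the question or the answer), a POSIX shell script for the "narrow" approach: it reads `semanage port -l` output to decide whether the custom port still needs labelling (and whether -a or -m is required, since -a refuses a port another type already owns), and emits the local module source that grants only name_connect on ajp_port_t. The port list is a constructed sample, and ajp_port_t is assumed to exist as a port type, as in the question's command.

```shell
#!/bin/sh
# Constructed excerpt in the layout of `semanage port -l` (not from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
ajp_port_t                     tcp      8009
http_port_t                    tcp      80, 81, 443, 488, 8008, 8443, 9000
tomcat_port_t                  tcp      8080
unreserved_port_t              tcp      1024-65535'

# port_type_of LIST PROTO PORT: print the type that explicitly owns PROTO/PORT.
# Catch-all range types (*reserved_port_t) are skipped: a port that only falls
# in those ranges can still be added to a specific type with -a.
port_type_of() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NF >= 3 && $2 == proto && $1 !~ /reserved_port_t$/ {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i); n = split($i, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }'
}

# plan_port_cmd LIST TYPE PROTO PORT: print the semanage command that puts
# PROTO/PORT into TYPE, or nothing if it is already there. `semanage port -a`
# refuses a port another type already owns, so -m (modify) is used in that case.
plan_port_cmd() {
    owner=$(port_type_of "$1" "$3" "$4")
    if [ "$owner" = "$2" ]; then return 0; fi
    [ -n "$owner" ] && flag=-m || flag=-a
    echo "semanage port $flag -t $2 -p $3 $4"
}

# narrow_te_module NAME PORT_TYPE: policy source letting httpd_t connect only to
# ports labelled PORT_TYPE (compile with checkmodule -M -m, then semodule_package).
narrow_te_module() {
    cat <<EOF
module $1 1.0;
require {
    type httpd_t;
    type $2;
    class tcp_socket name_connect;
}
allow httpd_t $2:tcp_socket name_connect;
EOF
}

# On the host (kept as comments so this file runs without the SELinux tools):
# plan_port_cmd "$(semanage port -l)" http_port_t tcp 8082; narrow_te_module local_ajp ajp_port_t > local_ajp.te
# checkmodule -M -m -o local_ajp.mod local_ajp.te; semodule_package -o local_ajp.pp -m local_ajp.mod; semodule -i local_ajp.pp
```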

Best Answer

semanage creates new modules which are not under the control of the policy package. When the policy package is upgraded, these modules will remain and will be applied to the new policy when it is loaded.