I have an application that potentially connects to any outbound, remote TCP/UDP port. As a result, I want a way to allow all outbound TCP and UDP connections.
I understand that you can use a combination of audit2allow and semodule -i for the name_connect denies in the SELinux audit log. So far, that is my current workaround. However, it's not scalable for me to run this for each port I encounter in the future. I would like to future-proof it. I do not know the list of ports to be accessed ahead of the application's installation.
I hope that there is a configuration to open access to all. Can this configuration be extended to allow all outbound TCP and UDP ports for all applications (above I only asked about a single application)?
Worst case, I will enumerate all possible ports in .pp and .te files and install them with semodule -i once.
Example
In this case, my application wanted to connect to 8181. However, I want it to be able to connect to 0
type=AVC msg=audit(1543521403.978:2324): avc: denied { name_connect } for pid=26497 comm="java" dest=8181 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:intermapper_port_t:s0 tclass=tcp_socket
audit2allow generated:
module joseph-module 1.0;

require {
    type tomcat_t;
    type intermapper_port_t;
    class tcp_socket name_connect;
}

#============= tomcat_t ==============
# Covers only the one port label seen in the AVC (intermapper_port_t, i.e. 8181).
allow tomcat_t intermapper_port_t:tcp_socket name_connect;
Best Answer
Browsing through the existing SELinux policies, I see that there is a boolean that allows Apache to make outgoing connections to any TCP port. It looks like this:
I am sure you could adapt this, something like:
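The boolean the answer is pointing at is httpd_can_network_connect in the targeted policy; what it switches on is corenet_tcp_connect_all_ports(httpd_t), which expands to a single allow rule against the port_type attribute rather than one rule per port label. The script below, added here as an example and not part of the original question or answer, does the same thing for the tomcat_t domain from the AVC above: it emits a .te module that grants name_connect on every TCP port label, builds and installs it with the same checkmodule / semodule_package / semodule -i chain audit2allow would use, and queries the loaded policy afterwards. The module name "allports" and the tomcat_t domain are my choices; the policy build tools are assumed to be installed only when the install step is actually run.

```shell
#!/bin/sh
# Added example: one SELinux module that allows a domain to connect to every
# TCP port, instead of one audit2allow module per port encountered.
# Assumptions (not from the page): domain tomcat_t, module name "allports".

# Emit the .te source. "port_type" is the attribute refpolicy attaches to every
# port label (intermapper_port_t, http_port_t, ...), so a rule against it also
# covers labels that are added or changed later with semanage port.
allports_te() {
    domain="$1"
    module="$2"
    cat <<EOF
module ${module} 1.0;

require {
    type ${domain};
    attribute port_type;
    class tcp_socket name_connect;
}

# Same effect as refpolicy's corenet_tcp_connect_all_ports(${domain}).
# Note: udp_socket has name_bind (binding a local port) but no name_connect,
# so outbound UDP has no per-port connect check to allow here.
allow ${domain} port_type:tcp_socket name_connect;
EOF
}

# Compile .te -> .mod -> .pp and load it. Returns non-zero if the build tools
# (checkpolicy / policycoreutils) are missing, so nothing half-installed is left.
build_and_install() {
    domain="$1"
    module="$2"
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "missing $tool; install checkpolicy and policycoreutils" >&2
            return 1
        }
    done
    dir=$(mktemp -d) || return 1
    allports_te "$domain" "$module" > "$dir/$module.te"
    checkmodule -M -m -o "$dir/$module.mod" "$dir/$module.te" || return 1
    semodule_package -o "$dir/$module.pp" -m "$dir/$module.mod" || return 1
    semodule -i "$dir/$module.pp"
}

# Check: the loaded policy should now carry a name_connect rule for the domain
# on the port_type attribute (setools' sesearch is assumed to be present).
verify() {
    sesearch --allow -s "$1" -c tcp_socket -p name_connect
}

# Only touch the running policy when explicitly asked: sh allports.sh install
if [ "${1:-}" = "install" ]; then
    build_and_install tomcat_t allports && verify tomcat_t
else
    allports_te tomcat_t allports
fi
```

Run without arguments it just prints the module source for review; `sh allports.sh install` (as root) builds and loads it. Two caveats a practitioner should weigh before doing this: the rule removes every benefit port labelling gives for that domain, so a compromised Tomcat can reach any port the host can route to, and the one-module-for-everything variant in the question (swapping `tomcat_t` for the `domain` attribute) would do the same for every confined process on the system, which is effectively turning off network port enforcement.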