pcmoore
commented
7 years ago @wrabcak @mgrepl @rhatdan can any of you remind me of the use case for this? I vaguely remember that you needed this ability to control access to Apache's management API?
Open pcmoore opened 7 years ago
pcmoore
commented
7 years ago @wrabcak @mgrepl @rhatdan can any of you remind me of the use case for this? I vaguely remember that you needed this ability to control access to Apache's management API?
mgrepl
commented
7 years ago I believe we are talking about https://bugzilla.redhat.com/show_bug.cgi?id=1168044.
stephensmalley
commented
7 years ago Seems like a job for secmark; with that, you can already control based on both port and IP address, yes? name_connect is essentially a legacy check predating the introduction of secmark; it is strictly less expressive/flexible. In any event, even if we added support for (IP address, port number) tuples for portcon statements, it sounds like you'd end up allowing this by default anyway because httpd wants to be able to connect to any IP address that it binds, and we can't know that a priori in the default policy.
wrabcak
commented
6 years ago It looks like apache doesn't need httpd_graceful_shutdown anymore. I cannot reproduce it on my Rawhide machine. I'll contact apache developers and ask for more info but, for now We can fix BZ(1168044) by turning this boolean OFF by default.
wrabcak
commented
6 years ago Apache maintainers confirmed that this is no longer needed in Fedora27+. I'll change default value of boolean and @pcmoore I leave decision on you if we close this issue or not.
rhatdan
commented
6 years ago Well even though the primary need for this is gone, I still believe having the ability to control network addresses + ports would be a big improvement. If I could allow confined domains to connect to network ports but only over localhost...
stephensmalley
commented
6 years ago Can already be done using secmark, so maybe we ought to actually use that for once? We have all of that infrastructure sitting around essentially unused except by custom policies.
pcmoore
commented
6 years ago Using secmark is messy, and definitely not as clean as a policy-only approach.
I'm also still of the opinion that port objects should be a addr/proto/port tuple, it is much more consistent with how we networking works.
I'm happy to hear that we've resolved the Apache issue, but I'm in no hurry to close this at the moment.
Gunni
commented
6 years ago This might be related although i have not tracked down the underlying code that causes that message.
At present the SELinux network port objects only include the protocol/port information and not the traditional address/protocol/port information traditionally used to specify a network communication endpoint. This can be problematic for policy writers who wish to differentiate between the same port with different addresses; external networks vs localhost is a common example.