On 02.08.2019 01:53, Jayson Hurst wrote:
I am running into an issue using a 2fa binary through a squid proxy.
I am writing the selinux policy for the 2fa binary, but when I
attempt to access the system via ssh I am seeing the following AVC
type=AVC msg=audit(1564694436.236:1003): avc: denied { name_connect } for pid=30620 comm="starling" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0
The following will fix it for the squid proxy:
corenet_tcp_connect_squid_port(sshd_t)
But what if tomorrow I decide to use a different proxy that uses a
different port? What is the correct way to set this up so that,
regardless of what proxy is being used on whatever port, I don't have
to update my policy every time?
No clear solution, but you could use "sesearch" and "semanage port" to get further.
sesearch can list all port types to which sshd may connect:
# sesearch -s sshd_t --allow -c tcp_socket -p name_connect
Found 10 semantic av rules:
allow sshd_t pki_ca_port_t : tcp_socket { name_bind name_connect } ;
allow sshd_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t portmap_port_t : tcp_socket name_connect ;
allow daemon auth_port_t : tcp_socket name_connect ;
allow sshd_t port_t : tcp_socket { name_bind name_connect } ;
allow sshd_t reserved_port_type : tcp_socket name_connect ;
allow sshd_t kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t ocsp_port_t : tcp_socket name_connect ;
You can use "semanage port" to assign port numbers to port types.
The problem here is that no proxy server port types are in the list.
But I think the second rule listed above, mentioning "port_type", allows
sshd to connect to any port type derived from "port_type". Does
semanage port -a -t port_type -p tcp 3128
work? I didn't test it, but it may be worth a try.
Regards
Michael
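Added example, not part of either message in the thread: a small Python helper that parses the AVC record and the sesearch rule list quoted above and reports whether the denied target type (squid_port_t) is directly covered by any rule for sshd_t on tcp_socket. Attribute targets such as port_type are reported as matching candidates but are not expanded, since resolving them needs seinfo; the sample inputs are constructed from the thread.

```python
import re

# Constructed sample input: the AVC denial quoted in the thread, on one line.
AVC_LINE = ('type=AVC msg=audit(1564694436.236:1003): avc: denied { name_connect } '
            'for pid=30620 comm="starling" dest=3128 '
            'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0')

# Constructed sample input: the sesearch rules quoted in the thread, wrapped lines joined.
SESEARCH_OUTPUT = """allow sshd_t pki_ca_port_t : tcp_socket { name_bind name_connect } ;
allow sshd_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t portmap_port_t : tcp_socket name_connect ;
allow daemon auth_port_t : tcp_socket name_connect ;
allow sshd_t port_t : tcp_socket { name_bind name_connect } ;
allow sshd_t reserved_port_type : tcp_socket name_connect ;
allow sshd_t kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow sshd_t ocsp_port_t : tcp_socket name_connect ;
"""

RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

def parse_avc(line):
    """Extract the fields that matter for a port denial from an audit AVC record."""
    field = lambda key: re.search(rf"\b{key}=(\S+)", line).group(1)
    return {
        "perms": re.search(r"denied\s*\{([^}]*)\}", line).group(1).split(),
        "comm": field("comm").strip('"'),
        "dest": int(field("dest")),
        # The type is the third colon-separated field of a security context.
        "stype": field("scontext").split(":")[2],
        "ttype": field("tcontext").split(":")[2],
        "tclass": field("tclass"),
    }

def parse_rules(text):
    """Parse 'allow src tgt : class perms ;' lines into (src, tgt, class, {perms})."""
    return [(s, t, c, set((braced or single).split()))
            for s, t, c, braced, single in RULE_RE.findall(text)]

def matching_targets(denial, rules):
    """Target types or attributes whose rules grant every denied perm for this source/class."""
    return {t for s, t, c, perms in rules
            if s == denial["stype"] and c == denial["tclass"] and set(denial["perms"]) <= perms}

def directly_allowed(denial, rules):
    # Only a literal match on the target type counts; attribute targets such as
    # port_type would need seinfo to expand and are not resolved here.
    return denial["ttype"] in matching_targets(denial, rules)
```

Running it against the thread's data shows squid_port_t in no rule, while port_type and reserved_port_type appear as attribute-style targets that would have to be checked with seinfo before relying on them.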