LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Embedded & Single-board computer (https://www.linuxquestions.org/questions/linux-embedded-and-single-board-computer-78/)
-   -   SELinux: allow socat to run on unrestriced_port_t (https://www.linuxquestions.org/questions/linux-embedded-and-single-board-computer-78/selinux-allow-socat-to-run-on-unrestriced_port_t-4175707455/)

JuventusFC 02-04-2022 06:34 AM

SELinux: allow socat to run on unrestricted_port_t
 
Hi,

I'm working on an embedded distro with SELinux.

I am having this issue:

Code:

root@unknown7:~# socat openssl-listen:7777,reuseaddr stdio
2022/02/03 13:44:44 socat[2331] E bind(5, {AF=2 0.0.0.0:7777}, 16): Permission denied

While audit2allow suggests adding this line to the policy:

Code:

allow sysadm_t unreserved_port_t:tcp_socket name_bind;
But doing so makes the SELinux policy fail to compile:

Code:

| Compliling mls sysadm.mod module
| policy/modules/roles/sysadm.te:54:ERROR 'unknown type unreserved_port_t' at token ';' on line 25502:
| allow sysadm_t unreserved_port_t:tcp_socket name_bind;
| allow sysadm_t node_t:tcp_socket node_bind;
| [...]/usr/bin/checkmodule:  error(s) encountered while parsing configuration
| [...]/tmp/sysroots/x86_64-linux/usr/bin/checkmodule:  loading policy configuration from tmp/sysadm.tmp
| make: *** [tmp/sysadm.mod] Error 1
| ERROR: oe_runmake failed
| ERROR: Function failed: do_compile (log file is located at [...]/tmp/work/namc_p2041-fsl-linux/refpolicy-mls/git-r0/temp/log.do_compile.14399)
ERROR: Task 2020 ([...]/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb, do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 3770 tasks of which 3746 didn't need to be rerun and 2 failed.
Waiting for 0 running tasks to finish:

Summary: 2 tasks failed:
  [...]sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_git.bb, do_compile
  [...]/QorIQ-SDK-V2.0-20160527-yocto/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb, do_compile
Summary: There were 4 ERROR messages shown, returning a non-zero exit code.

So I ask you if:

(1) Is there a way to open all ports with SELinux? (I know that this is against the principle of having SELinux in the first place, but it's for development purposes only.)

(2) Is there any way to open only unrestricted_port_t while keeping the restriction on the other reserved_port_t?

(3) If I want to allow access to only a handful of ports (7777, 7778, etc.), how should I declare them in the policy? Should I create new .te, .fc, and .if files?

Thank you and Regards,
Luca
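Added example for the three questions above (editorial addition, not part of the thread and not code from the OP or from meta-selinux). The compile error is not about the port type being wrong: checkmodule rejects the raw allow rule because unreserved_port_t is declared in the corenetwork module, and a refpolicy module can only reference another module's types through that module's interfaces or an explicit gen_require block. audit2allow works against the already-built policy on the target, where every type is visible, so its output compiles as a standalone local module but not when pasted into sysadm.te. The fragments below use the corenetwork interfaces that refpolicy provides for exactly this; the port name "socat", the numbers 7777/7778 and the placement in sysadm.te are assumptions for illustration.

```selinux
# (2) Bind any unreserved TCP port, nothing reserved.
# Goes in policy/modules/roles/sysadm.te in place of the raw
# "allow sysadm_t unreserved_port_t:tcp_socket name_bind;" line.
# The interface carries its own gen_require(` type unreserved_port_t; ')
# so the type resolves when sysadm.mod is compiled on its own.
corenet_tcp_bind_all_unreserved_ports(sysadm_t)
# Covers the second rule audit2allow emitted (node_t:tcp_socket node_bind).
corenet_tcp_bind_generic_node(sysadm_t)

# Equivalent spelling if you really want the raw rule in sysadm.te:
# gen_require(`
# 	type unreserved_port_t;
# ')
# allow sysadm_t unreserved_port_t:tcp_socket name_bind;

# (1) Development builds only: every port, reserved ones included.
# Expands to allow sysadm_t port_type:tcp_socket name_bind; over the
# port_type attribute that every port label carries.
# corenet_tcp_bind_all_ports(sysadm_t)

# (3) Only a handful of ports: declare a dedicated port type instead of
# reusing unreserved_port_t. No new .te/.fc/.if files are needed; the
# network_port macro in policy/modules/kernel/corenetwork.te.in declares
# socat_port_t, emits a portcon for each proto/port/level triple, and the
# build generates corenet_*_socat_port() interfaces in corenetwork.if.
network_port(socat, tcp,7777,s0, tcp,7778,s0)

# Then, back in sysadm.te (or whichever domain serves these ports):
corenet_tcp_bind_socat_port(sysadm_t)
corenet_tcp_sendrecv_socat_port(sysadm_t)
```

Because corenetwork.te.in is part of the refpolicy source, in a Yocto build this change is carried as a patch to the refpolicy recipe rather than a file dropped on the target. After rebuilding and booting, two setools checks confirm the result: `seinfo --portcon 7777` should list socat_port_t for that port, and `sesearch -A -s sysadm_t -t socat_port_t -c tcp_socket -p name_bind` should print the allow rule; `sesearch -A -s sysadm_t -t reserved_port_t -c tcp_socket -p name_bind` should print nothing, which is what keeps the reserved range closed.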

shruggy 02-04-2022 06:41 AM

It's unrestricted_port_t in the title of your thread, but unreserved_port_t in the code.

