Old 02-04-2022, 06:34 AM   #1
JuventusFC
SELinux: allow socat to run on unrestricted_port_t


Hi,

I'm working on an embedded distro with SELinux.

I am having this issue:

Code:
root@unknown7:~# socat openssl-listen:7777,reuseaddr, stdio
2022/02/03 13:44:44 socat[2331] E bind(5, {AF=2 0.0.0.0:7777}, 16): Permission denied

While audit2allow suggests adding this line to policies:

Code:
allow sysadm_t unreserved_port_t:tcp_socket name_bind;

But doing so would make the SELinux policies not compile:

Code:
| Compliling mls sysadm.mod module
| policy/modules/roles/sysadm.te:54:ERROR 'unknown type unreserved_port_t' at token ';' on line 25502:
| allow sysadm_t unreserved_port_t:tcp_socket name_bind;
| allow sysadm_t node_t:tcp_socket node_bind;
| [...]/usr/bin/checkmodule:  error(s) encountered while parsing configuration
| [...]/tmp/sysroots/x86_64-linux/usr/bin/checkmodule:  loading policy configuration from tmp/sysadm.tmp
| make: *** [tmp/sysadm.mod] Error 1
| ERROR: oe_runmake failed
| ERROR: Function failed: do_compile (log file is located at [...]/tmp/work/namc_p2041-fsl-linux/refpolicy-mls/git-r0/temp/log.do_compile.14399)
ERROR: Task 2020 ([...]/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb, do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 3770 tasks of which 3746 didn't need to be rerun and 2 failed.
Waiting for 0 running tasks to finish:

Summary: 2 tasks failed:
  [...]sources/meta-selinux/recipes-security/refpolicy/refpolicy-standard_git.bb, do_compile
  [...]/QorIQ-SDK-V2.0-20160527-yocto/sources/meta-selinux/recipes-security/refpolicy/refpolicy-mls_git.bb, do_compile
Summary: There were 4 ERROR messages shown, returning a non-zero exit code.

So I ask you if:

(1) There is a way to open all ports with SELinux (I know that this is against the principle of having SELinux in the first place, but it's for development purposes only).

(2) Is there any way to open only the unrestricted_port_t while keeping the restriction on the other reserved port_t?

(3) If I want to allow accessing only a handful of ports (7777, 7778, etc.), how should I declare them in the policies? Should I create new .te, .fc, .if files?

Thank you and Regards,
Luca
 
Old 02-04-2022, 06:41 AM   #2
shruggy
It's unrestricted_port_t in the title of your thread, but unreserved_port_t in the code.
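
Added example, not part of either post: the `unknown type` error at `sysadm.te:54` is what checkmodule reports when an allow rule names a type the module neither declares nor requires. This Python script flags such names in a policy module source before a build. The sample module and its `sysadm_local` name are constructed, and it assumes the type exists elsewhere in the loaded policy, which the thread does not confirm.

```python
import re

# Constructed sample module (not from the thread): the audit2allow rule is used
# without bringing unreserved_port_t into scope.
SAMPLE_TE = """\
policy_module(sysadm_local, 1.0)
gen_require(`
    type sysadm_t;
    type node_t;
')
allow sysadm_t unreserved_port_t:tcp_socket name_bind;
allow sysadm_t node_t:tcp_socket node_bind;
"""

IDENT = r"[A-Za-z_][\w.]*"
# "type a_t;", "type a_t, b_t;" (require block) or "attribute a;" statements.
DECL = re.compile(r"^\s*(?:type|attribute)\s+([^;]+);", re.M)
# Source and target of an allow rule; either may be a { set }.
ALLOW = re.compile(r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:", re.M)


def known_types(src):
    """Names declared or required in this module source.

    Over-approximates: attributes listed after a declared type count as known.
    """
    names = set()
    for m in DECL.finditer(src):
        names.update(n for n in re.findall(IDENT, m.group(1)) if n != "alias")
    return names


def undeclared_types(src):
    """Return (line, name) for allow-rule types that are not in scope."""
    src = re.sub(r"#.*", "", src)  # drop comments, keep line numbering
    known = known_types(src)
    findings = []
    for m in ALLOW.finditer(src):
        line = src.count("\n", 0, m.start(1)) + 1
        for name in re.findall(IDENT, m.group(1) + " " + m.group(2)):
            if name != "self" and name not in known:
                findings.append((line, name))
    return findings


if __name__ == "__main__":
    for line, name in undeclared_types(SAMPLE_TE):
        print(f"line {line}: type {name} is neither declared nor required")
```

A name flagged here either needs a `type` line in the module's require block or is misspelled; the checker cannot tell which, so compare it against the types the installed policy actually defines.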
 
  

