Bug 1299154

Summary: SELinux booleans to allow httpd access to pgpkeyserver_port_t and sieve_port_t
Product: Fedora
Component: selinux-policy-targeted
Version: 23
Status: CLOSED NOTABUG
Type: Bug
Doc Type: Bug Fix
Reporter: Anthony Messina <amessina>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: dwalsh
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Linux
Last Closed: 2016-01-18 13:26:07 UTC

Description Anthony Messina 2016-01-16 17:46:54 UTC
When using httpd_can_network_connect=0, Horde (and other web applications) are unable to connect to port 11371 (pgpkeyserver_port_t) or 4190 (sieve_port_t).

I am requesting SELinux booleans to control these behaviors so we can continue using httpd_can_network_connect=0, while enabling GPG key-checking and IMAP Sieve access for web/webmail applications like Horde.

Comment 1 Daniel Walsh 2016-01-18 13:26:07 UTC
The proper way to do this is not to add booleans but to either change the labels on those ports or write custom policy for these ports.

Something like

semanage port -m -t http_port_t -p tcp 11371   # relabel TCP 11371 so the existing httpd_t -> http_port_t name_connect rule covers it

Or 

# grep port_t /var/log/audit/audit.log | audit2allow -M myhttpd   # turn the logged *_port_t AVC denials into myhttpd.te and myhttpd.pp
# semodule -i myhttpd.pp                                           # load the generated module into the running policy


Otherwise we would end up with a boolean for every possible port that apache could be configured to connect to.
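As an added example, not part of the bug report or of Dan Walsh's comment, the script below carries both of his alternatives through for the two ports named in the report: it prints the port-relabel commands (approach 1), and generates, optionally builds and loads, a hand-written policy module (approach 2) that grants httpd_t only tcp_socket name_connect on pgpkeyserver_port_t and sieve_port_t, leaving httpd_can_network_connect off. The module name myhttpd is taken from the comment; the type and class names are standard targeted-policy identifiers; checkmodule, semodule_package, semodule, getsebool and sesearch are the usual Fedora tools from checkpolicy, policycoreutils and setools. Nothing touches the system unless the script is run as root with --apply.

```shell
#!/bin/sh
# Added example: let httpd_t reach HKP (11371, pgpkeyserver_port_t) and
# ManageSieve (4190, sieve_port_t) while keeping httpd_can_network_connect=0.
# Port numbers and type names come from the bug report; "myhttpd" is the
# module name used in Dan Walsh's comment.

# Approach 1: relabel the ports as http_port_t. This is a deliberately
# broad change: every domain allowed to talk to http_port_t gains these
# ports too, and httpd may then bind them. Printed, not executed.
relabel_cmds() {
    printf '%s\n' \
        'semanage port -m -t http_port_t -p tcp 11371' \
        'semanage port -m -t http_port_t -p tcp 4190'
}

# Approach 2: a minimal custom module. Compared with the audit2allow route
# (grep port_t ... | audit2allow), this is written by hand so it contains
# exactly the two rules we want and nothing else that happened to be denied.
policy_te() {
    cat <<'EOF'
module myhttpd 1.0;

require {
    type httpd_t;
    type pgpkeyserver_port_t;
    type sieve_port_t;
    class tcp_socket name_connect;
}

# Outbound TCP connects from httpd_t (Horde under mod_php, for example)
# to the HKP and ManageSieve port types only.
allow httpd_t pgpkeyserver_port_t:tcp_socket name_connect;
allow httpd_t sieve_port_t:tcp_socket name_connect;
EOF
}

# Number of allow rules in the generated module (sanity check: must be 2).
policy_allow_count() {
    policy_te | grep -c '^allow '
}

# Build and load the module, then verify the boolean is still off and the
# rule is really in the loaded policy. Requires root on an SELinux host.
apply_policy() {
    tmpdir=$(mktemp -d) || exit 1
    policy_te > "$tmpdir/myhttpd.te"
    checkmodule -M -m -o "$tmpdir/myhttpd.mod" "$tmpdir/myhttpd.te" || exit 1
    semodule_package -o "$tmpdir/myhttpd.pp" -m "$tmpdir/myhttpd.mod" || exit 1
    semodule -i "$tmpdir/myhttpd.pp" || exit 1
    rm -rf "$tmpdir"
    getsebool httpd_can_network_connect
    sesearch -A -s httpd_t -t pgpkeyserver_port_t -c tcp_socket -p name_connect
    sesearch -A -s httpd_t -t sieve_port_t -c tcp_socket -p name_connect
}

if [ "${1:-}" = "--apply" ]; then
    apply_policy
fi
```

Run it without arguments to review the generated module (policy_te) and the relabel commands (relabel_cmds); run it with --apply as root to build and load the module. If semanage refuses to modify a port that base policy already defines, the custom module is the route that works. When using the audit2allow variant from the comment instead, read the generated myhttpd.te before semodule -i: grep port_t matches every port-related denial in the log, not only httpd's.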