1299154 – SELinux booleans to allow httpd access to pgpkeyserver_port_t and sieve_port_t

Bug 1299154 - SELinux booleans to allow httpd access to pgpkeyserver_port_t and sieve_port_t

Summary: SELinux booleans to allow httpd access to pgpkeyserver_port_t and sieve_port_t

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-16 17:46 UTC by Anthony Messina
Modified:	2016-01-18 13:26 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-01-18 13:26:07 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Anthony Messina 2016-01-16 17:46:54 UTC

When using httpd_can_network_connect=0, Horde (and other web applications) are unable to connect to port 11371 (pgpkeyserver_port_t) or 4190 (sieve_port_t).

I am requesting SELinux booleans to control these behaviors so we can continue using httpd_can_network_connect=0, while enabling GPG key-checking and imap sieve access for web/webmail applications like Horde.

Comment 1 Daniel Walsh 2016-01-18 13:26:07 UTC

The proper way to do this is not to add booleans but to either change the labels on those ports or write custom policy for these ports.

Something like

semanage port -m -t http_port_t -p tcp 11371

Or 

# grep port_t /var/log/audit/audit.log | audit2allow -M myhttpd
# semodule -i myhttpd.pp


Otherwise we would end up with a boolean for every possible port that apache could be configured to connect to.

Note You need to log in before you can comment on or make changes to this bug.