Bug 1299154 - SELinux booleans to allow httpd access to pgpkeyserver_port_t and sieve_port_t
Summary: SELinux booleans to allow httpd access to pgpkeyserver_port_t and sieve_port_t
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-01-16 17:46 UTC by Anthony Messina
Modified: 2016-01-18 13:26 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-01-18 13:26:07 UTC
Type: Bug
Embargoed:



Description Anthony Messina 2016-01-16 17:46:54 UTC
When using httpd_can_network_connect=0, Horde (and other web applications) are unable to connect to port 11371 (pgpkeyserver_port_t) or 4190 (sieve_port_t).

I am requesting SELinux booleans to control these behaviors so we can continue using httpd_can_network_connect=0, while enabling GPG key-checking and imap sieve access for web/webmail applications like Horde.

Comment 1 Daniel Walsh 2016-01-18 13:26:07 UTC
The proper way to do this is not to add booleans but to either change the labels on those ports or write custom policy for these ports.

Something like

semanage port -m -t http_port_t -p tcp 11371

Or

# grep port_t /var/log/audit/audit.log | audit2allow -M myhttpd
# semodule -i myhttpd.pp


Otherwise we would end up with a boolean for every possible port that apache could be configured to connect to.
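Added example (shell; not Daniel Walsh's code and not part of the Fedora policy): the script below parses constructed AVC denial lines of the kind the comment greps for, lists the port types httpd_t was denied name_connect to, and prints both remedies as text for review rather than executing them: the semanage relabel command from the comment, parameterised on the port, and a minimal .te module of the shape audit2allow -M would generate. The function names, the sample log lines (pids, timestamps and the unrelated sshd record are invented) and the reuse of the module name myhttpd from the comment are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the bug report or Fedora policy): triage the AVC
# denials behind this bug and turn them into the two remedies the comment
# names, printed as text for review rather than executed.

# Constructed audit.log excerpt for this example. The port types and ports
# are the ones from the report; pids, timestamps and the sshd line are
# invented, the latter to show that unrelated denials are filtered out.
SAMPLE_AVC='type=AVC msg=audit(1452966000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=11371 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pgpkeyserver_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1452966001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=4190 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sieve_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1452966002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=11371 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pgpkeyserver_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1452966003.000:459): avc:  denied  { write } for  pid=999 comm="sshd" name="config" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read AVC records on stdin; print "port_type dest_port", one pair per line,
# deduplicated, for every name_connect denial whose source domain is httpd_t.
# On a live system: denied_ports < /var/log/audit/audit.log
denied_ports() {
    awk '/avc:.*denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
        port = ""; ptype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/) port = substr($i, 6)
            # tcontext=user:role:TYPE:level -> the type is the third field
            if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ptype = ctx[3] }
        }
        if (ptype != "") print ptype, port
    }' | sort -u
}

# Remedy 1, relabel: the semanage command from the comment, parameterised on
# the port. -m modifies the existing mapping (11371 already carries a label,
# so -a would be rejected). The label change is system-wide: every domain
# that may reach http_port_t can then reach this port too.
relabel_cmd() {
    printf 'semanage port -m -t http_port_t -p tcp %s\n' "$1"
}

# Remedy 2, custom policy: emit a minimal .te module granting only the denied
# permissions, the same shape audit2allow -M produces. stdin = denied_ports
# output; $1 = module name (myhttpd, as in the comment).
# To build and load on a real system:
#   checkmodule -M -m -o myhttpd.mod myhttpd.te
#   semodule_package -o myhttpd.pp -m myhttpd.mod
#   semodule -i myhttpd.pp
policy_module() {
    types=$(awk '{ print $1 }' | sort -u)
    printf 'module %s 1.0;\n\nrequire {\n    type httpd_t;\n' "$1"
    for t in $types; do printf '    type %s;\n' "$t"; done
    printf '    class tcp_socket name_connect;\n}\n\n'
    for t in $types; do
        printf 'allow httpd_t %s:tcp_socket name_connect;\n' "$t"
    done
}

# Demonstration on the constructed log
printf '%s\n' "$SAMPLE_AVC" | denied_ports
printf '%s\n' "$SAMPLE_AVC" | denied_ports | while read -r ptype port; do
    relabel_cmd "$port"
done
printf '%s\n' "$SAMPLE_AVC" | denied_ports | policy_module myhttpd
```

The custom module is the narrower of the two remedies: it grants httpd_t exactly the name_connect permissions that were denied, whereas relabeling a port into http_port_t changes what every domain on the system may do with that port.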
