Bug 1299154 - SELinux booleans to allow httpd access to pgpkeyserver_port_t and sieve_port_t
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Linux
Severity: unspecified
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2016-01-16 12:46 EST by Anthony Messina
Modified: 2016-01-18 08:26 EST
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-01-18 08:26:07 EST

Description Anthony Messina 2016-01-16 12:46:54 EST
When using httpd_can_network_connect=0, Horde (and other web applications) are unable to connect to port 11371 (pgpkeyserver_port_t) or 4190 (sieve_port_t).

I am requesting SELinux booleans to control these behaviors so we can continue using httpd_can_network_connect=0, while enabling GPG key-checking and IMAP Sieve access for web/webmail applications like Horde.
Comment 1 Daniel Walsh 2016-01-18 08:26:07 EST
The proper way to do this is not to add booleans but to either change the labels on those ports or write custom policy for these ports.

Something like

semanage port -m -t http_port_t -p tcp 11371

Or 

# grep port_t /var/log/audit/audit.log | audit2allow -M myhttpd
# semodule -i myhttpd.pp


Otherwise we would end up with a boolean for every possible port that apache could be configured to connect to.
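The two alternatives from Comment 1, scripted as an added example that is not code from the bug report or from the selinux-policy package. It assumes a Fedora/RHEL host running the targeted policy with policycoreutils, checkpolicy and setools installed; the module body is a hand-written rule set of my own (two name_connect rules for httpd_t), not the output audit2allow would generate from a particular audit.log.

```bash
#!/bin/sh
# Added example, not from the bug report or from selinux-policy. Scripts the
# two options from Comment 1: relabel the ports, or load a small custom module.
# Assumes targeted policy with httpd_t, pgpkeyserver_port_t and sieve_port_t,
# plus semanage, checkmodule, semodule_package, semodule and sesearch on PATH.
set -eu

# Option A: relabel the two ports as http_port_t so the existing httpd rules
# (which already permit name_connect to http_port_t) cover them.
# Caveat: port labels are global, so every domain that policy allows to bind or
# connect to pgpkeyserver_port_t / sieve_port_t is affected, not only httpd_t.
relabel_ports() {
    semanage port -m -t http_port_t -p tcp 11371
    semanage port -m -t http_port_t -p tcp 4190
}

# Undo Option A: drop the local customization so the policy default applies again.
restore_ports() {
    semanage port -d -p tcp 11371
    semanage port -d -p tcp 4190
}

# Option B (tighter): grant only httpd_t the name_connect permission on exactly
# those two port types, leaving the labels and httpd_can_network_connect=0 alone.
# The rule set below is my own assumption of what Horde needs, not audit2allow output.
gen_te_module() {
    cat <<'EOF'
module myhttpd 1.0;

require {
    type httpd_t;
    type pgpkeyserver_port_t;
    type sieve_port_t;
    class tcp_socket name_connect;
}

# HKP key lookups (11371) and ManageSieve (4190) from web apps running as httpd_t
allow httpd_t pgpkeyserver_port_t:tcp_socket name_connect;
allow httpd_t sieve_port_t:tcp_socket name_connect;
EOF
}

# Compile and load the module (the same pipeline audit2allow -M runs internally).
build_and_load_module() {
    dir=$(mktemp -d)
    gen_te_module > "$dir/myhttpd.te"
    checkmodule -M -m -o "$dir/myhttpd.mod" "$dir/myhttpd.te"
    semodule_package -o "$dir/myhttpd.pp" -m "$dir/myhttpd.mod"
    semodule -i "$dir/myhttpd.pp"
    rm -rf "$dir"
}

# Check the result: the boolean is still off and the two allow rules now exist.
verify() {
    getsebool httpd_can_network_connect
    sesearch -A -s httpd_t -t pgpkeyserver_port_t -c tcp_socket -p name_connect
    sesearch -A -s httpd_t -t sieve_port_t -c tcp_socket -p name_connect
}

case "${1:-}" in
    show)    gen_te_module ;;
    module)  build_and_load_module; verify ;;
    relabel) relabel_ports ;;
    restore) restore_ports ;;
    *)       echo "usage: $0 show|module|relabel|restore" >&2 ;;
esac
```

If you take the audit2allow route from Comment 1 instead, read the generated myhttpd.te before running semodule -i: a grep for port_t in audit.log also matches denials on any other port httpd (or another domain) tried to reach, and each of those would become an allow rule. Either module can be unloaded later with semodule -r myhttpd.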
