Configure SELinux to allow all outbound tcp and udp ports

joseph asked:

I have an application that potentially connects to any outbound, remote tcp/udp port. As a result, I want a way to allow all outbound tcp and udp connections.

I understand that you can use a combination of audit2allow and semodule -i for the name_connect denies in the selinux audit log. So far, that is my current workaround. However, it’s not scalable for me to run this for each port I encounter in the future. I would like to future-proof it. I do not know the list of ports to be accessed ahead of the application’s installation.

I hope that there is a configuration to open access to all. Can this configuration extend to allow all outbound tcp, udp ports for all applications (above I only requested for a fixed application)?

Worst case, I will enumerate all possible ports in .pp and .te files and install them with semodule -i once.

Example

In this case, my application wanted to connect to 8181. However, I want it to be able to connect to 0.

type=AVC msg=audit(1543521403.978:2324): avc:  denied  { name_connect } for  pid=26497 comm="java" dest=8181 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:intermapper_port_t:s0 tclass=tcp_socket

audit2allow generated:

module joseph-module 1.0;

require {
    type tomcat_t;
    type intermapper_port_t;
    class tcp_socket name_connect;
}

#============= tomcat_t ==============
allow tomcat_t intermapper_port_t:tcp_socket name_connect;

My answer:


Browsing through the existing SELinux policies, I see that there is a boolean that allows Apache to make outgoing connections to any TCP port. It looks like this:

# sesearch -s httpd_t -A -p name_connect -b httpd_can_network_connect
allow httpd_t port_type:tcp_socket name_connect; [ httpd_can_network_connect ]:True

I am sure you could adapt this, something like:

allow tomcat_t port_type:tcp_socket name_connect;
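As an added example (not part of the original answer), here is a complete module built around that rule, including the `attribute port_type;` line the require block needs, the compile/load steps and a sesearch check; the module name, working directory and `--install` flag are assumptions, and the script is meant to be run as root on the SELinux host.

```shell
#!/bin/sh
# Added example: grant tomcat_t name_connect on every port type, then
# build, load and verify the module. Module name and paths are assumed.
set -eu

MODULE=tomcat_any_tcp_connect            # assumed module name
WORKDIR=${WORKDIR:-/tmp/selinux-$MODULE} # assumed scratch directory

# Write the Type Enforcement source. 'port_type' is the attribute that
# every *_port_t type carries, so one rule covers ports labelled today
# and ports added by future policy updates. udp_socket has no
# name_connect permission, so outbound UDP needs no equivalent rule.
write_te() {
    cat > "$1" <<EOF
module $MODULE 1.0;

require {
    type tomcat_t;
    attribute port_type;
    class tcp_socket name_connect;
}

# Outbound TCP to any labelled port, for tomcat_t only (not all domains).
allow tomcat_t port_type:tcp_socket name_connect;
EOF
}

# Compile and load the module (needs checkpolicy and policycoreutils).
build_and_install() {
    checkmodule -M -m -o "$WORKDIR/$MODULE.mod" "$WORKDIR/$MODULE.te"
    semodule_package -o "$WORKDIR/$MODULE.pp" -m "$WORKDIR/$MODULE.mod"
    semodule -i "$WORKDIR/$MODULE.pp"
}

# Confirm the rule is in the loaded policy; expect the allow line above.
verify() {
    sesearch -A -s tomcat_t -t port_type -c tcp_socket -p name_connect
}

main() {
    mkdir -p "$WORKDIR"
    write_te "$WORKDIR/$MODULE.te"
    build_and_install
    verify
}

if [ "${1:-}" = "--install" ]; then
    main
fi
```

Re-running the sesearch line after a future policy update is a cheap way to confirm the grant survived, and the module can be removed with `semodule -r` if the application's port list is later pinned down.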

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.