On Thu, Dec 01, 2016 at 10:24:21AM +0000, Robert Sharp wrote:
> Hi,
>
> I've looked at the Gentoo SELinux web pages etc., the SELinux Handbook
> and through the Reference Policy and I cannot find the answer to a
> simple question.
>
> I am writing a small policy for my backup system and I want to be able
> to a) access a MongoDB running on remote servers, and b) use rsync. I
> can see two AVCs relating to my port use and I know how I can fix the
> problem from the command line, but surely I should be able to address
> this in the policy? I think there is an rsync interface I need to call
> (rsync_entry_type(mytype_t)) and I assume this will run rsync in the
> right domain?
>
> Mongo has a policy but the only interface is admin. All I need to do
> locally is connect to the port. Can I use "portcon" in a policy to do
> this or do I need to do something else?
>
> Thanks,
>
> Robert Sharp
What port number is it using? Does that port already have a label? If it does, then you use the corenet stuff, e.g.:

corenet_tcp_connect_mysqld_port(foo_t)

would allow foo_t to connect to these ports:

# semanage port -l | grep mysql
mysqld_port_t                  tcp      1186, 3306, 63132-63164

If there is no good label on the port currently, you can define your own with semanage port, or it can be added to the base policy. Because of the way pp files work, you cannot do portcon in a module. If there is a port that is missing a label, we can add it to the base in both refpol and Gentoo's policy. Look at policy/modules/kernel/corenetwork.te.in in the policy for adding a new one.

As for rsync, if you want your script to be able to run it without changing domain, you probably want rsync_exec(); if you want to transition to rsync_t, then rsync_domtrans().

-- 
Jason
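As an added example (not code from either message), a POSIX sh helper for the first step Jason describes: checking whether a port already carries a label in `semanage port -l` output, including ports that fall inside a listed range, and deriving from that label the corenet connect interface to call in the module (mysqld_port_t -> corenet_tcp_connect_mysqld_port, the refpolicy naming convention the reply relies on). The listing is a constructed sample; the mongod_port_t and rsync_port_t lines are assumptions about what a host would show.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host);
# the mysqld line mirrors the one quoted in the thread, the others are assumed.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
mongod_port_t                  tcp      27017-27019, 28017-28019
mysqld_port_t                  tcp      1186, 3306, 63132-63164
rsync_port_t                   tcp      873
rsync_port_t                   udp      873'
# Override with PORT_LISTING="$(semanage port -l)" to inspect the running system.
PORT_LISTING=${PORT_LISTING:-$SAMPLE_PORTS}

# port_label PROTO PORT: print the port type labelling PROTO/PORT, or
# "unlabeled" if no line of the listing covers it (single ports and lo-hi ranges).
port_label() {
    proto=$1; port=$2; found=unlabeled
    while read -r type p rest; do
        [ "$p" = "$proto" ] || continue
        # the port column is a comma-separated list of numbers or lo-hi ranges
        for item in $(printf '%s' "$rest" | tr ',' ' '); do
            case $item in
                *-*) lo=${item%-*}; hi=${item#*-} ;;
                *)   lo=$item; hi=$item ;;
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                found=$type; break 2
            fi
        done
    done <<EOF
$PORT_LISTING
EOF
    printf '%s\n' "$found"
}

# connect_interface PROTO PORT: the corenet interface a module would call to
# connect to that port, derived from the label by the refpolicy convention
# (<name>_port_t -> corenet_<proto>_connect_<name>_port). Prints nothing and
# returns 1 when the port is unlabeled, i.e. when a label must be added first.
connect_interface() {
    label=$(port_label "$1" "$2")
    [ "$label" = unlabeled ] && { printf '\n'; return 1; }
    printf 'corenet_%s_connect_%s\n' "$1" "${label%_t}"
}
```

The derived name follows the convention, so confirm the interface actually exists in corenetwork.if on the target policy before using it.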