Re: what are "normal" ports to bind/connect to?

From: Jan-Frode Myklebust <janfrode#tanso.net>
Date: Wed, 22 Apr 2009 14:27:58 +0200


On 2009-04-22, Jeffrey 'jf' Lim <jfs.world#gmail.com> wrote:
>>
>> 80 obviously
>>
>> 21/23/25/81/8080....
>>
>
> hm... ftp's tricky. If you want to include 21, then you might want to
> consider 20 as well.

Ports in SELinux are labeled, so to allow web ports one would allow ports of type "http_port_t", which by default includes 80, 443, 488, 8008, 8009, 8443 on RHEL5. If we define a policy for haproxy that only allows it to bind/connect to http_port_t ports, and you want it to connect to other http ports than these, you can add them to the list of http_port_t ports by:

        semanage port -a -t http_port_t -p tcp $portnumber

So, from the list so far, I read that we need to allow web, telnet, ftp and smtp. Maybe with only web allowed by default, and the others enabled by booleans:

	# allow using http_port_t (80, 443, 488, 8008,..):
	haproxy_bindconnect_http = on
	# allow using ftp_port_t (21) and ftp_data_port_t (20)
	haproxy_bindconnect_ftp = off
	# allow using smtp_port_t (25, 465, 587)
	haproxy_bindconnect_smtp = off
	# allow using pop_port_t (106, 109, 110, 143, 220, 993, 995, 1109)
	haproxy_bindconnect_pop = off
	# allow haproxy to bind and connect to any port
	haproxy_bindconnect_any = off


I think this boolean regime in SELinux doesn't scale too well for
general services like haproxy. I don't want to pollute it with
too many booleans..

>
>> A clear error on start up and description of how to resolve would be
>> useful I guess, but then I guess haproxy wouldn't know it was being
>> blocked by selinux policy?
>
> nope... Unless there were some kind of a "standard" way to inform an
> application (in which case, of course, the app would have to be
> programmed for that).

Yes, I think it's supposed to be up to the OS to notify the admin here via logs, popups or email.. I always have a

        tail -f /var/log/audit/audit.log | grep avc

running when I install new services.. Then I immediately see if something is denied.

> -jf (too, ha)

I was considering if two "-jf"'s might be too much, and if I should find another ha-proxying solution since you were here first :-)

  -jf

Received on 2009/04/22 14:27
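The port-label lookup and the AVC-watching described in the post above, worked through as an added example; this is not code from the original thread or from the haproxy project. It takes a constructed AVC denial line of the kind auditd writes to /var/log/audit/audit.log, pulls out the denied port, looks it up in a constructed sample of `semanage port -l` output (laid out like the stock RHEL5 port map, where 8080 is already http_cache_port_t), and prints the semanage command that would make the port http_port_t. The haproxy_t domain in the sample line is an assumption; the script only prints commands and never runs semanage. It goes beyond the single `semanage port -a` in the post by handling the case where the port already carries another type, where `-a` fails with "already defined" and `-m` is needed instead.

```shell
#!/bin/sh
# Added example, not from the original post. All inputs below are
# constructed samples so the script runs offline; haproxy_t is an
# assumed domain name.

# Constructed sample in the shape of `semanage port -l` output (RHEL5-style).
SEMANAGE_PORTS='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
ftp_port_t                     tcp      21
ftp_data_port_t                tcp      20
smtp_port_t                    tcp      25, 465, 587
pop_port_t                     tcp      106, 109, 110, 143, 220, 993, 995, 1109'

# Constructed sample AVC line: a confined process (assumed domain haproxy_t)
# denied name_bind on tcp/8080, which is labeled http_cache_port_t.
SAMPLE_AVC='type=AVC msg=audit(1240403278.123:456): avc:  denied  { name_bind } for  pid=4321 comm="haproxy" src=8080 scontext=root:system_r:haproxy_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'

# avc_port LINE: print the port number from the src= field of an AVC line.
avc_port() {
    printf '%s\n' "$1" | sed -n 's/.* src=\([0-9]*\) .*/\1/p'
}

# avc_perm LINE: print the denied permission, e.g. name_bind or name_connect.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p'
}

# port_type PROTO PORT: print the SELinux type that PORT/PROTO currently has
# in $SEMANAGE_PORTS, handling both single ports and "low-high" ranges.
# Prints nothing if the port is unlabeled (falls back to the generic type).
port_type() {
    printf '%s\n' "$SEMANAGE_PORTS" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (index(p, "-")) {
                    split(p, r, "-")
                    if (port+0 >= r[1]+0 && port+0 <= r[2]+0) { print $1; exit }
                } else if (p+0 == port+0) { print $1; exit }
            }
        }'
}

# suggest_fix PROTO PORT TYPE: print the semanage command that gives
# PORT/PROTO the label TYPE. "-a" only works for a port with no label yet;
# a port that already has another type must be moved with "-m".
suggest_fix() {
    cur=$(port_type "$1" "$2")
    if [ -z "$cur" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$3" "$1" "$2"
    elif [ "$cur" = "$3" ]; then
        printf 'port %s/%s already labelled %s\n' "$1" "$2" "$3"
    else
        printf 'semanage port -m -t %s -p %s %s\n' "$3" "$1" "$2"
    fi
}

# Stand-alone run: from the denial to the fix.
port=$(avc_port "$SAMPLE_AVC")
echo "denied $(avc_perm "$SAMPLE_AVC") on tcp/$port, currently labeled: $(port_type tcp "$port")"
suggest_fix tcp "$port" http_port_t
```

Note the trade-off the `-m` branch hides: moving 8080 from http_cache_port_t to http_port_t also takes it away from every domain that was allowed http_cache_port_t (a caching proxy, for instance). The alternative is to leave the label alone and have the haproxy policy module allow http_cache_port_t as well, which is the same scaling problem the post describes. In production the same pipeline is fed live, e.g. `ausearch -m avc -c haproxy` or the `tail -f ... | grep avc` from the post.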

This archive was generated by hypermail 2.2.0 : 2009/04/22 14:30 CEST