Setting a port number inside my selinux module file
I'm trying to put together a small selinux module to further my understanding of selinux. I've defined a small daemon-like application type with its own port_type. The following code is a condensed version, replacing my own application type with httpd_t:
module mymodule 1.0;
require {
type httpd_t;
attribute port_type;
class tcp_socket name_bind;
}
#============= my_port_t ==============
type my_port_t, port_type;
allow httpd_t my_port_t:tcp_socket name_bind;
I would now like to put the actual port number(s) for my_port_t into the module (or the generated package). The purpose is to avoid an explicit semanage call like this:
semanage port -a -t my_port_t -p tcp 9011
I know semanage makes the port number permanent, but I'd prefer to have a single file that takes care of everything. This way, distribution of the module to many systems would be much easier.
How can I do this? So far I haven't found a solution. Am I approaching this the wrong way?
Solution 1:
portcon
is the directive for this purpose, but according to the Labeling a port in a loadable policy module article, it's not possible outside the base module. The official SELinux portcon docs say the same ("Module Policy: No").
However, this only applies to the traditional .te
modules. SELinux now also supports CIL (Common Intermediate Language), where it is supported. Supposedly, you need to be on EL 7.3 or later, or Fedora 23 or later.
So in your case, the port definition itself would look like so:
; Declare a my_port_t type
(type my_port_t)
; Assign the type to the object_r role
(roletype object_r my_port_t)
; Assign the right set of attributes to the port
(typeattributeset defined_port_type my_port_t)
(typeattributeset port_type my_port_t)
; Declare tcp:9011 as my_port_t
(portcon tcp 9011 (system_u object_r my_port_t ((s0) (s0))))
This, however, only solves the problem with the port type definition. According to the Fundamental SELinux Concepts, the remainder of the policy would be as simple as:
; Allow httpd_t to bind to my_port_t
(allow httpd_t my_port_t (tcp_socket (name_bind)))
If you want to just add additional ports to an existing port type, it's much simpler:
(portcon tcp 922 (system_u object_r ssh_port_t ((s0)(s0))))
You can save this file as say, foobar-ssh.cil
, then you can install and verify the results like so:
# semodule -i foobar-ssh.cil
# semodule -l | grep foobar
foobar-ssh
# semanage port -l | grep ssh
ssh_port_t tcp 22, 922