user6070547

Reputation: 61

How to allow a service to listen on and accept sockets on a port using a custom SELinux policy?

I'm implementing a custom SELinux policy (targeted) for a more or less typical systemd-managed service (prometheus node_exporter). I've utilized "ausearch" in order to get all permissions which the service needs to function.

But when I call "curl localhost:9100/metrics" the response is "connection reset by peer". It turned out that this is caused by a missing permission. In order to get it working I had to add the following rule in addition to those from "ausearch":

allow node_exporter_t self:tcp_socket create_stream_socket_perms;

Whole .te file:

policy_module(node_exporter, 1.0.0)

type node_exporter_t;
type node_exporter_exec_t;
init_daemon_domain(node_exporter_t, node_exporter_exec_t)

type node_exporter_unit_t;
systemd_unit_file(node_exporter_unit_t)


allow node_exporter_t self:tcp_socket { accept bind create getattr listen setopt };

### Not working without this rule:
allow node_exporter_t self:tcp_socket create_stream_socket_perms;
###

corenet_tcp_bind_generic_node(node_exporter_t)
corenet_tcp_bind_hplip_port(node_exporter_t)
dev_list_sysfs(node_exporter_t)
dev_read_sysfs(node_exporter_t)
fs_getattr_tmpfs(node_exporter_t)
fs_getattr_xattr_fs(node_exporter_t)
init_read_state(node_exporter_t)
kernel_read_fs_sysctls(node_exporter_t)
kernel_read_net_sysctls(node_exporter_t)
kernel_read_network_state(node_exporter_t)
kernel_read_rpc_sysctls(node_exporter_t)
kernel_read_software_raid_state(node_exporter_t)
kernel_read_system_state(node_exporter_t)
kernel_search_network_sysctl(node_exporter_t)

I haven't found an explanation yet why I need this additional rule. Does someone know what's going on here?

Actually I would assume that these particular rules should be enough...

Upvotes: 2

Views: 453

Answers (1)

user6070547

Reputation: 61

OK, it took me a long time to come across the "dontaudit" feature of SELinux.

So in order to get all necessary permissions you can follow this procedure:

# Disable "dontaudit" rules so that silenced denials show up in the audit log
semodule -DB

#
# Do your stuff that creates permission violations
#

# Grab the needed rules (-R maps denials to reference policy interfaces where possible)
ausearch -m avc --raw | audit2allow -R

# Enable "dontaudit" again
semodule -B

Upvotes: 2
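Added example (my own code, not from the question or the answer): a small Python parser that turns raw AVC records of the kind `ausearch -m avc --raw` prints into merged allow rules, roughly what audit2allow does, and expands the `create_stream_socket_perms` macro to show which tcp_socket permissions the explicit rule in the question left out. The AVC lines are constructed, and the macro expansion is the reference policy's definition from obj_perm_sets.spt as I recall it; check it against the policy installed on your system.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -m avc --raw` output (not real captured data).
# The field layout follows the kernel's AVC record format.
SAMPLE_AVC = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read write } for  pid=1234 comm="node_exporter" path="socket:[55555]" dev="sockfs" ino=55555 scontext=system_u:system_r:node_exporter_t:s0 tcontext=system_u:system_r:node_exporter_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getopt } for  pid=1234 comm="node_exporter" scontext=system_u:system_r:node_exporter_t:s0 tcontext=system_u:system_r:node_exporter_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_bind } for  pid=1234 comm="node_exporter" src=9100 scontext=system_u:system_r:node_exporter_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)"
)


def parse_avc(raw):
    """Yield (source_type, target_type, class, permissions) for each denial line."""
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:range]; the type is the third field.
        src = m.group("scontext").split(":")[2]
        tgt = m.group("tcontext").split(":")[2]
        yield src, tgt, m.group("tclass"), set(m.group("perms").split())


def to_allow_rules(raw):
    """Merge denials per (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(raw):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt_str = "self" if tgt == src else tgt  # same type as source -> self
        rules.append(f"allow {src} {tgt_str}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


# Reference policy permission sets (obj_perm_sets.spt), reproduced from memory: assumption.
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown"}
CREATE_STREAM_SOCKET_PERMS = RW_SOCKET_PERMS | {"create", "listen", "accept"}
# The explicit tcp_socket rule from the question's .te file.
EXPLICIT_RULE_PERMS = {"accept", "bind", "create", "getattr", "listen", "setopt"}


def missing_from_explicit_rule():
    """Permissions the macro grants that the explicit rule did not (likely dontaudit'd)."""
    return sorted(CREATE_STREAM_SOCKET_PERMS - EXPLICIT_RULE_PERMS)
```

Denials hidden by dontaudit never reach the audit log, so a parser like this (or audit2allow) only sees them after `semodule -DB`, which is why the explicit rule built from ausearch alone was incomplete.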
