Ping a Specific Port

Question

Alex Leach

Asked: 2019-11-07 05:49:17 +0800 CST2019-11-07 05:49:17 +0800 CST 2019-11-07 05:49:17 +0800 CST

Opening ports in SELinux: How to give a daemon permission to listen on predefined port type?

772

This is a fairly generic SELinux question, but with a specific example. I'm still fairly new to SELinux, so am regularly fighting with it!

I'd like to know if I can set up a daemon (in this case haproxy) to listen on more ports than its default selinux policy allows. For instance, SMTP and FTP are a couple of services that might make sense to load balance or proxy, but aren't allowed by the default SELinux policy.

There's already a fairly good question and answer describing the ports that haproxy is allowed to listen on: https://unix.stackexchange.com/questions/363878/which-selinux-policies-apply-to-haproxy

What I'd like to do right now is allow haproxy to listen on FTP, and only FTP ports. There are already port types defining typical ports used by FTP:-

#> semanage port -l | grep ftp
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ftp_port_t                     udp      989, 990
tftp_port_t                    udp      69

However, how do I allow haproxy to listen on these ports?

A few suggestions I've seen online, all of which I'm not particularly fond of, for various reasons:-

Put selinux in permissive mode (can't believe this was even suggested)
Allow haproxy to listen on any port setsebool -P haproxy_connect_any 1. This is again a bit too permissive for my liking.
The answer from the above linked question would be to add the ports I'm interested in, on one of the port types haproxy already has access to. OK, so I could add port 21 to the http ports (or commplex ports, etc.), but that seems to defeat the point of ftp_port_t already being defined.
Create a new policy with audit2allow. What I dislike about this personally, is this requires a number of dependencies (okay, not a huge number), and then deploying on multiple load balancers would be a bit cumbersome.

Ideally, I'd just like to know if there's a command available (ideally without having to install anything additional), that gives a process type (in this case haproxy_t) permissions to listen on a specific port type (ftp_port_t). Any suggestions?

1 Answers

Voted

J D · Answer 1 · 2019-11-09T09:02:37+08:00

J D

2019-11-09T09:02:37+08:002019-11-09T09:02:37+08:00

Seems like this example could work semanage port -m -t haproxy_t -p tcp 20 20, 21 etc. Verifying with semanage port -l | grep haproxy shows custom ports included.

1

Opening ports in SELinux: How to give a daemon permission to listen on predefined port type?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?