I am muddling my way through learning selinux when installing a webapp with httpd as the webserver running CentOS 7. The app allows the user to send/receive mail etc but it seems that I have yet to allow access to imap port 993. So far it seems this is configured through pop_port_t but setsebool httpd_can_network_connect 1 does not include pop_port_t.

In the audit log I have:

type=AVC msg=audit(1613093671.415:155086): avc:  denied  { name_connect } for  pid=22431 comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0

Yet, running the below

sesearch -A -s httpd_t -c tcp_socket -p name_connect -d -C

tells me

ET allow httpd_t pop_port_t : tcp_socket name_connect ; [ httpd_can_sendmail ]

I am obviously missing something. Does anyone know how to enable access to pop_port_t?

On 12.02.21 at 04:27, H wrote:
> I am muddling my way through learning selinux when installing a webapp with httpd as the webserver running CentOS 7. The app allows the user to send/receive mail etc but it seems that I have yet to allow access to imap port 993. So far it seems this is configured through pop_port_t but setsebool httpd_can_network_connect 1 does not include pop_port_t.
>
> In the audit log I have:
>
> type=AVC msg=audit(1613093671.415:155086): avc:  denied  { name_connect } for  pid=22431 comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0
>
> Yet, running the below
>
> sesearch -A -s httpd_t -c tcp_socket -p name_connect -d -C
>
> tells me
>
> ET allow httpd_t pop_port_t : tcp_socket name_connect ; [ httpd_can_sendmail ]
>
> I am obviously missing something. Does anyone know how to enable access to pop_port_t?
>

setsebool -P httpd_can_sendmail on

-P > persistent across reboots

--
Leon
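
An added example, not part of either message above: a small Python helper that pairs an AVC denial with sesearch -C output and lists the conditional rules, and so the booleans, that cover the denied access. The function names and the last two sesearch lines are constructed for illustration; matching is by exact type name only, so rules written against attributes are not resolved.

```python
import re

# AVC line and first sesearch line as quoted in the thread; the other two
# sesearch lines are constructed sample input.
AVC = ('type=AVC msg=audit(1613093671.415:155086): avc:  denied  { name_connect } '
       'for  pid=22431 comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0')
SESEARCH = """\
ET allow httpd_t pop_port_t : tcp_socket name_connect ; [ httpd_can_sendmail ]
DT allow httpd_t smtp_port_t : tcp_socket name_connect ; [ httpd_can_sendmail ]
DT allow httpd_t ldap_port_t : tcp_socket { name_connect name_bind } ; [ httpd_can_connect_ldap ]
"""

AVC_RE = re.compile(
    r'denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)'
    r'.*?tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+).*?tclass=(?P<cls>\w+)')
# sesearch -C prefixes each conditional rule with two letters: E/D (rule is
# currently enabled or disabled) and T/F (true or false branch of the condition).
RULE_RE = re.compile(
    r'^(?P<state>[ED])(?P<branch>[TF]) allow (?P<src>\S+) (?P<tgt>\S+) : (?P<cls>\S+) '
    r'(?:\{ (?P<set>[^}]+)\}|(?P<one>\S+)) ; \[ (?P<cond>.+?) \]$')

def parse_avc(line):
    """Extract source type, target type, class and permissions from a denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial")
    return {"src": m["src"], "tgt": m["tgt"], "cls": m["cls"],
            "perms": set(m["perms"].split())}

def gating_rules(avc_line, sesearch_text):
    """Return (condition, branch, currently_enabled) for each conditional
    allow rule that covers every permission in the denial."""
    avc = parse_avc(avc_line)
    hits = []
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            continue  # unconditional rules and headers are skipped
        perms = set((m["set"] or m["one"]).split())
        same_triple = (m["src"], m["tgt"], m["cls"]) == (avc["src"], avc["tgt"], avc["cls"])
        if same_triple and avc["perms"] <= perms:
            hits.append((m["cond"], m["branch"], m["state"] == "E"))
    return hits

if __name__ == "__main__":
    for cond, branch, enabled in gating_rules(AVC, SESEARCH):
        print(f"{cond} (branch {branch}): {'enabled' if enabled else 'disabled'}")
```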