
This is a fairly generic SELinux question, but with a specific example. I'm still fairly new to SELinux, so am regularly fighting with it!

I'd like to know if I can set up a daemon (in this case haproxy) to listen on more ports than its default selinux policy allows. For instance, SMTP and FTP are a couple of services that might make sense to load balance or proxy, but aren't allowed by the default SELinux policy.

There's already a fairly good question and answer describing the ports that haproxy is allowed to listen on: https://unix.stackexchange.com/questions/363878/which-selinux-policies-apply-to-haproxy

What I'd like to do right now is allow haproxy to listen on FTP, and only FTP ports. There are already port types defining typical ports used by FTP:-

#> semanage port -l | grep ftp
ftp_data_port_t                tcp      20
ftp_port_t                     tcp      21, 989, 990
ftp_port_t                     udp      989, 990
tftp_port_t                    udp      69

However, how do I allow haproxy to listen on these ports?

A few suggestions I've seen online, all of which I'm not particularly fond of, for various reasons:-

  • Put selinux in permissive mode (can't believe this was even suggested)
  • Allow haproxy to listen on any port: setsebool -P haproxy_connect_any 1. This is again a bit too permissive for my liking.
  • The answer from the above linked question would be to add the ports I'm interested in, on one of the port types haproxy already has access to. OK, so I could add port 21 to the http ports (or commplex ports, etc.), but that seems to defeat the point of ftp_port_t already being defined.
  • Create a new policy with audit2allow. What I dislike about this personally, is this requires a number of dependencies (okay, not a huge number), and then deploying on multiple load balancers would be a bit cumbersome.

Ideally, I'd just like to know if there's a command available (ideally without having to install anything additional), that gives a process type (in this case haproxy_t) permissions to listen on a specific port type (ftp_port_t). Any suggestions?

Alex Leach
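One way to grant exactly what the question asks for, as an added example that is not from the question or the answer: a small SELinux CIL policy module that gives haproxy_t name_bind on ftp_port_t and ftp_data_port_t (the two listen permissions needed for ports 20 and 21) and nothing else, installed with semodule alone, so no audit2allow or checkmodule is required. It assumes a semodule that accepts CIL source files (libsemanage 2.4 or newer, e.g. RHEL/CentOS 7.3+), root privileges to install, and that haproxy_t already has the generic node_bind it needs for its existing ports.

```shell
#!/bin/sh
# Added example (not from the page): build and install a minimal CIL module
# that lets haproxy_t listen on FTP control/data ports only.
MODULE_NAME="haproxy_ftp"

# Print the CIL source for the module to stdout.
# haproxy_t, ftp_port_t and ftp_data_port_t already exist in the base
# policy, so they are referenced here, not declared.
haproxy_ftp_cil() {
    cat <<'EOF'
; haproxy_ftp: allow haproxy_t to bind (listen) on FTP control and data ports.
(allow haproxy_t ftp_port_t (tcp_socket (name_bind)))
(allow haproxy_t ftp_data_port_t (tcp_socket (name_bind)))
EOF
}

# Write the module source to a file (argument, default ./haproxy_ftp.cil)
# and print the path written.
write_haproxy_ftp_cil() {
    out="${1:-${MODULE_NAME}.cil}"
    haproxy_ftp_cil > "$out"
    printf '%s\n' "$out"
}

# Install the module and confirm it is loaded. Needs root and an
# SELinux-enabled host with CIL support in semodule (assumption).
install_haproxy_ftp() {
    cil=$(write_haproxy_ftp_cil "${TMPDIR:-/tmp}/${MODULE_NAME}.cil")
    semodule -i "$cil"
    # semodule -l lists installed module names (older versions add a version column).
    semodule -l | grep "^${MODULE_NAME}" >/dev/null
}

# Roll back: remove the module again.
remove_haproxy_ftp() {
    semodule -r "$MODULE_NAME"
}

# Usage: as root, "install_haproxy_ftp", then restart haproxy with its
# FTP frontends; "remove_haproxy_ftp" undoes the change.
```

Because the rule names ftp_port_t rather than a port number, any port later added to that type with semanage port -a -t ftp_port_t is covered automatically, which is the point of reusing the existing type.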

1 Answer


Seems like this example could work: semanage port -m -t haproxy_t -p tcp 20 20, 21 etc. Verifying with semanage port -l | grep haproxy shows custom ports included.

J D