Previous Entry Share Next Entry
How do I tell what would be allowed by a boolean?

I received and Email today that asked the following question:

I still fail to understand the difference between  httpd_can_network_connect_db and httpd_can_network_connect. Some people say the former allows connections to known database ports. My question are:

What are these ports? Where are the corresponding policy defined? I found many  .pp files deeply under /etc/selinux, and I feel sorry that they are binary which are almost impossible to interpret, so where can I find the the source files for the compiled policy, and what is the language to define policies?

You could use the semanage command for how the booleans are described.

> semanage boolean -l | grep httpd_can_network_connect
httpd_can_network_connect_db   (off  ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect      (off  ,  off)  Allow HTTPD scripts and modules to connect to the network using TCP.

The best answer to this is to look at the sesearch and seinfo tools and on newer (Fedora/RHEL7) systems sepolicy command.  Also look at the man pages that have been generated.

man httpd_selinux

sesearch and seinfo are available in the setools-cmdline package.  sepolicy is in policycoreutils-python package.


sesearch -A -s httpd_t -b httpd_can_network_connect_db -p name_connect
   allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t mssql_port_t : tcp_socket name_connect ;
   allow httpd_t oracle_port_t : tcp_socket name_connect ;
   allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t gds_db_port_t : tcp_socket name_connect ;

The command above reads in the policy and prints out what happens when you enable the httpd_can_network_connect_db boolean.  We further restrict the search to see how it affects the httpd_t, apache, process type with the name_connect access.     sesearch tells us that turning on httpd_can_network_connect_db would allow the httpd_t domain to connect to tcp ports labeled postgresql_port_t, mssql_port_t, oracle_port_t, mysqld_port_t, gds_db_port_t.  You can use seinfo to turn these port types into port definitions. semanage port -l would also work.

> seinfo  --port | grep -e postgresql_port_t -e mysqld_port_t -e oracle_port_t -e gds_db_port_t | grep tcp
    portcon tcp 3050 system_u:object_r:gds_db_port_t:s0
    portcon tcp 1186 system_u:object_r:mysqld_port_t:s0
    portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
    portcon tcp 63132-63164 system_u:object_r:mysqld_port_t:s0
    portcon tcp 1521 system_u:object_r:oracle_port_t:s0
    portcon tcp 2483 system_u:object_r:oracle_port_t:s0
    portcon tcp 2484 system_u:object_r:oracle_port_t:s0
    portcon tcp 5432 system_u:object_r:postgresql_port_t:s0

> sepolicy network -t postgresql_port_t
postgresql_port_t: tcp: 5432


> sesearch -A -s httpd_t -b httpd_can_network_connect -p name_connect
Found 1 semantic av rules:
   allow httpd_t port_type : tcp_socket name_connect ;

The above command shows that httpd_can_network_connect allows httpd_t to connect to all tcp socket types that have the port_type attribute.

> seinfo -aport_type -x | wc -l

Using seinfo above would show you that port_type is the attribute of all port types, meaning that turning on the httpd_can_network_connect boolean, allows the httpd_t domain to connect to ALL tcp network ports.

Bottom Line httpd_can_network_connect_db allows httpd_t to connect to an additional 10 ports while httpd_can_network_connect adds thousands.

  • 1
Many thanks, Dan, for thorough explanation. I followed your instructions and verified in my CentOS 6.4 release, although the output in my box differs from yours a little, I have amlost clear understanding, except a few minor points:

1) say in this rule,

allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;

httpd_selinux(8) says httpd_t type is entered via the httpd_exec_t file type whose label rules can be found in /etc/selinux/targeted/modules/active/file_contexts. And by either seinfo or semanage the postgresql_port_t port type can be verified as tcp/5432.

I read tcp_sockt as resource class and those in curly brackets are permissions, but there is still a minor gap between them and my old understanding of Linux system APIs. How can I resolve the gap?

2) I read the 'allow source_type target_type: resoure_class { permissions }' as kind of policy language syntax. And I recall you mentioned in an old post that it is m4, and Brindle's blog mentioned there will be a new policy language. So where can I find the source of the existing policies, and when will the new language take over?

3) there's a minor mind leap I saw this command

seinfo -aport_type -x | wc -l

where port_type is an attribute. What's an attribute? I guess it is kind of aggregation of types?

PS: I read almost 80 recent posts last night, I wish I have read your blog many years ago.

1. SELinux rules are between types (or attributes). You have a source type httpd_t representing a process type of in SELinux lingo a "domain". And you have a target type, in this case postgresql_port_t. Then as you properly stated you have the class of the target object and the list of permissions you are granting. In SELinux there is no concept of UID or ownership of an object like there is in DAC (Descretionary Access Control == Linux System APIs)

2 Sources for the policy released productes are included in the SRC RPM. Newer policies are stored in git either Fedora which is based off the refpolicy in

3. Attributes as ways of grouping types together so yes thinking of this as a aggregate type of a group. For example all process types have a attribute of "domain". All file types have an attribute of "file_type", and all port types have a attribute of "port_type". These attributes can then be used for writing policy like

allow rpm_t file_type:file manage_file_perms;

  • 1

Log in