Troels Arvin
2018-04-27 14:23:17 UTC
Hello,
RHEL/CentOS 7.4 was rather disastrous for Tomcat users, because lots of
things which used to work suddenly broke, due to a new SELinux policy for
Tomcat. RHEL 7.5 has fixed most of it, because a number of commits allowed
Tomcat to connect to database systems and other things:
https://github.com/fedora-selinux/selinux-policy-contrib/commit/cf1ac899006bed35c10c08a76adbbf8ce6e68443
https://github.com/fedora-selinux/selinux-policy-contrib/commit/e67f46aec82a897218c879e5c92e6921407b9074
...
But I still have a Tomcat app which has run into SELinux-denials. The app
needs to send mails, so it tries to connect to port 25. I see a number of
ways this could be handled, but I would prefer the following combination:
- adjust the policy, so that by default, Tomcat can allow to
port 25/tcp on the loopback interface
- and add a boolean which allows Tomcat to connect to any port 25/tcp,
maybe something along the lines of
corenet_tcp_loopback_connect_smtp(tomcat_domain)
Before I create a Bugzilla case about this for Fedora/Red Hat, I have some
questions:
- Is it possible to selectively allow an application to connect to
something on the loopback-interface?
- Is the above proposal a good one, or am I overlooking something?
RHEL/CentOS 7.4 was rather disastrous for Tomcat users, because lots of
things which used to work suddenly broke, due to a new SELinux policy for
Tomcat. RHEL 7.5 has fixed most of it, because a number of commits allowed
Tomcat to connect to database systems and other things:
https://github.com/fedora-selinux/selinux-policy-contrib/commit/cf1ac899006bed35c10c08a76adbbf8ce6e68443
https://github.com/fedora-selinux/selinux-policy-contrib/commit/e67f46aec82a897218c879e5c92e6921407b9074
...
But I still have a Tomcat app which has run into SELinux-denials. The app
needs to send mails, so it tries to connect to port 25. I see a number of
ways this could be handled, but I would prefer the following combination:
- adjust the policy, so that by default, Tomcat can allow to
port 25/tcp on the loopback interface
- and add a boolean which allows Tomcat to connect to any port 25/tcp,
maybe something along the lines of
corenet_tcp_loopback_connect_smtp(tomcat_domain)
Before I create a Bugzilla case about this for Fedora/Red Hat, I have some
questions:
- Is it possible to selectively allow an application to connect to
something on the loopback-interface?
- Is the above proposal a good one, or am I overlooking something?
--
Regards,
Troels Arvin
Regards,
Troels Arvin