From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 21 Apr 2009 16:40:27 -0400
Subject: [refpolicy] add policy for haproxy
In-Reply-To: <20090421201724.GA4270@janfrode.ibm.com>
References: <20090318223522.GA14675@janfrode.ibm.com>
	<1240343395.19211.773.camel@gorn.columbia.tresys.com>
	<20090421201724.GA4270@janfrode.ibm.com>
Message-ID: <1240346427.19211.777.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2009-04-21 at 22:17 +0200, Jan-Frode Myklebust wrote:
> On Tue, Apr 21, 2009 at 03:49:55PM -0400, Christopher J. PeBenito wrote:
> > * Does it really need to bind and connect to all ports?
>
> It's a general tcp proxy service, so it might need to bind/connect on
> any port. But one haproxy-installation will typically only need to
> bind/connect to the ports it's proxying for. Do you think maybe we
> should use booleans like:
>
> haproxy_bindconnect_any
> haproxy_bindconnect_http (to bind/connect to http_port_t)
> haproxy_bindconnect_smtp (to bind/connect to smtp_port_t)
> haproxy_bindconnect_pop (to bind/connect to pop_port_t)
> haproxy_bindconnect_db (to bind/connect to same as httpd_can_network_connect_db)
> ...
>
> Do you have any suggestions for how to achieve this without creating too
> many booleans ?

Is there a reasonable set of common ports that are used? (perhaps what
you have above, http, smtp, pop, postgres, mysql)? If so, just allowing
those unconditionally would be sufficient, and then maybe have one
conditional for binding all ports.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
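The layout Chris suggests, written out as a refpolicy-style .te fragment. This is an added illustration, not the haproxy module from the thread and not code from refpolicy itself; the module name, the domain type haproxy_t, the tunable name haproxy_bind_all_ports and the particular corenet port interfaces chosen for the "common" set are assumptions made here.

```selinux
policy_module(haproxy, 1.0.0)

## <desc>
## <p>
## Allow haproxy to bind to and connect to any TCP port,
## not only the commonly proxied services allowed by default.
## </p>
## </desc>
gen_tunable(haproxy_bind_all_ports, false)

# Assumed domain and entrypoint types for the proxy daemon.
type haproxy_t;
type haproxy_exec_t;
init_daemon_domain(haproxy_t, haproxy_exec_t)

# Socket plumbing every TCP proxy needs regardless of port.
allow haproxy_t self:tcp_socket create_stream_socket_perms;
# Binding to privileged ports such as 80, 25 or 110 also needs this capability.
allow haproxy_t self:capability net_bind_service;
corenet_all_recvfrom_unlabeled(haproxy_t)
corenet_tcp_sendrecv_generic_if(haproxy_t)
corenet_tcp_sendrecv_generic_node(haproxy_t)
corenet_tcp_bind_generic_node(haproxy_t)

# The common proxied services from the thread (http, smtp, pop,
# postgres, mysql), allowed unconditionally as Chris proposes.
corenet_tcp_bind_http_port(haproxy_t)
corenet_tcp_connect_http_port(haproxy_t)
corenet_tcp_bind_smtp_port(haproxy_t)
corenet_tcp_connect_smtp_port(haproxy_t)
corenet_tcp_bind_pop_port(haproxy_t)
corenet_tcp_connect_pop_port(haproxy_t)
corenet_tcp_bind_postgresql_port(haproxy_t)
corenet_tcp_connect_postgresql_port(haproxy_t)
corenet_tcp_bind_mysqld_port(haproxy_t)
corenet_tcp_connect_mysqld_port(haproxy_t)

# Every other port only when the administrator turns the single boolean on.
tunable_policy(`haproxy_bind_all_ports',`
	corenet_tcp_bind_all_ports(haproxy_t)
	corenet_tcp_connect_all_ports(haproxy_t)
')
```

With the tunable off (the default), a deployment that proxies only the listed services runs under the narrower rule set without any boolean changes; an administrator fronting an unusual port flips one boolean instead of choosing among several per-service ones. When the boolean is on, the per-port lines are subsumed by the all-ports interfaces but remain harmless. Which ports a given installation actually needs is best confirmed from AVC denials in permissive mode before deciding whether the boolean has to be enabled at all.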