
selinux policy prevents proxy through squid port 3128 #162

Closed
gtallan opened this issue Jun 28, 2019 · 3 comments · May be fixed by #265

Comments

@gtallan

gtallan commented Jun 28, 2019

We have some duo-enabled CentOS 7 systems which are on rfc1918 addresses, and so have to access the api servers through a provided proxy which runs on port 3128 (standard squid port).

However selinux policy prevents duo from connecting to this port so we get an error:
Failsafe Duo login for 'user' from hostname: Couldn't connect to api-82d56263.duosecurity.com: Failed to connect

(This does work if we disable selinux.)

Here is the problem: port 3128 is already defined by policy so it seems impossible to add to the http_cache_port_t list used by duo, nor can I remove that port from the squid_port_t list:

# semanage port -a -t http_cache_port_t -p tcp 3128
ValueError: Port tcp/3128 already defined
# semanage port -d -t squid_port_t -p tcp 3128
ValueError: Port tcp/3128 is defined in policy, cannot be deleted

Since duo_linux is designed to support connection through a proxy, and squid is a fairly common implementation, maybe it would make sense to add squid_port_t to the set of permitted port lists (in pam_duo/authlogin_duo.te)?

Or perhaps there is another solution?

@vbscott
Contributor

vbscott commented Jul 2, 2019

Thank you for your question.
You are correct. You can add squid_port_t to your authlogin_duo.te file and then recompile and reinstall authlogin_duo.te. This will let SELinux know that it can access Duo for 2FA if pam_duo is using a proxy with a squid_port_t port.
In order to add squid_port_t to the permitted port lists you can modify authlogin_duo.te to add squid_port_t to gen_require and to the tunable_policies:

gen_require(`
    type http_cache_port_t;
    type http_port_t;
    type local_login_t;
    type squid_port_t;
    type sshd_t;
    class tcp_socket name_connect;
    ')

tunable_policy(`pam_duo_permit_sshd',`
    allow sshd_t {http_port_t http_cache_port_t squid_port_t}:tcp_socket name_connect;
')

tunable_policy(`pam_duo_permit_local_login',`
    allow local_login_t {http_port_t http_cache_port_t squid_port_t}:tcp_socket name_connect;
')

Afterwards you can run:

sudo make semodule-remove
make semodule
sudo make semodule-install

This will allow SELinux to allow any squid_port_t port, including port 3128, to connect to Duo for 2FA.
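The diagnosis in the original report (tcp/3128 is already labeled squid_port_t by the base policy, so it can neither be added to http_cache_port_t nor removed) and the fix in the answer above (adding squid_port_t to the name_connect rules) can be checked mechanically. The script below is an added example, not code from duo_unix or from either commenter: it parses an excerpt in the format of `semanage port -l` output (constructed here, not a real capture) and the allow rules of an authlogin_duo.te fragment, and reports which port type a proxy port carries and whether a given domain (sshd_t, local_login_t) is permitted to connect to it. The pre-fix .te fragment is assumed to match the thread's snippet minus squid_port_t; all names and sample values are constructed.

```python
"""Check whether a proxy port's SELinux port type is covered by the
name_connect rules of an authlogin_duo.te-style policy fragment.
Added example; not part of duo_unix."""
import re

# Constructed excerpt in the layout of `semanage port -l` (not a real capture).
SEMANAGE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
squid_port_t                   tcp      3128, 3401, 4827
squid_port_t                   udp      3401, 4827
"""

# Assumed pre-fix fragment: the thread's rules without squid_port_t.
TE_BEFORE = """\
tunable_policy(`pam_duo_permit_sshd',`
    allow sshd_t {http_port_t http_cache_port_t}:tcp_socket name_connect;
')
tunable_policy(`pam_duo_permit_local_login',`
    allow local_login_t {http_port_t http_cache_port_t}:tcp_socket name_connect;
')
"""

# Post-fix fragment, as given in the answer above.
TE_AFTER = TE_BEFORE.replace("http_cache_port_t}", "http_cache_port_t squid_port_t}")

_PORT_LINE = re.compile(r"^(\S+_port_t)\s+(tcp|udp)\s+(.+)$")
_ALLOW_RULE = re.compile(
    r"allow\s+(\S+)\s+(?:\{([^}]*)\}|([^\s:{]+)):tcp_socket\s+name_connect;"
)


def parse_port_types(text):
    """Map (proto, port) -> port type for every port or range listed."""
    mapping = {}
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if not m:
            continue  # header, blank line, or unrelated output
        ptype, proto, ranges = m.groups()
        for item in ranges.split(","):
            lo, _, hi = item.strip().partition("-")
            lo = int(lo)
            hi = int(hi) if hi else lo
            for port in range(lo, hi + 1):
                mapping[(proto, port)] = ptype
    return mapping


def allowed_port_types(te_text, domain):
    """Port types `domain` may name_connect to, from brace-set or single-type rules."""
    allowed = set()
    for m in _ALLOW_RULE.finditer(te_text):
        if m.group(1) != domain:
            continue
        allowed.update((m.group(2) or m.group(3)).split())
    return allowed


def proxy_port_covered(port_list, te_text, domain, proto, port):
    """Return (port_type, covered): the label on the proxy port and whether
    the policy fragment lets `domain` connect to it. port_type is None when
    the port is not listed in the given semanage output."""
    ptype = parse_port_types(port_list).get((proto, port))
    covered = ptype is not None and ptype in allowed_port_types(te_text, domain)
    return ptype, covered


if __name__ == "__main__":
    for label, te in (("before fix", TE_BEFORE), ("after fix", TE_AFTER)):
        ptype, ok = proxy_port_covered(SEMANAGE_PORT_LIST, te, "sshd_t", "tcp", 3128)
        print(f"{label}: tcp/3128 is {ptype}, sshd_t name_connect allowed: {ok}")
```

On a real host, replace the constructed excerpt with the output of `semanage port -l` and the fragment with the installed authlogin_duo.te; a `False` result for the proxy port is the condition that produces the "Failed to connect" failsafe message in the report, and the port type it prints is the one that has to appear in the allow rules.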

@vbscott
Contributor

vbscott commented Oct 21, 2019

I am going to close this out. If you have any more questions about this please feel free to reopen this issue.

@vbscott vbscott closed this as completed Oct 21, 2019
dnorthup-ums added a commit to dnorthup-ums/duo_unix that referenced this issue Oct 2, 2023
As Squid is a popular Forward Proxy platform, and security binaries
should be compiled by trusted partners, add use of squid_port_t to the
supplied SELINUX policy object.

Satisfies Issue duosecurity#162
@dnorthup-ums

I have posted a pull request to fix this issue properly. See #265
