You install and configure Authentication Services and the Starling module to access the internet by means of a proxy service, and the HTTP proxy service listens on a TCP port other than 80, 81, 443, 488, 8008, 8009, 8443 or 9000.
The client system has SELinux in enforcing mode.
You may experience Starling problems such as:
Service Denial
Starling Prompts not showing via sshd but they do show when performing sudo
On a RHEL/CentOS system with SELinux set to "enforcing", a default set of rules is loaded to allow communication between processes. This set of rules prohibits local processes from connecting to local or remote processes that are not defined in SELinux policies.
In this example, a remote proxy service was set up on TCP port 10041 to allow Starling-enabled hosts to communicate with the One Identity Cloud Service.
If you try to access the resource and then run:
# ausearch -m AVC,USER_AVC -ts recent
the output will provide you with valuable data if a communication problem exists, with entries such as:
With this information, you can modify the SELinux policy to allow the process to leave the client system and reach the destination proxy.
An example of a SELinux policy change to reach the destination HTTP proxy at port 10041 is:
# semanage port -a -t http_port_t -p tcp 10041
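Before making the change, it helps to check how the port is currently labelled. The following is an added example, not One Identity's code: the function names are hypothetical and the port listing is a constructed sample of `semanage port -l` output. It reports whether a port already carries http_port_t and prints the semanage command that applies.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
sample_port_list() {
cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61000-65535, 1024-32767
EOF
}

# port_label_state TYPE PROTO PORT   (reads `semanage port -l` text on stdin)
# Prints: labelled  - PORT is listed under TYPE, on its own or inside a range
#         other:<t> - PORT has an entry of its own under a different type <t>
#         missing   - PORT has no entry of its own and is not covered by TYPE
port_label_state() {
    awk -v want="$1" -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)            # strip the list separator
                n = split(p, r, "-")                # "lo-hi" or a single port
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 < lo || port + 0 > hi) continue
                if ($1 == want) hit = 1
                else if (lo == hi && other == "") other = $1
            }
        }
        END {
            if (hit) print "labelled"
            else if (other != "") print "other:" other
            else print "missing"
        }'
}

# suggest_semanage TYPE PROTO PORT: print the command to run, or nothing when
# the port already carries TYPE. -m is suggested for a port that has its own
# entry under another type, where -a fails with "already defined".
# Real host: semanage port -l | suggest_semanage http_port_t tcp 10041
suggest_semanage() {
    case "$(port_label_state "$1" "$2" "$3")" in
        labelled) ;;
        other:*)  echo "semanage port -m -t $1 -p $2 $3" ;;
        missing)  echo "semanage port -a -t $1 -p $2 $3" ;;
    esac
}
```

Running the same check again after the change should print nothing, which confirms the port is now covered by http_port_t.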
More information can be found in the Red Hat SELinux manuals.