BlueChi’s SELinux policy¶
BlueChi provides a custom SELinux policy, limiting access of the bluechi-controller
and bluechi-agent
. It can be installed via
dnf install bluechi-selinux
By default, the package allows bluechi-controller
to bind and bluechi-agent
to connect to any port so that changes of the ControllerPort are not being blocked.
Enforce port restrictions¶
In order to allow BlueChi to only use one port, the usage of any needs to be disabled with setsebool:
# Turn off the any policy for bluechi-controller
setsebool -P bluechi_controller_port_bind_any 0
# Turn off the any policy for bluechi-agent
setsebool -P bluechi_agent_port_connect_any 0
Subsequently, the desired port needs to be allowed by using semanage:
# Set the allowed port for bluechi-controller
semanage port -a -t bluechi_port_t -p tcp <port>
# Set the allowed port for bluechi-agent
semanage port -a -t bluechi_agent_port_t -p tcp <port>
Change from enforcing to permissive¶
By default, BlueChi will enforce its SELinux policy. By using semanage the permissive property can be added so that violations are blocked and create only an AVC entry:
# add the permissive property to bluechi-controller
semanage permissive -a bluechi_t
# add the permissive property to bluechi-agent
semanage permissive -a bluechi_agent_t