[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: package review?



Joshua Brindle wrote:
Daniel J Walsh wrote:
Wart wrote:
Paul Howarth wrote:
Wart wrote:

Daniel J Walsh wrote:

allow crossfire_t port_t:udp_socket send_msg;
allow crossfire_t port_t:tcp_socket name_bind;
You need to define a port for this socket and only allow name_bind to
that port
I know I'm missing something obvious here, but which macro can I use to add this restriction? I saw references to http_port_t and ntp_port_t in corenetwork.if, but didn't see anything that actually defined it to be
port 80 (http) or port 123 (ntp).
policy/modules/kernel/corenetwork.te.in:

...
network_port(ntp, udp,123,s0)
...
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,
tcp,8009,s0)

Thanks.  This is just what I needed.

I could have sworn that this syntax was working for me earlier today,
but now I keep getting syntax errors on FC5:

+ make -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
Compiling targeted  crossfire module
crossfire.te:67:ERROR 'syntax error' at token 'network_port' on line 59707:
## Networking basics (adjust to your needs!)
network_port(crossfire, tcp,13327,s0)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from tmp/crossfire.tmp
make: *** [tmp/crossfire.mod] Error 1

Is there something else that I need to include to be able to use
network_port()?

This seems to be a bug in Reference policy. You are not allowed to define ports in loadable modules, at least that I can figure.
I am in contact with upstream.  This is a serious bug.

Eh, this is a limitation in the compiler, and a very intentional one at that. Since port ordering is important we chose not to allow them in the module language since a different linking order could result in a different result.

Obviously refpolicy's solution to this is to include every port definition in corenetwork which is non-ideal in some ways but we also have semanage support for setting port contexts so I don't know that the module compiler should (or ever will) support this.
So the solution would be to add code like the following?

gen_requires(`
      attribute port_type;
')

type crossfire_port_t, port_type;

allow crossfire_t crossfire_port_t:udp_socket send_msg;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;



And in your install after the policy load

semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
semanage port -a -t crossfire_port_t -p udp MYPORTNUM


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]