package review?

Paul Howarth paul at city-fan.org
Tue Jul 25 06:23:16 UTC 2006


On Mon, 2006-07-24 at 17:01 -0700, Michael Thomas wrote:
> Daniel J Walsh wrote:
> > Joshua Brindle wrote:
> >> Eh, this is a limitation in the compiler, and a very intentional one
> >> at that. Since port ordering is important we chose not to allow them
> >> in the module language since a different linking order could result in
> >> a different result.
> >>
> >> Obviously refpolicy's solution to this is to include every port
> >> definition in corenetwork which is non-ideal in some ways but we also
> >> have semanage support for setting port contexts so I don't know that
> >> the module compiler should (or ever will) support this.
> > 
> > So the solution would be to add code like the following?
> > 
> > gen_requires(`
> >       attribute port_type;
> > ')
> 
> This gen_requires() generates a syntax error in my .te file.  I had to
> change it to a simple require():
> 
> require {
>     type port_t;
>     attribute port_type;
> };
> 
> 
> > type crossfire_port_t, port_type;
> > 
> > allow crossfire_t crossfire_port_t:udp_socket send_msg;
> > allow crossfire_t crossfire_port_t:tcp_socket name_bind;
> > 
> > 
> > 
> > And in your install after the policy load
> > 
> > semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
> > semanage port -a -t crossfire_port_t -p udp MYPORTNUM
> 
> I did this, but it doesn't seem to fail when it ought to.  To test, I
> installed the package and then used semanage to change the port
> definition for crossfire_port_t:
> 
> # semanage port -l | grep crossfire
> crossfire_port_t               tcp      13327
> # semanage port -d -t crossfire_port_t -p tcp 13327
> # semanage port -a -t crossfire_port_t -p tcp 13328
> # semanage port -l | grep crossfire
> crossfire_port_t               tcp      13328
> 
> But when I start up the service, it is still able to bind to port 13327
> with no errors.  I can even telnet to that port with no problem.  I did
> verify that the service is running as user_u:system_r:crossfire_t.  I
> had expected to see an avc: denied error when the service attempted to
> bind to the port.  Is there some other step that I missed, or perhaps
> something else in my .te file that is giving it permission?

corenet_tcp_bind_all_ports(crossfire_t)
corenet_tcp_sendrecv_all_ports(crossfire_t)

Paul.
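Added example, not part of the thread: a small POSIX shell check that audits a .te module for exactly the situation Paul points to, a dedicated port type with a name_bind rule whose restriction is cancelled by corenet_tcp_bind_all_ports and similar interfaces. The sample .te is constructed from the lines quoted above (the `type crossfire_t;` declaration and the `_all_unreserved_ports` variant in the pattern are assumptions).

```shell
# Constructed crossfire.te reproducing the thread: a dedicated port type and
# a name_bind rule on it, but also the broad corenet_*_all_ports interfaces.
SAMPLE_TE='policy_module(crossfire, 1.0)
require {
    type port_t;
    attribute port_type;
};
type crossfire_t;
type crossfire_port_t, port_type;
allow crossfire_t crossfire_port_t:udp_socket send_msg;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;
corenet_tcp_bind_all_ports(crossfire_t)
corenet_tcp_sendrecv_all_ports(crossfire_t)
'

# check_port_policy FILE DOMAIN: report whether DOMAIN's binds are really
# confined to the module's own port type. Returns 0 if so, 1 otherwise.
check_port_policy() {
    file=$1; domain=$2; rc=0
    # Dedicated port types: "type foo_port_t, port_type;"
    port_types=$(awk '/^[[:space:]]*type[[:space:]]+[A-Za-z0-9_]+,[[:space:]]*port_type[[:space:]]*;/ {
        sub(/,$/, "", $2); print $2 }' "$file")
    [ -n "$port_types" ] || { echo "no dedicated port type declared"; return 1; }
    for pt in $port_types; do
        if grep -Eq "^[[:space:]]*allow[[:space:]]+$domain[[:space:]]+$pt:tcp_socket.*name_bind" "$file"; then
            echo "ok: $domain may name_bind to $pt"
        else
            echo "warn: no tcp_socket name_bind rule from $domain to $pt"; rc=1
        fi
    done
    # Broad corenet interfaces grant the same access on every port type, so
    # relabeling the port with semanage no longer restricts the domain.
    broad=$(grep -E "^[[:space:]]*corenet_(tcp|udp)_(bind|sendrecv)_all_(unreserved_)?ports\($domain\)" "$file" || true)
    if [ -n "$broad" ]; then
        echo "masking: $domain is allowed on all ports, so port labeling is not enforced:"
        echo "$broad"; rc=1
    fi
    return $rc
}

# Stand-alone run: check the sample as written, then with the broad calls removed.
tmp=$(mktemp); printf '%s' "$SAMPLE_TE" > "$tmp"
check_port_policy "$tmp" crossfire_t; echo "exit status: $?"
grep -v '_all_ports(' "$tmp" > "$tmp.fixed"
check_port_policy "$tmp.fixed" crossfire_t; echo "exit status: $?"
rm -f "$tmp" "$tmp.fixed"
```

Run it against a real module with `check_port_policy crossfire.te crossfire_t`; a "masking:" line means the semanage port relabel test in the thread will never produce an AVC denial.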
