package review?

Daniel J Walsh dwalsh at redhat.com
Mon Jul 24 11:18:11 UTC 2006


Wart wrote:
> Paul Howarth wrote:
>   
>> Wart wrote:
>>
>>     
>>> Daniel J Walsh wrote:
>>>
>>>       
>>>> allow crossfire_t port_t:udp_socket send_msg;
>>>> allow crossfire_t port_t:tcp_socket name_bind;
>>>> You need to define a port for this socket and only allow name_bind to
>>>> that port
>>>>         
>>> I know I'm missing something obvious here, but which macro can I use to
>>> add this restriction?  I saw references to http_port_t and ntp_port_t in
>>> corenetwork.if, but didn't see anything that actually defined it to be
>>> port 80 (http) or port 123 (ntp).
>>>       
>> policy/modules/kernel/corenetwork.te.in:
>>
>> ...
>> network_port(ntp, udp,123,s0)
>> ...
>> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,
>> tcp,8009,s0)
>>     
>
> Thanks.  This is just what I needed.
>
> I could have sworn that this syntax was working for me earlier today,
> but now I keep getting syntax errors on FC5:
>
> + make -f /usr/share/selinux/devel/Makefile
> cat: /selinux/mls: No such file or directory
> Compiling targeted  crossfire module
> crossfire.te:67:ERROR 'syntax error' at token 'network_port' on line 59707:
> ## Networking basics (adjust to your needs!)
> network_port(crossfire, tcp,13327,s0)
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> /usr/bin/checkmodule:  loading policy configuration from tmp/crossfire.tmp
> make: *** [tmp/crossfire.mod] Error 1
>
> Is there something else that I need to include to be able to use
> network_port()?
>
>   
This seems to be a bug in Reference policy.  You are not allowed to 
define ports in loadable modules, at least that I can figure.
I am in contact with upstream.  This is a serious bug.
> --Wart
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
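As an added example, not code from this thread or from the reference policy project, here is a small Python helper that answers the question above by reading `network_port()` declarations in the form they take in corenetwork.te.in and mapping a protocol/port pair back to its port type. The sample text is constructed from the lines quoted in this thread, and the `corenet_<proto>_bind_<name>_port` interface name it derives assumes the reference policy's generated-interface naming convention.

```python
import re

# Constructed sample modelled on the corenetwork.te.in lines quoted in the thread.
SAMPLE_TE_IN = """
network_port(ntp, udp,123,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,
tcp,8009,s0)
network_port(crossfire, tcp,13327,s0)
"""

# Matches network_port(name, proto,port,level[, proto,port,level ...]) even when
# the argument list continues on the next line, as the http declaration does.
NETWORK_PORT_RE = re.compile(r"network_port\(\s*(\w+)\s*,([^)]*)\)")


def parse_network_ports(text):
    """Return {(proto, port): name} for every network_port() declaration.

    Raises ValueError on a malformed argument list or when two declarations
    claim the same protocol/port, which a reviewer would want flagged.
    """
    table = {}
    for m in NETWORK_PORT_RE.finditer(text):
        name = m.group(1)
        args = [a.strip() for a in m.group(2).split(",") if a.strip()]
        if len(args) % 3:
            raise ValueError(f"malformed network_port({name}, ...): {args}")
        for proto, port, _level in zip(args[0::3], args[1::3], args[2::3]):
            key = (proto, int(port))
            if key in table and table[key] != name:
                raise ValueError(f"{proto}/{port} claimed by {table[key]} and {name}")
            table[key] = name
    return table


def port_type(table, proto, port):
    """Port type covering proto/port, e.g. 'http_port_t', or None if unlabelled."""
    name = table.get((proto, port))
    return f"{name}_port_t" if name else None


def is_port_free(table, proto, port):
    """True when no network_port() declaration already claims proto/port."""
    return (proto, port) not in table


def bind_interface(table, proto, port):
    """Interface a module should call instead of name_bind on bare port_t.
    Assumes refpolicy's generated corenet_<proto>_bind_<name>_port naming."""
    name = table.get((proto, port))
    return f"corenet_{proto}_bind_{name}_port" if name else None
```

Run against the real corenetwork.te.in to check that a port you intend to declare is not already claimed before adding it to the base policy.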