package review?

Joshua Brindle jbrindle at tresys.com
Mon Jul 24 12:08:41 UTC 2006


Daniel J Walsh wrote:
> Wart wrote:
>> Paul Howarth wrote:
>>> Wart wrote:
>>>> Daniel J Walsh wrote:
>>>>> allow crossfire_t port_t:udp_socket send_msg;
>>>>> allow crossfire_t port_t:tcp_socket name_bind;
>>>>> You need to define a port for this socket and only allow name_bind to
>>>>> that port
>>>> I know I'm missing something obvious here, but which macro can I use to
>>>> add this restriction?  I saw references to http_port_t and ntp_port_t in
>>>> corenetwork.if, but didn't see anything that actually defined it to be
>>>> port 80 (http) or port 123 (ntp).
>>> policy/modules/kernel/corenetwork.te.in:
>>>
>>> ...
>>> network_port(ntp, udp,123,s0)
>>> ...
>>> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,
>>> tcp,8009,s0)
>>
>> Thanks.  This is just what I needed.
>>
>> I could have sworn that this syntax was working for me earlier today,
>> but now I keep getting syntax errors on FC5:
>>
>> + make -f /usr/share/selinux/devel/Makefile
>> cat: /selinux/mls: No such file or directory
>> Compiling targeted  crossfire module
>> crossfire.te:67:ERROR 'syntax error' at token 'network_port' on line 59707:
>> ## Networking basics (adjust to your needs!)
>> network_port(crossfire, tcp,13327,s0)
>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>> /usr/bin/checkmodule:  loading policy configuration from tmp/crossfire.tmp
>> make: *** [tmp/crossfire.mod] Error 1
>>
>> Is there something else that I need to include to be able to use
>> network_port()?
>>
> This seems to be a bug in Reference policy.  You are not allowed to
> define ports in loadable modules, at least that I can figure.
> I am in contact with upstream.  This is a serious bug.

Eh, this is a limitation in the compiler, and a very intentional one at 
that. Since port ordering is important we chose not to allow them in the 
module language since a different linking order could result in a 
different result.

Obviously refpolicy's solution to this is to include every port 
definition in corenetwork which is non-ideal in some ways but we also 
have semanage support for setting port contexts so I don't know that the 
module compiler should (or ever will) support this.
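The following is an added example and not code from anyone in this thread. It shows the pattern the reply above points at: keep the port number out of the loadable module entirely, declare a port type of the module's own, and attach the number afterwards with semanage. It assumes the corenet_port() interface of current reference policy (which gives the type the port_type attribute semanage requires; whether the FC5 policy discussed above already shipped it is not established by this thread), the `semanage port -a -t TYPE -p PROTO PORT` syntax, and a constructed excerpt in the format of corenetwork.te.in as sample input in place of the real file.

```shell
#!/bin/sh
# Added example, not code from the thread: give a loadable module its own
# port type without using network_port(), which checkmodule rejects.
# Assumptions: the corenet_port() interface from current reference policy,
# and labelling the port afterwards with semanage instead of compiling it in.

# Constructed excerpt in the format of corenetwork.te.in, used as sample
# input; it is not the real file.  Replace with the real contents (or parse
# `semanage port -l`) on a live system.
CORENET_SAMPLE='network_port(ntp, udp,123,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)'

# port_owner PROTO PORT: read network_port() lines on stdin and print the
# port type that already owns PROTO/PORT (e.g. http_port_t), or nothing if
# the port is unassigned and therefore still labelled port_t.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        /^network_port\(/ {
            line = $0
            sub(/^network_port\(/, "", line)
            sub(/\).*$/, "", line)
            n = split(line, f, /[ \t]*,[ \t]*/)
            # f[1] is the port name; then repeating (proto, port, mls) triples
            for (i = 2; i + 2 <= n; i += 3)
                if (f[i] == proto && f[i+1] == port) { print f[1] "_port_t"; exit }
        }'
}

# gen_module APP: print a .te fragment that declares APP_port_t and lets
# APP_t bind to it.  No network_port() and no port number appear here, so
# module link order cannot change the port ordering.
gen_module() {
    app=$1
    cat <<EOF
policy_module($app, 1.0)

type ${app}_t;
type ${app}_port_t;
corenet_port(${app}_port_t)

# bind only to our own port type, never to the generic port_t
allow ${app}_t ${app}_port_t:tcp_socket name_bind;
EOF
}

# label_cmd APP PROTO PORT: print the semanage command that attaches the
# port number to the type once the module is installed with semodule -i.
# Refuse when the port is already owned by a built-in type: semanage -a
# would reject it, and the fix is a different port or -m, not -a.
label_cmd() {
    app=$1; proto=$2; port=$3
    owner=$(printf '%s\n' "$CORENET_SAMPLE" | port_owner "$proto" "$port")
    if [ -n "$owner" ]; then
        echo "error: $proto/$port is already $owner in corenetwork" >&2
        return 1
    fi
    echo "semanage port -a -t ${app}_port_t -p $proto $port"
}

# Usage for the crossfire case from the thread (13327/tcp):
#   gen_module crossfire > crossfire.te
#   make -f /usr/share/selinux/devel/Makefile && semodule -i crossfire.pp
#   $(label_cmd crossfire tcp 13327)
```

The module compiles because the port number is never written into policy source; it lives in the semanage port store, which is exactly the split the reply above describes. `semanage port -l` afterwards should list 13327 under crossfire_port_t, and the original `name_bind` on `port_t` can then be dropped.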




More information about the fedora-selinux-list mailing list