package review?

Daniel J Walsh dwalsh at redhat.com
Tue Jul 25 12:40:35 UTC 2006 

Michael Thomas wrote:
> Daniel J Walsh wrote:
>   
>> Joshua Brindle wrote:
>>     
>>> Eh, this is a limitation in the compiler, and a very intentional one
>>> at that. Since port ordering is important we chose not to allow them
>>> in the module language since a different linking order could result in
>>> a different result.
>>>
>>> Obviously refpolicy's solution to this is to include every port
>>> definition in corenetwork which is non-ideal in some ways but we also
>>> have semanage support for setting port contexts so I don't know that
>>> the module compiler should (or ever will) support this.
>>>       
>> So the solution would be to add code like the following?
>>
>> gen_requires(`
>>       attribute port_type;
>> ')
>>     
>
> This gen_requires() generates a syntax error in my .te file.  I had to
> change it to a simple require():
>
> require {
>     type port_t;
>     attribute port_type;
> };
>
>
>   
Should be gen_require(). 
>   
>> type crossfire_port_t, port_type;
>>
>> allow crossfire_t crossfire_port_t:udp_socket send_msg;
>> allow crossfire_t crossfire_port_t:tcp_socket name_bind;
>>
>>
>>
>> And in your install after the policy load
>>
>> semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
>> semanage port -a -t crossfire_port_t -p udp MYPORTNUM
>>     
>
> I did this, but doesn't seem to fail when it ought to.  To test, I
> installed the package and then used semanage to change the port
> definition for crossfire_port_t:
>
> # semanage port -l | grep crossfire
> crossfire_port_t               tcp      13327
> # semanage port -d -t crossfire_port_t -p tcp 13327
> # semanage port -a -t crossfire_port_t -p tcp 13328
> # semanage port -l | grep crossfire
> crossfire_port_t               tcp      13328
>
> But when I start up the service, it is still able to bind to port 13327
> with no errors.  I can even telnet to that port with no problem.  I did
> verify that the service is running as user_u:system_r:crossfire_t.  I
> had expected to see an avc: denied error when the service attempted to
> bind to the port.  Is there some other step that I missed, or perhaps
> something else in my .te file that is giving it permission?
>
> The new policy and package files are available here:
>
> http://www.kobold.org/~wart/fedora/crossfire.te
> http://www.kobold.org/~wart/fedora/crossfire.if
> http://www.kobold.org/~wart/fedora/crossfire.fc
> http://www.kobold.org/~wart/fedora/crossfire.spec
> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-1.2.src.rpm
>
> --Mike
>

More information about the fedora-selinux-list mailing list