package review?
Daniel J Walsh
dwalsh at redhat.com
Tue Jul 25 12:40:35 UTC 2006
Michael Thomas wrote:
> Daniel J Walsh wrote:
>
>> Joshua Brindle wrote:
>>
>>> Eh, this is a limitation in the compiler, and a very intentional one
>>> at that. Since port ordering is important we chose not to allow them
>>> in the module language since a different linking order could result in
>>> a different result.
>>>
>>> Obviously refpolicy's solution to this is to include every port
>>> definition in corenetwork which is non-ideal in some ways but we also
>>> have semanage support for setting port contexts so I don't know that
>>> the module compiler should (or ever will) support this.
>>>
>> So the solution would be to add code like the following?
>>
>> gen_requires(`
>> attribute port_type;
>> ')
>>
>
> This gen_requires() generates a syntax error in my .te file. I had to
> change it to a simple require():
>
> require {
> type port_t;
> attribute port_type;
> };
>
>
>
Should be gen_require().
>
>> type crossfire_port_t, port_type;
>>
>> allow crossfire_t crossfire_port_t:udp_socket send_msg;
>> allow crossfire_t crossfire_port_t:tcp_socket name_bind;
>>
>>
>>
>> And in your install after the policy load
>>
>> semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
>> semanage port -a -t crossfire_port_t -p udp MYPORTNUM
>>
>
> I did this, but it doesn't seem to fail when it ought to. To test, I
> installed the package and then used semanage to change the port
> definition for crossfire_port_t:
>
> # semanage port -l | grep crossfire
> crossfire_port_t tcp 13327
> # semanage port -d -t crossfire_port_t -p tcp 13327
> # semanage port -a -t crossfire_port_t -p tcp 13328
> # semanage port -l | grep crossfire
> crossfire_port_t tcp 13328
>
> But when I start up the service, it is still able to bind to port 13327
> with no errors. I can even telnet to that port with no problem. I did
> verify that the service is running as user_u:system_r:crossfire_t. I
> had expected to see an avc: denied error when the service attempted to
> bind to the port. Is there some other step that I missed, or perhaps
> something else in my .te file that is giving it permission?
>
> The new policy and package files are available here:
>
> http://www.kobold.org/~wart/fedora/crossfire.te
> http://www.kobold.org/~wart/fedora/crossfire.if
> http://www.kobold.org/~wart/fedora/crossfire.fc
> http://www.kobold.org/~wart/fedora/crossfire.spec
> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-1.2.src.rpm
>
> --Mike
>
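An added example, not from the thread or the crossfire package, of the post-install sanity check Mike's `semanage port -l | grep crossfire` session does by hand: it parses `semanage port -l` output and reports which type actually labels a given port, so that after a relabel you can see the old port falling back to a broader type. It assumes that the narrowest matching definition takes precedence over the catch-all unreserved ranges; the listing below is constructed, and only its crossfire row comes from the thread.

```python
import re

# Constructed sample of `semanage port -l` output. Only the crossfire row
# mirrors the thread; the other rows are illustrative (a multi-port type and
# the catch-all unreserved ranges that refpolicy's corenetwork defines).
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

crossfire_port_t               tcp      13327
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""

_ROW = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.+)$")

def parse_port_listing(text):
    """Return [(setype, proto, low, high), ...] in listing order."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # header, blank line, or a row format we don't know
        setype, proto, ports = m.groups()
        for item in ports.split(","):  # "80, 81, 443" or "1024-65535"
            lo, _, hi = item.strip().partition("-")
            entries.append((setype, proto, int(lo), int(hi or lo)))
    return entries

def effective_type(entries, proto, port):
    """Type labelling port/proto. Assumption: the narrowest covering definition
    wins, so a specific port overrides an unreserved range. None if unlabeled."""
    covering = [e for e in entries if e[1] == proto and e[2] <= port <= e[3]]
    if not covering:
        return None
    return min(covering, key=lambda e: e[3] - e[2])[0]

def check_port_label(entries, proto, port, expected):
    """One-line verdict a packager can run after `semanage port -a`."""
    actual = effective_type(entries, proto, port)
    if actual == expected:
        return "ok: %d/%s is %s" % (port, proto, expected)
    return "MISMATCH: %d/%s is %s, expected %s" % (port, proto, actual, expected)

if __name__ == "__main__":
    entries = parse_port_listing(SAMPLE_LISTING)
    for port in (13327, 13328):  # the thread's old and new port numbers
        print(check_port_label(entries, "tcp", port, "crossfire_port_t"))
```

On a live host, feed the real `semanage port -l` output to `parse_port_listing` in place of the sample; a port that reports a generic type such as `unreserved_port_t` is the first place to look when a domain can still bind where the dedicated port type no longer applies.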