package review?

Paul Howarth paul at city-fan.org
Wed Jul 26 16:04:27 UTC 2006


Michael Thomas wrote:
> Paul Howarth wrote:
>> On Mon, 2006-07-24 at 17:01 -0700, Michael Thomas wrote:
>>
>>> Daniel J Walsh wrote:
>>>> And in your install after the policy load
>>>>
>>>> semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
>>>> semanage port -a -t crossfire_port_t -p udp MYPORTNUM
>>> I did this, but it doesn't seem to fail when it ought to.  To test, I
>>> installed the package and then used semanage to change the port
>>> definition for crossfire_port_t:
>>>
>>> # semanage port -l | grep crossfire
>>> crossfire_port_t               tcp      13327
>>> # semanage port -d -t crossfire_port_t -p tcp 13327
>>> # semanage port -a -t crossfire_port_t -p tcp 13328
>>> # semanage port -l | grep crossfire
>>> crossfire_port_t               tcp      13328
>>>
>>> But when I start up the service, it is still able to bind to port 13327
>>> with no errors.  I can even telnet to that port with no problem.  I did
>>> verify that the service is running as user_u:system_r:crossfire_t.  I
>>> had expected to see an avc: denied error when the service attempted to
>>> bind to the port.  Is there some other step that I missed, or perhaps
>>> something else in my .te file that is giving it permission?
>>
>> corenet_tcp_bind_all_ports(crossfire_t)
>> corenet_tcp_sendrecv_all_ports(crossfire_t)
> 
> I removed corenet_tcp_bind_all_ports(), and that seems to have fixed it.
>  But I had to leave corenet_tcp_sendrecv_all_ports, otherwise I would
> get avc: denied messages when data was read/written to the socket.
> 
> I also tried replacing corenet_tcp_sendrecv_all_ports() with:
> 
> allow crossfire_t crossfire_port_t:tcp_socket { name_bind send_msg
> recv_msg};
> 
> ...but it still avc:denied reads/writes.  However, if I designated the
> _client_ ports as crossfire_port_t using semanage, the reads/writes
> worked.  It appears to me, as odd as it might seem, that the send/recv
> port settings apply to the remote host ports, not the local server's
> ports.  Can this be right?

The use of corenet_tcp_sendrecv_all_ports is widespread in the reference 
policy, with only a few examples of anything more specific, such as:

corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)

So you're probably OK with corenet_tcp_sendrecv_all_ports(crossfire_t).

Paul.
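The outcome of the thread, written out as a minimal refpolicy-style module. This is an added illustration, not the crossfire package's own policy and not code posted by anyone in the thread; the domain and port type names follow the thread, while the interface and permission-set names (init_daemon_domain, corenet_port, corenet_tcp_bind_all_nodes, corenet_tcp_sendrecv_generic_if, corenet_tcp_sendrecv_all_nodes, create_stream_socket_perms) are reference-policy names assumed to be available in the policy version being built against.

```selinux
# Added illustration (not from the thread or the crossfire package).
# Confines the daemon to binding only its own labelled port instead of
# every port, while keeping the broad sendrecv interface the thread settled on.
policy_module(crossfire, 0.1.0)

########################################
#
# Declarations
#

type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)

# The port type the daemon may listen on. No port number lives in the policy;
# it is attached after the module is loaded with
#   semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
type crossfire_port_t;
corenet_port(crossfire_port_t)

########################################
#
# Local policy
#

# Listening: name_bind is checked against the type of the *local* port, so
# this rule (in place of corenet_tcp_bind_all_ports) is what makes a bind to
# an unlabelled port fail with an avc: denied. Binding also needs a node.
allow crossfire_t self:tcp_socket create_stream_socket_perms;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;
corenet_tcp_bind_all_nodes(crossfire_t)

# Traffic: as observed in the thread, send_msg/recv_msg on port types apply to
# the remote end's port, and clients arrive from arbitrary ephemeral ports, so
# the interface, node and port sendrecv rules stay broad.
corenet_tcp_sendrecv_generic_if(crossfire_t)
corenet_tcp_sendrecv_all_nodes(crossfire_t)
corenet_tcp_sendrecv_all_ports(crossfire_t)
```

After building and loading the module, label the port with the semanage commands from the thread, start the service, and look for denials with `ausearch -m avc`. Repeating the experiment in the thread (deleting the port label and adding it under a different number) should now produce a name_bind denial on crossfire_port_t when the daemon starts, which is the check that was missing while corenet_tcp_bind_all_ports was in the module.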