TCP server howto
Jan Kasprzak
kas at fi.muni.cz
Fri Feb 27 23:02:25 UTC 2009
Hello,
what is a recommended way of allowing a domain to act as a generic TCP
server. I.e. to create a stream socket, bind(2) it to a single defined
port with INADDR_ANY, listen(2) on it, accept(2) connections on it,
and communicate (read/write/send*/recv*) on it.
So far I am using audit2allow, and it has led me to the following
setup (actual reading/writing not verified yet, more rules would probably
be needed):
allow $1 hi_reserved_port_t:tcp_socket name_bind;
allow $1 inaddr_any_node_t:tcp_socket node_bind;
allow $1 self:capability net_bind_service;
However, I guess hi_reserver_port_t is not a _single_ port. I have
seen the network_port() macro in corenetwork.if, but using
network_port($1, tcp,654,s0);
gives a syntax error.
Is there any high-level macro for setting up a single port and allowing
it to be bound, listened, read and written?
[ my system is Fedora 10 with the targeted policy ]
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
More information about the fedora-selinux-list
mailing list