TCP server howto

Dominick Grift domg472 at gmail.com
Sat Feb 28 10:46:38 UTC 2009


On Sat, 2009-02-28 at 00:02 +0100, Jan Kasprzak wrote:
> 	Hello,
> 
> what is a recommended way of allowing a domain to act as a generic TCP
> server. I.e. to create a stream socket, bind(2) it to a single defined
> port with INADDR_ANY, listen(2) on it, accept(2) connections on it,
> and communicate (read/write/send*/recv*) on it.
> 
> 	So far I am using audit2allow, and it has led me to the following
> setup (actual reading/writing not verified yet, more rules would probably
> be needed):
> 
> allow $1 hi_reserved_port_t:tcp_socket name_bind;
> allow $1 inaddr_any_node_t:tcp_socket node_bind;
> allow $1 self:capability net_bind_service;
> 
> However, I guess hi_reserved_port_t is not a _single_ port. I have
> seen the network_port() macro in corenetwork.if, but using
> 
> network_port($1, tcp,654,s0);
> 
> gives a syntax error.
> 
> Is there any high-level macro for setting up a single port and allowing
> it to be bound, listened, read and written?
> 
> [ my system is Fedora 10 with the targeted policy ]
> 
> 	Thanks,
> 
> -Yenya
> 

I think corenet_reserved_port() is what you are looking for.

Something like this:

# Declarations

# A private port type for the single port the server listens on.
# corenet_reserved_port() marks it as a reserved (< 1024) port type;
# for an unprivileged port (>= 1024) use corenet_port() instead.
type my_port_t;
corenet_reserved_port(my_port_t)

# Policy

# $1 is the server domain (the domain argument when this is an interface).
# Create the listening socket, listen(2) and accept(2) on it.
allow $1 self:tcp_socket create_stream_socket_perms;
# Needed to bind a port below 1024.
allow $1 self:capability net_bind_service;

# Receive unlabeled and NetLabel-labeled packets, send/receive over the
# generic interface and node, and bind to INADDR_ANY (the generic node).
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_tcp_bind_generic_node($1)

# Bind only to the port(s) labeled my_port_t.
allow $1 my_port_t:tcp_socket name_bind;

#EOF

# After the module is loaded, label the chosen port number with the new type:
sudo semanage port -a -t my_port_t -p tcp 40

hth, Dominick
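The reply's snippet written out as a complete, loadable policy module, as an added example that is not part of the original message or of the reference policy: the domain name myserver_t, its executable type myserver_exec_t, the port type myserver_port_t and the port number 654 (the one from the question) are assumed names. It uses only interfaces that exist in the reference policy (corenet_reserved_port, corenet_tcp_bind_generic_node, the corenet_*recvfrom/sendrecv interfaces and init_daemon_domain) and narrows send/receive to the server's own port type instead of granting all ports.

```selinux
# myserver.te -- added example, not code from the original reply.
# Assumed names: myserver_t / myserver_exec_t (server domain and its
# executable), myserver_port_t (the port type), TCP port 654.
policy_module(myserver, 1.0.0)

########################################
#
# Declarations
#

type myserver_t;
type myserver_exec_t;
# Daemon domain entered from myserver_exec_t when started by init.
init_daemon_domain(myserver_t, myserver_exec_t)

# One private port type. corenet_reserved_port() because 654 < 1024;
# for a port >= 1024 use corenet_port() and drop net_bind_service below.
type myserver_port_t;
corenet_reserved_port(myserver_port_t)

########################################
#
# Local policy
#

# socket(2), listen(2), accept(2), read/write on the domain's own sockets.
allow myserver_t self:tcp_socket create_stream_socket_perms;

# bind(2) to a port number below 1024.
allow myserver_t self:capability net_bind_service;

# Packets from unlabeled peers and from NetLabel-labeled peers, traffic on
# the generic interface and node; node_bind on the generic node is what
# INADDR_ANY needs.
corenet_all_recvfrom_unlabeled(myserver_t)
corenet_all_recvfrom_netlabel(myserver_t)
corenet_tcp_sendrecv_generic_if(myserver_t)
corenet_tcp_sendrecv_generic_node(myserver_t)
corenet_tcp_bind_generic_node(myserver_t)

# Only a port labeled myserver_port_t may be bound. No other port type gets
# name_bind, so a listener misconfigured onto another port is denied and
# logged rather than silently allowed.
allow myserver_t myserver_port_t:tcp_socket name_bind;

# Send/receive limited to the server's own port type; the reply's
# corenet_tcp_sendrecv_all_ports() is the broader alternative.
allow myserver_t myserver_port_t:tcp_socket { send_msg recv_msg };
```

Build and load it with the policy development Makefile, then label the port; the module must be loaded first, because semanage refuses a port type the loaded policy does not know: `make -f /usr/share/selinux/devel/Makefile myserver.pp`, `semodule -i myserver.pp`, `semanage port -a -t myserver_port_t -p tcp 654`. If `semanage port -l` already lists 654 under another type, use `semanage port -m` to relabel it instead of `-a`. Check the result with `semanage port -l | grep myserver_port_t` and `sesearch --allow -s myserver_t -t myserver_port_t -c tcp_socket`, and label the daemon binary with a file context for myserver_exec_t so it actually runs in myserver_t. The network_port() macro from the question is used when the base corenetwork module itself is generated and is not available inside a loadable module, which is why it produces a syntax error there.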




More information about the fedora-selinux-list mailing list