TCP server howto
Dominick Grift
domg472 at gmail.com
Sat Feb 28 10:46:38 UTC 2009
On Sat, 2009-02-28 at 00:02 +0100, Jan Kasprzak wrote:
> Hello,
>
> what is a recommended way of allowing a domain to act as a generic TCP
> server. I.e. to create a stream socket, bind(2) it to a single defined
> port with INADDR_ANY, listen(2) on it, accept(2) connections on it,
> and communicate (read/write/send*/recv*) on it.
>
> So far I am using audit2allow, and it has led me to the following
> setup (actual reading/writing not verified yet, more rules would probably
> be needed):
>
> allow $1 hi_reserved_port_t:tcp_socket name_bind;
> allow $1 inaddr_any_node_t:tcp_socket node_bind;
> allow $1 self:capability net_bind_service;
>
> However, I guess hi_reserver_port_t is not a _single_ port. I have
> seen the network_port() macro in corenetwork.if, but using
>
> network_port($1, tcp,654,s0);
>
> gives a syntax error.
>
> Is there any high-level macro for setting up a single port and allowing
> it to be bound, listened, read and written?
>
> [ my system is Fedora 10 with the targeted policy ]
>
> Thanks,
>
> -Yenya
>
I think corenet_reserved_port() is what you are looking for.
something like this:
# Declarations
type my_port_t;
corenet_reserved_port(my_port_t)
# Policy
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_tcp_bind_generic_node($1)
allow $1 my_port_t:tcp_socket name_bind;
#EOF
sudo semanage port -a -t my_port_t -p tcp 40
hth , Dominick
More information about the fedora-selinux-list
mailing list