Questions about network_macros [ was: Re: more ptal_t (strict) ]

Ivan Gyurdiev ivg2 at
Sun May 29 20:26:20 UTC 2005

> +can_network_tcp(ptal_t, self)

Can someone clarify how networking rules are supposed to work.

1) There is poor documentation on all network macros - they all
take 2 or 3 arguments, and only one is documented.

2) There are optional socket type and port type arguments. Looking at policy,
those don't seem to be used very often. Is that a bad thing?

3) Then there's name_connect and name_bind.
Why are those not incorporated in any network macros,
when at the same time you have the ability to specify a port type
in base_can_network?

Basically I've been writing:

allow domain specific_port:tcp_socket/udp_socket name_connect;

allow domain specific_port:tcp_socket/udp_socket name_bind;

Now this seems wrong - what are the proper rules?
It seems to me that name_bind and name_connect should be integrated
w/ network_macros, and I should specify a port/socket_type on network
macros that I invoke.

Then there wouldn't be a need for special purpose name_connect macros
like can_resolve, can_ldap...

can_network_client_tcp($1, `ldap_port_t')
allow $1 ldap_port_t:tcp_socket name_connect;

Why does slapd.te have to be present to name_connect to an ldap port?
This seems wrong... I need to connect to ldap from evolution.
The ldap port is not defined in slapd.te.

> +allow ptal_t port_t:tcp_socket name_bind;
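Review bot: port_t is the generic type carried by every port that has no more specific port type, so `allow ptal_t port_t:tcp_socket name_bind;` lets ptal_t bind to any of those ports rather than the one it actually serves on; declare a dedicated port type for ptal's listening port, label that port with it, and grant name_bind on that type only.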

This lets it bind to any port... why not a specific one?

Ivan Gyurdiev <ivg2 at>
Cornell University
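The pattern the question is asking for, as an added policy example that is not from this thread or from the Fedora policy: a dedicated port type for the ptal daemon so that name_bind and name_connect are granted per port rather than on the generic port_t. The type name ptal_port_t, the macro name can_ptal_client and the port number placeholder are assumptions.

```selinux
# Added example, not policy from the thread. Names and port are assumed.

# types/port.te: a specific port type for ptal's listening port.
type ptal_port_t, port_type;

# net_contexts: label the actual port with it. Replace PTAL_PORT with the
# daemon's real listening port; until then this line is a placeholder.
portcon tcp PTAL_PORT system_u:object_r:ptal_port_t

# ptal.te: socket permissions come from the existing network macro call
# (can_network_tcp(ptal_t)); binding is restricted to ptal's own port type,
# so the daemon cannot bind any other port_t-labelled port.
allow ptal_t ptal_port_t:tcp_socket name_bind;

# A client-side macro in the style of can_ldap, usable from any .te file
# without that file having to define the port itself.
define(`can_ptal_client', `
can_network_client_tcp($1, `ptal_port_t')
allow $1 ptal_port_t:tcp_socket name_connect;
')
```

A client domain then just invokes can_ptal_client(some_domain_t), and the port type lives in the port declarations rather than in the daemon's own .te file.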
