package review?

Daniel J Walsh dwalsh at redhat.com
Mon Jul 24 14:37:48 UTC 2006


Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Wart wrote:
>>> Paul Howarth wrote:
>>>  
>>>> Wart wrote:
>>>>
>>>>   
>>>>> Daniel J Walsh wrote:
>>>>>
>>>>>     
>>>>>> allow crossfire_t port_t:udp_socket send_msg;
>>>>>> allow crossfire_t port_t:tcp_socket name_bind;
>>>>>> You need to define a port for this socket and only allow 
>>>>>> name_bind to
>>>>>> that port
>>>>>>         
>>>>> I know I'm missing something obvious here, but which macro can I 
>>>>> use to
>>>>> add this restriction?  I saw references to http_port_t and 
>>>>> ntp_port_t in
>>>>> corenetwork.if, but didn't see anything that actually defined it 
>>>>> to be
>>>>> port 80 (http) or port 123 (ntp).
>>>>>       
>>>> policy/modules/kernel/corenetwork.te.in:
>>>>
>>>> ...
>>>> network_port(ntp, udp,123,s0)
>>>> ...
>>>> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,
>>>> tcp,8009,s0)
>>>>     
>>>
>>> Thanks.  This is just what I needed.
>>>
>>> I could have sworn that this syntax was working for me earlier today,
>>> but now I keep getting syntax errors on FC5:
>>>
>>> + make -f /usr/share/selinux/devel/Makefile
>>> cat: /selinux/mls: No such file or directory
>>> Compiling targeted  crossfire module
>>> crossfire.te:67:ERROR 'syntax error' at token 'network_port' on line 
>>> 59707:
>>> ## Networking basics (adjust to your needs!)
>>> network_port(crossfire, tcp,13327,s0)
>>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>>> /usr/bin/checkmodule:  loading policy configuration from 
>>> tmp/crossfire.tmp
>>> make: *** [tmp/crossfire.mod] Error 1
>>>
>>> Is there something else that I need to include to be able to use
>>> network_port()?
>>>
>>>   
>> This seems to be a bug in Reference policy.  You are not allowed to 
>> define ports in loadable modules, at least that I can figure.
>> I am in contact with upstream.  This is a serious bug.
>
> Eh, this is a limitation in the compiler, and a very intentional one 
> at that. Since port ordering is important we chose not to allow them 
> in the module language since a different linking order could result in 
> a different result.
>
> Obviously refpolicy's solution to this is to include every port 
> definition in corenetwork which is non-ideal in some ways but we also 
> have semanage support for setting port contexts so I don't know that 
> the module compiler should (or ever will) support this.
So the solution would be to add code like the following?

gen_requires(`
       attribute port_type;
')

# Declare the port type in the module; the port number is not assigned
# here (network_port() cannot be used in a loadable module).
type crossfire_port_t, port_type;

allow crossfire_t crossfire_port_t:udp_socket send_msg;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;



And in your install after the policy load

semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
semanage port -a -t crossfire_port_t -p udp MYPORTNUM
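An added example, not from the thread, in the shell the semanage step is typed into: before running the two `semanage port -a` lines above, check `semanage port -l` for an existing exact entry, because `-a` refuses a port/proto that is already defined and `-m` is needed instead. The listing is a constructed sample; `crossfire_port_t` and port 13327 are taken from the thread, and the add/modify behaviour assumed is that of policycoreutils' semanage.

```shell
#!/bin/sh
# Pick the right semanage verb before labelling a port, by reading
# `semanage port -l` output from stdin. `semanage port -a` fails when
# PORT/PROTO already has an exact entry (use -m then); a port that is only
# covered by a range such as 1024-65535 is not "defined" in that sense.
# Constructed sample listing; on a real host use: semanage port -l
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
ftp_data_port_t                tcp      20
http_port_t                    tcp      80, 443, 488, 8008, 8009
ntp_port_t                     udp      123
unreserved_port_t              tcp      1024-65535'

# selinux_port_type PORT PROTO: print the type of the exact PORT/PROTO
# entry in the listing on stdin, or nothing if no single-port entry matches.
selinux_port_type() {
    awk -v port="$1" -v proto="$2" '
        NR == 1 || $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)          # "80," -> "80"
                if ($i ~ /-/) continue     # ranges do not block semanage -a
                if ($i == port) { print $1; exit }
            }
        }'
}

# port_action PORT PROTO WANTED_TYPE: print add | modify | noop
port_action() {
    current=$(selinux_port_type "$1" "$2")
    if [ -z "$current" ]; then
        echo add        # semanage port -a -t WANTED_TYPE -p PROTO PORT
    elif [ "$current" = "$3" ]; then
        echo noop       # already labelled with WANTED_TYPE
    else
        echo modify     # semanage port -m -t WANTED_TYPE -p PROTO PORT
    fi
}

# Stand-alone demo against the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | port_action 13327 tcp crossfire_port_t   # add
printf '%s\n' "$SAMPLE_LISTING" | port_action 123 udp crossfire_port_t     # modify
```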
