package review?

Tue Jul 25 00:01:33 UTC 2006

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Eh, this is a limitation in the compiler, and a very intentional one
>> at that. Since port ordering is important we chose not to allow them
>> in the module language since a different linking order could result in
>> a different result.
>>
>> Obviously refpolicy's solution to this is to include every port
>> definition in corenetwork which is non-ideal in some ways but we also
>> have semanage support for setting port contexts so I don't know that
>> the module compiler should (or ever will) support this.
> 
> So the solution would be to add code like the following?
> 
> gen_requires(`
>       attribute port_type;
> ')

This gen_requires() generates a syntax error in my .te file.  I had to
change it to a simple require():

require {
    type port_t;
    attribute port_type;
};

> type crossfire_port_t, port_type;
> 
> allow crossfire_t crossfire_port_t:udp_socket send_msg;
> allow crossfire_t crossfire_port_t:tcp_socket name_bind;
> 
> 
> 
> And in your install after the policy load
> 
> semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
> semanage port -a -t crossfire_port_t -p udp MYPORTNUM

I did this, but doesn't seem to fail when it ought to.  To test, I
installed the package and then used semanage to change the port
definition for crossfire_port_t:

# semanage port -l | grep crossfire
crossfire_port_t               tcp      13327
# semanage port -d -t crossfire_port_t -p tcp 13327
# semanage port -a -t crossfire_port_t -p tcp 13328
# semanage port -l | grep crossfire
crossfire_port_t               tcp      13328

But when I start up the service, it is still able to bind to port 13327
with no errors.  I can even telnet to that port with no problem.  I did
verify that the service is running as user_u:system_r:crossfire_t.  I
had expected to see an avc: denied error when the service attempted to
bind to the port.  Is there some other step that I missed, or perhaps
something else in my .te file that is giving it permission?

The new policy and package files are available here:

http://www.kobold.org/~wart/fedora/crossfire.te
http://www.kobold.org/~wart/fedora/crossfire.if
http://www.kobold.org/~wart/fedora/crossfire.fc
http://www.kobold.org/~wart/fedora/crossfire.spec
http://www.kobold.org/~wart/fedora/crossfire-1.9.1-1.2.src.rpm

--Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3820 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060724/17dfa37d/attachment.bin>