package review?

Michael Thomas wart at kobold.org
Tue Jul 25 21:24:28 UTC 2006


Paul Howarth wrote:
> On Mon, 2006-07-24 at 17:01 -0700, Michael Thomas wrote:
> 
>>Daniel J Walsh wrote:
>>>And in your install after the policy load
>>>
>>>semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
>>>semanage port -a -t crossfire_port_t -p udp MYPORTNUM
>>
>>I did this, but it doesn't seem to fail when it ought to.  To test, I
>>installed the package and then used semanage to change the port
>>definition for crossfire_port_t:
>>
>># semanage port -l | grep crossfire
>>crossfire_port_t               tcp      13327
>># semanage port -d -t crossfire_port_t -p tcp 13327
>># semanage port -a -t crossfire_port_t -p tcp 13328
>># semanage port -l | grep crossfire
>>crossfire_port_t               tcp      13328
>>
>>But when I start up the service, it is still able to bind to port 13327
>>with no errors.  I can even telnet to that port with no problem.  I did
>>verify that the service is running as user_u:system_r:crossfire_t.  I
>>had expected to see an avc: denied error when the service attempted to
>>bind to the port.  Is there some other step that I missed, or perhaps
>>something else in my .te file that is giving it permission?
> 
> 
> corenet_tcp_bind_all_ports(crossfire_t)
> corenet_tcp_sendrecv_all_ports(crossfire_t)

I removed corenet_tcp_bind_all_ports(), and that seems to have fixed it.
But I had to leave corenet_tcp_sendrecv_all_ports, otherwise I would
get avc: denied messages when data was read/written to the socket.

I also tried replacing corenet_tcp_sendrecv_all_ports() with:

allow crossfire_t crossfire_port_t:tcp_socket { name_bind send_msg recv_msg };

...but it still avc:denied reads/writes.  However, if I designated the
_client_ ports as crossfire_port_t using semanage, the reads/writes
worked.  It appears to me, as odd as it might seem, that the send/recv
port settings apply to the remote host ports, not the local server's
ports.  Can this be right?

--Mike
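The outcome of the thread, written out as a complete policy module fragment. This is an added example, not code from the message above or from the crossfire package; it assumes the refpolicy interface names of the period (policy_module, init_daemon_domain, corenet_port, corenet_tcp_bind_generic_node, corenet_tcp_sendrecv_generic_if/node, create_stream_socket_perms) and the crossfire_t, crossfire_exec_t and crossfire_port_t type names used in the thread. The point it demonstrates is that the semanage port label only constrains bind once the domain is granted name_bind on crossfire_port_t specifically, rather than on every port type.

```selinux
policy_module(crossfire, 1.0.0)

# Domain for the daemon and its entry-point executable (type names assumed).
type crossfire_t;
type crossfire_exec_t;
init_daemon_domain(crossfire_t, crossfire_exec_t)

# Port type that the administrator assigns to the listening port with
#   semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
type crossfire_port_t;
corenet_port(crossfire_port_t)

allow crossfire_t self:tcp_socket create_stream_socket_perms;

corenet_tcp_sendrecv_generic_if(crossfire_t)
corenet_tcp_sendrecv_generic_node(crossfire_t)
corenet_tcp_bind_generic_node(crossfire_t)

# Bind only to ports carrying crossfire_port_t.  With
# corenet_tcp_bind_all_ports(crossfire_t) in place instead, the daemon can
# bind anywhere and relabelling the port with semanage never produces a
# denial, which is exactly the non-failure seen in the thread.
allow crossfire_t crossfire_port_t:tcp_socket name_bind;

# As the thread observed, the send_msg/recv_msg checks on an established
# connection end up against the client's port type, and clients connect
# from arbitrary ephemeral ports, so this stays broad.  It grants no
# additional bind permission, so the port label above still holds.
corenet_tcp_sendrecv_all_ports(crossfire_t)
```

After building and loading the module with semodule, repeat the test from the message: move the label to another port with semanage port -d / semanage port -a and the bind to the old port should now show up as an avc: denied on name_bind in the audit log.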
More information about the fedora-selinux-list mailing list