How to allow vsftpd to listen on other ports?

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 10 14:35:52 UTC 2006


On Thu, 2006-03-09 at 23:44 +0100, Dawid Gajownik wrote:
> I did not know that. I thought that policy blocks binding to any port 
> except ftp_port_t. (Yes, I did not read domains/program/ftpd.te :P )
> 
> Hmmm... would you be willing to explain to me why ftpd is allowed to bind 
> to port_t? If it's done on purpose, why are ports 1-1023 so important 
> that they cannot be used without policy modification?

It has been a while since I've looked at the specifics of that policy,
but I suspect that ftpd wants to bind to arbitrary unreserved ports for
data connections.  Whereas you'd like to keep the reserved port space
clean so that e.g. ftpd doesn't masquerade as some other well-known
service.  OTOH, if we are now keeping all well-defined port types
defined in the base policy regardless of the set of policy modules
included (which wasn't originally the case), then we might not need to
concern ourselves with the reserved_port_t fallback.  cc'd some other
folks who may have an opinion.

-- 
Stephen Smalley
National Security Agency
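As an added illustration of the mechanism discussed above (my own example, not code from the thread, from vsftpd or from any SELinux policy), a small Python model of how a port gets its SELinux type and whether ftpd_t may bind there. The sample listing, the set of types ftpd_t may bind to, and the 1-1023 fallback to reserved_port_t are assumptions taken from the discussion, not from a real policy.

```python
import re

# Constructed sample in the style of `semanage port -l` output
# (assumption: a tiny subset, not a real listing).
SAMPLE_PORT_LISTING = """\
ftp_port_t                     tcp      21
http_port_t                    tcp      80
ssh_port_t                     tcp      22
"""

# Port types ftpd_t may name_bind to, as described in the thread: the
# explicit ftp_port_t plus the generic port_t fallback, not reserved_port_t.
FTPD_BIND_ALLOWED = {"ftp_port_t", "port_t"}


def parse_port_listing(text):
    """Return a list of (proto, low, high, type) from semanage-style lines."""
    labels = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(tcp|udp)\s+(.+)", line)
        if not m:
            continue
        ptype, proto, ranges = m.groups()
        for item in ranges.split(","):
            lo, _, hi = item.strip().partition("-")
            labels.append((proto, int(lo), int(hi or lo), ptype))
    return labels


def port_type(proto, port, labels):
    """Type that a bind() to this port is checked against."""
    for p, lo, hi, ptype in labels:
        if p == proto and lo <= port <= hi:
            return ptype
    # Unlabelled ports fall back to a generic type: the reserved range
    # 1-1023 becomes reserved_port_t, everything above it port_t.
    return "reserved_port_t" if 1 <= port <= 1023 else "port_t"


def ftpd_may_bind(proto, port, labels):
    return port_type(proto, port, labels) in FTPD_BIND_ALLOWED


def label_port(labels, proto, port, ptype):
    """Model of `semanage port -a -t <type> -p <proto> <port>`: the new,
    specific label is consulted before the generic fallback."""
    return [(proto, port, port, ptype)] + labels


if __name__ == "__main__":
    labels = parse_port_listing(SAMPLE_PORT_LISTING)
    for port in (21, 80, 990, 2121):
        print(port, port_type("tcp", port, labels), ftpd_may_bind("tcp", port, labels))
    # Labelling 990 as ftp_port_t is the "policy modification" the thread means.
    print(990, ftpd_may_bind("tcp", 990, label_port(labels, "tcp", 990, "ftp_port_t")))
```

Port 2121 is reachable without any change because it falls back to port_t, while 990 sits in the reserved range and is denied until it is explicitly labelled.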
