TCP server howto
Jan Kasprzak
kas at fi.muni.cz
Mon Mar 2 15:34:48 UTC 2009
Dominick Grift wrote:
: I think corenet_reserved_port() is what you are looking for.
:
Thanks for the hint. It is _almost_ exactly as you wrote,
except:
: # Declarations
:
: type my_port_t;
: corenet_reserved_port(my_port_t)
:
: # Policy
:
: corenet_all_recvfrom_unlabeled($1)
: corenet_all_recvfrom_netlabel($1)
: corenet_tcp_sendrecv_generic_if($1)
: corenet_tcp_sendrecv_generic_node($1)
: corenet_tcp_sendrecv_all_ports($1)
- corenet_tcp_bind_generic_node($1)
+ corenet_tcp_bind_inadrr_any_node($1)
: allow $1 my_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+ allow $1 self:tcp_socket create_stream_socket_perms;
: #EOF
:
: sudo semanage port -a -t my_port_t -p tcp 40
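Review bot: the added line `corenet_tcp_bind_inadrr_any_node($1)` looks misspelled; the refpolicy interface is `corenet_tcp_bind_inaddr_any_node`, so the module as written will fail at build time on the unknown macro. The other two additions are consistent with the port used: binding a reserved port (40 is below 1024) needs the `net_bind_service` capability, and `create_stream_socket_perms` covers creating, listening on and accepting from the socket.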
I would however like to have a really high-level macro (or two)
to do the above - I guess this is what many users would like to do
- saying "this context belongs to my port", and "this domain can run
a TCP server on this port", similar to the way the files_pid_file()
and files_pid_filetrans() macros allow for the
"I want to have my own PID file in /var/run" case.
Would it be acceptable to submit this as a patch for inclusion
in the upstream policy?
I would like to have other things included upstream as well - for
example, now I have policy bits for Perl: file contexts for
/usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
"this domain can run Perl scripts".
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
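The two high-level macros proposed in the message above, sketched as an added example (not code from the thread, and not interfaces that exist in refpolicy): `myserver_port()` says "this type is my port" and `myserver_tcp_server()` says "this domain can run a TCP server on that port". The interface and type names are hypothetical; the rules inside are the ones quoted in the thread, with the bind interface spelled as refpolicy defines it (`corenet_tcp_bind_inaddr_any_node`). `init_daemon_domain()` is the standard refpolicy way to declare a daemon domain and is assumed to be available.

```m4
## myserver.if -- hypothetical interfaces (added example, not part of refpolicy)

########################################
## <summary>
##	Declare a type as a port type that a TCP server domain may bind to.
##	Uses corenet_reserved_port(), so it is meant for ports below 1024,
##	which is the case in the thread (port 40).
## </summary>
## <param name="type">
##	<summary>Port type to declare.</summary>
## </param>
#
interface(`myserver_port',`
	corenet_reserved_port($1)
')

########################################
## <summary>
##	Allow a domain to run a TCP server on the given port type:
##	create a listening socket, bind it to INADDR_ANY on that port,
##	and exchange packets on generic interfaces and nodes.
## </summary>
## <param name="domain">
##	<summary>Domain of the server process.</summary>
## </param>
## <param name="port_type">
##	<summary>Port type declared with myserver_port().</summary>
## </param>
#
interface(`myserver_tcp_server',`
	# needed for name_bind on a reserved (< 1024) port
	allow $1 self:capability net_bind_service;
	allow $1 self:tcp_socket create_stream_socket_perms;

	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_tcp_bind_inaddr_any_node($1)

	allow $1 $2:tcp_socket name_bind;
')

## myserver.te -- hypothetical module using the interfaces above

policy_module(myserver, 1.0.0)

########################################
# Declarations

type myserver_t;
type myserver_exec_t;
init_daemon_domain(myserver_t, myserver_exec_t)

type myserver_port_t;
myserver_port(myserver_port_t)

########################################
# Policy

# "this domain can run a TCP server on this port"
myserver_tcp_server(myserver_t, myserver_port_t)

# After loading the module, label the port number (as in the thread):
#   semanage port -a -t myserver_port_t -p tcp 40
```

The port number itself stays out of the policy and is attached at install time with `semanage port`, so the same module works for a different port by changing only that command.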