Re: package review?

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Michael Thomas wrote:
> Daniel J Walsh wrote:
>   
> > Joshua Brindle wrote:
> >     
> > > Eh, this is a limitation in the compiler, and a very intentional one
> > > at that. Since port ordering is important we chose not to allow them
> > > in the module language since a different linking order could result in
> > > a different result.
> > >
> > > Obviously refpolicy's solution to this is to include every port
> > > definition in corenetwork which is non-ideal in some ways but we also
> > > have semanage support for setting port contexts so I don't know that
> > > the module compiler should (or ever will) support this.
> > >       
> > So the solution would be to add code like the following?
> >
> > gen_requires(`
> >       attribute port_type;
> > ')
> >     
>
> This gen_requires() generates a syntax error in my .te file.  I had to
> change it to a simple require():
>
> require {
>     type port_t;
>     attribute port_type;
> };
>
>
>   
Should be gen_require(). 
>   
> > type crossfire_port_t, port_type;
> >
> > allow crossfire_t crossfire_port_t:udp_socket send_msg;
> > allow crossfire_t crossfire_port_t:tcp_socket name_bind;
> >
> >
> >
> > And in your install after the policy load
> >
> > semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
> > semanage port -a -t crossfire_port_t -p udp MYPORTNUM
> >     
>
> I did this, but doesn't seem to fail when it ought to.  To test, I
> installed the package and then used semanage to change the port
> definition for crossfire_port_t:
>
> # semanage port -l | grep crossfire
> crossfire_port_t               tcp      13327
> # semanage port -d -t crossfire_port_t -p tcp 13327
> # semanage port -a -t crossfire_port_t -p tcp 13328
> # semanage port -l | grep crossfire
> crossfire_port_t               tcp      13328
>
> But when I start up the service, it is still able to bind to port 13327
> with no errors.  I can even telnet to that port with no problem.  I did
> verify that the service is running as user_u:system_r:crossfire_t.  I
> had expected to see an avc: denied error when the service attempted to
> bind to the port.  Is there some other step that I missed, or perhaps
> something else in my .te file that is giving it permission?
>
> The new policy and package files are available here:
>
> http://www.kobold.org/~wart/fedora/crossfire.te
> http://www.kobold.org/~wart/fedora/crossfire.if
> http://www.kobold.org/~wart/fedora/crossfire.fc
> http://www.kobold.org/~wart/fedora/crossfire.spec
> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-1.2.src.rpm
>
> --Mike
>   

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list