Re: package review?

Michael Thomas wrote:
Daniel J Walsh wrote:
Joshua Brindle wrote:
Eh, this is a limitation in the compiler, and a very intentional one
at that. Since port ordering is important we chose not to allow them
in the module language since a different linking order could result in
a different result.

Obviously refpolicy's solution to this is to include every port
definition in corenetwork which is non-ideal in some ways but we also
have semanage support for setting port contexts so I don't know that
the module compiler should (or ever will) support this.
So the solution would be to add code like the following?

gen_requires(`
      attribute port_type;
')

This gen_requires() generates a syntax error in my .te file.  I had to
change it to a simple require():

require {
    type port_t;
    attribute port_type;
};


Should be gen_require().
type crossfire_port_t, port_type;

allow crossfire_t crossfire_port_t:udp_socket send_msg;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;



And in your install after the policy load

semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
semanage port -a -t crossfire_port_t -p udp MYPORTNUM

I did this, but it doesn't seem to fail when it ought to.  To test, I
installed the package and then used semanage to change the port
definition for crossfire_port_t:

# semanage port -l | grep crossfire
crossfire_port_t               tcp      13327
# semanage port -d -t crossfire_port_t -p tcp 13327
# semanage port -a -t crossfire_port_t -p tcp 13328
# semanage port -l | grep crossfire
crossfire_port_t               tcp      13328

But when I start up the service, it is still able to bind to port 13327
with no errors.  I can even telnet to that port with no problem.  I did
verify that the service is running as user_u:system_r:crossfire_t.  I
had expected to see an avc: denied error when the service attempted to
bind to the port.  Is there some other step that I missed, or perhaps
something else in my .te file that is giving it permission?

The new policy and package files are available here:

http://www.kobold.org/~wart/fedora/crossfire.te
http://www.kobold.org/~wart/fedora/crossfire.if
http://www.kobold.org/~wart/fedora/crossfire.fc
http://www.kobold.org/~wart/fedora/crossfire.spec
http://www.kobold.org/~wart/fedora/crossfire-1.9.1-1.2.src.rpm

--Mike
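The 13327/13328 experiment above: an added example (not part of the thread) that parses the listing format of `semanage port -l` to show which port type a number falls under once its specific label has been moved, which is what decides whether name_bind is checked against crossfire_port_t or against the catch-all range type. It works on a constructed sample listing; on a real host substitute the output of `semanage port -l`.

```shell
#!/bin/sh
# Added example, not from the thread. Resolve the SELinux port type that a
# given proto/port resolves to, using the column format of `semanage port -l`.
# The listing below is constructed sample data modelled on the thread.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

crossfire_port_t               tcp      13328
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535'

# port_type_for PROTO PORT [LISTING]
# Prints the type whose port list covers PORT for PROTO. Entries are either
# comma-separated single ports or LOW-HIGH ranges; a narrower entry wins,
# mirroring the policy's specific portcon rules preceding the broad ranges.
# A port matched by nothing falls back to port_t, the port initial SID type.
port_type_for() {
    proto=$1
    port=$2
    listing=${3:-"$SAMPLE_PORT_LIST"}
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)
                if (split(item, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = item + 0; hi = lo }
                if (port + 0 >= lo && port + 0 <= hi &&
                    (best == "" || hi - lo < bw)) { best = $1; bw = hi - lo }
            }
        }
        END { print (best != "" ? best : "port_t") }'
}

# Walk the thread's scenario: 13327 after the label moved to 13328.
port_type_for tcp 13328   # crossfire_port_t
port_type_for tcp 13327   # unreserved_port_t
```

If the port resolves to unreserved_port_t rather than port_t, the next check is whether the domain already holds name_bind on that type, e.g. `sesearch -A -s crossfire_t -c tcp_socket -p name_bind`, which would explain a successful bind without any avc denial.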

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
