Paul Howarth wrote:
> On Mon, 2006-07-24 at 17:01 -0700, Michael Thomas wrote:
>
>> Daniel J Walsh wrote:
>>> And in your install after the policy load
>>>
>>> semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
>>> semanage port -a -t crossfire_port_t -p udp MYPORTNUM
>>
>> I did this, but it doesn't seem to fail when it ought to. To test, I
>> installed the package and then used semanage to change the port
>> definition for crossfire_port_t:
>>
>> # semanage port -l | grep crossfire
>> crossfire_port_t tcp 13327
>> # semanage port -d -t crossfire_port_t -p tcp 13327
>> # semanage port -a -t crossfire_port_t -p tcp 13328
>> # semanage port -l | grep crossfire
>> crossfire_port_t tcp 13328
>>
>> But when I start up the service, it is still able to bind to port 13327
>> with no errors. I can even telnet to that port with no problem. I did
>> verify that the service is running as user_u:system_r:crossfire_t. I
>> had expected to see an avc: denied error when the service attempted to
>> bind to the port. Is there some other step that I missed, or perhaps
>> something else in my .te file that is giving it permission?
>
> corenet_tcp_bind_all_ports(crossfire_t)
> corenet_tcp_sendrecv_all_ports(crossfire_t)

I removed corenet_tcp_bind_all_ports(), and that seems to have fixed it.
But I had to leave corenet_tcp_sendrecv_all_ports, otherwise I would get
avc: denied messages when data was read/written to the socket.

I also tried replacing corenet_tcp_sendrecv_all_ports() with:

allow crossfire_t crossfire_port_t:tcp_socket { name_bind send_msg recv_msg };

...but it still avc:denied reads/writes. However, if I designated the
_client_ ports as crossfire_port_t using semanage, the reads/writes
worked. It appears to me, as odd as it might seem, that the send/recv
port settings apply to the remote host ports, not the local server's
ports. Can this be right?

--Mike
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
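The bind behaviour the thread works through (the port label only matters once corenet_tcp_bind_all_ports is gone), as an added example that is not from the thread or the crossfire policy: a small Python checker that reads a .te fragment and `semanage port -l` output and reports whether a name_bind would be decided by the port label or short-circuited by an all-ports interface. The sample module, the port rows, the function names and the assumption that locally added port entries are listed before base ranges are all constructed for this example.

```python
import re
# Constructed .te fragment modelled on the thread; not the real crossfire module.
SAMPLE_TE = """\
allow crossfire_t crossfire_port_t:tcp_socket { name_bind send_msg recv_msg };
corenet_tcp_bind_all_ports(crossfire_t)
corenet_tcp_sendrecv_all_ports(crossfire_t)
"""
# Constructed rows in the three-column layout that `semanage port -l` prints.
SAMPLE_PORTS = """\
SELinux Port Type              Proto    Port Number
crossfire_port_t               tcp      13327
unreserved_port_t              tcp      1024-65535
"""
BROAD_RE = re.compile(r"^\s*(corenet_(tcp|udp)_bind_all_\w*ports)\((\w+)\)", re.M)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(tcp|udp)_socket\s+(\{[^}]*\}|\w+)\s*;", re.M)

def broad_bind_interfaces(te_text, domain, proto):
    """Interfaces that let `domain` bind any `proto` port, which makes the port label moot."""
    return [m.group(1) for m in BROAD_RE.finditer(te_text)
            if m.group(2) == proto and m.group(3) == domain]

def parse_semanage_ports(output):
    """Turn `semanage port -l` rows into [(type, proto, low, high), ...]."""
    rows = []
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        for item in parts[2].split(","):
            lo, _, hi = item.strip().partition("-")
            if lo.isdigit():  # skips the header row
                rows.append((parts[0], parts[1], int(lo), int(hi or lo)))
    return rows

def port_label(rows, proto, port):
    """First listed type covering proto/port (assumes local entries precede base ranges)."""
    matches = [t for t, p, lo, hi in rows if p == proto and lo <= port <= hi]
    return matches[0] if matches else "(unlabelled)"

def explain_bind(te_text, semanage_output, domain, proto, port):
    """Say whether a name_bind by `domain` on proto/port passes on port labelling alone, and why."""
    if broad := broad_bind_interfaces(te_text, domain, proto):
        return f"allowed: {broad[0]} grants bind on every {proto} port, so the label is never checked"
    label = port_label(parse_semanage_ports(semanage_output), proto, port)
    bindable = {t for d, t, p, perms in ALLOW_RE.findall(te_text)
                if d == domain and p == proto and "name_bind" in perms}
    if label in bindable:
        return f"allowed: {proto}/{port} is {label}, which {domain} may name_bind"
    return f"denied: {proto}/{port} is {label}; {domain} may only name_bind {sorted(bindable)}"
```

Running `explain_bind` on the sample before and after deleting the `corenet_tcp_bind_all_ports` line, and again after moving the label to 13328, reproduces the three outcomes seen in the thread.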