Michael Thomas wrote:
Paul Howarth wrote:
On Mon, 2006-07-24 at 17:01 -0700, Michael Thomas wrote:
Daniel J Walsh wrote:
And in your install after the policy load
semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
semanage port -a -t crossfire_port_t -p udp MYPORTNUM
I did this, but it doesn't seem to fail when it ought to. To test, I
installed the package and then used semanage to change the port
definition for crossfire_port_t:
# semanage port -l | grep crossfire
crossfire_port_t tcp 13327
# semanage port -d -t crossfire_port_t -p tcp 13327
# semanage port -a -t crossfire_port_t -p tcp 13328
# semanage port -l | grep crossfire
crossfire_port_t tcp 13328
But when I start up the service, it is still able to bind to port 13327
with no errors. I can even telnet to that port with no problem. I did
verify that the service is running as user_u:system_r:crossfire_t. I
had expected to see an avc: denied error when the service attempted to
bind to the port. Is there some other step that I missed, or perhaps
something else in my .te file that is giving it permission?
corenet_tcp_bind_all_ports(crossfire_t)
corenet_tcp_sendrecv_all_ports(crossfire_t)
I removed corenet_tcp_bind_all_ports(), and that seems to have fixed it.
But I had to leave corenet_tcp_sendrecv_all_ports, otherwise I would
get avc: denied messages when data was read/written to the socket.
I also tried replacing corenet_tcp_sendrecv_all_ports() with:
allow crossfire_t crossfire_port_t:tcp_socket { name_bind send_msg recv_msg };
...but it still avc:denied reads/writes. However, if I designated the
_client_ ports as crossfire_port_t using semanage, the reads/writes
worked. It appears to me, as odd as it might seem, that the send/recv
port settings apply to the remote host ports, not the local server's
ports. Can this be right?
The use of corenet_tcp_sendrecv_all_ports is widespread in the reference
policy, with only a few examples of anything more specific, such as:
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
So you're probably OK with corenet_tcp_sendrecv_all_ports(crossfire_t).
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
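Added example, not part of the list thread: a small POSIX shell script for the two checks a policy author wants while debugging the situation above. It resolves which type currently owns a port from `semanage port -l` style output (so you can confirm that 13327 really lost its crossfire_port_t label before expecting a denial), and it reports which port an avc denial was checked against, using the distinction Michael observed in the thread (name_bind is checked on the local port, send_msg/recv_msg against the peer's port). The `semanage` listing and the audit lines are constructed sample data that only follow the real tools' layout; the function names `port_type_for` and `avc_checked_port` are this example's own.

```shell
#!/bin/sh
# Added example, not from the list thread. Sample data below is constructed.

# Constructed stand-in for `semanage port -l` output (same three columns as the
# real tool: type, protocol, then single ports, ranges or comma-separated lists).
SAMPLE_PORTS='crossfire_port_t               tcp      13328
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22'

# Constructed audit lines. The field layout follows the kernel's avc format;
# pids, addresses and ports are invented for the example.
SAMPLE_AVC_BIND='type=AVC msg=audit(1153790000.001:10): avc:  denied  { name_bind } for  pid=1234 comm="crossfire" src=13327 scontext=user_u:system_r:crossfire_t tcontext=system_u:object_r:port_t tclass=tcp_socket'
SAMPLE_AVC_SEND='type=AVC msg=audit(1153790000.002:11): avc:  denied  { send_msg } for  pid=1234 comm="crossfire" saddr=10.0.0.2 src=13327 daddr=10.0.0.9 dest=41572 netif=eth0 scontext=user_u:system_r:crossfire_t tcontext=system_u:object_r:port_t tclass=tcp_socket'
SAMPLE_AVC_RECV='type=AVC msg=audit(1153790000.003:12): avc:  denied  { recv_msg } for  pid=1234 comm="crossfire" saddr=10.0.0.9 src=41572 daddr=10.0.0.2 dest=13327 netif=eth0 scontext=user_u:system_r:crossfire_t tcontext=system_u:object_r:port_t tclass=tcp_socket'

# port_type_for PROTO PORT
# Prints the type that owns PORT under PROTO according to SAMPLE_PORTS.
# Handles single ports, "lo-hi" ranges and comma lists. A port with no
# entry falls back to port_t, the default type for ports without a portcon.
port_type_for() {
    printf '%s\n' "$SAMPLE_PORTS" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            type = $1
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)                       # strip list separator
                if (p ~ /-/) {                         # lo-hi range
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
                        print type; found = 1; exit
                    }
                } else if (p + 0 == port + 0) {        # single port
                    print type; found = 1; exit
                }
            }
        }
        END { if (!found) print "port_t" }'
}

# avc_checked_port LINE
# Prints "<perm> <local|remote> <port>": which port the port-type check in an
# avc denial was made against. name_bind is checked on the local port (src=);
# send_msg is checked on the packet's destination port (dest=) and recv_msg on
# the packet's source port (src=), both of which are the peer's port from the
# server's point of view, matching what the thread observed.
avc_checked_port() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p')
    case $perm in
        name_bind) side=local;  port=$(printf '%s\n' "$line" | sed -n 's/.* src=\([0-9]*\).*/\1/p') ;;
        send_msg)  side=remote; port=$(printf '%s\n' "$line" | sed -n 's/.* dest=\([0-9]*\).*/\1/p') ;;
        recv_msg)  side=remote; port=$(printf '%s\n' "$line" | sed -n 's/.* src=\([0-9]*\).*/\1/p') ;;
        *)         printf '%s unknown -\n' "${perm:-?}"; return 1 ;;
    esac
    printf '%s %s %s\n' "$perm" "$side" "$port"
}

# Walk through the thread's scenario: the label moved from 13327 to 13328,
# so 13327 now resolves to the default type and a bind there should be denied
# once the policy no longer carries corenet_tcp_bind_all_ports().
for p in 13327 13328; do
    printf 'tcp/%s is labelled %s\n' "$p" "$(port_type_for tcp "$p")"
done
for line in "$SAMPLE_AVC_BIND" "$SAMPLE_AVC_SEND" "$SAMPLE_AVC_RECV"; do
    avc_checked_port "$line"
done
```

Run it as-is to see the constructed scenario; to use it against a live system, replace SAMPLE_PORTS with the output of `semanage port -l` and feed real `ausearch -m avc` lines to `avc_checked_port`. A denial whose side is "remote" means the port type that matters belongs to the client's ephemeral port, which is why a per-daemon port type alone does not cover send/recv and why the thread settles on corenet_tcp_sendrecv_all_ports().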