On Sat, 2009-02-28 at 00:02 +0100, Jan Kasprzak wrote:
> Hello,
>
> what is a recommended way of allowing a domain to act as a generic TCP
> server. I.e. to create a stream socket, bind(2) it to a single defined
> port with INADDR_ANY, listen(2) on it, accept(2) connections on it,
> and communicate (read/write/send*/recv*) on it.
>
> So far I am using audit2allow, and it has led me to the following
> setup (actual reading/writing not verified yet, more rules would probably
> be needed):
>
> allow $1 hi_reserved_port_t:tcp_socket name_bind;
> allow $1 inaddr_any_node_t:tcp_socket node_bind;
> allow $1 self:capability net_bind_service;
>
> However, I guess hi_reserved_port_t is not a _single_ port. I have
> seen the network_port() macro in corenetwork.if, but using
>
> network_port($1, tcp,654,s0);
>
> gives a syntax error.
>
> Is there any high-level macro for setting up a single port and allowing
> it to be bound, listened, read and written?
>
> [ my system is Fedora 10 with the targeted policy ]
>
> Thanks,
>
> -Yenya
>

I think corenet_reserved_port() is what you are looking for.

something like this:

# Declarations
type my_port_t;
corenet_reserved_port(my_port_t)

# Policy
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_tcp_bind_generic_node($1)
allow $1 my_port_t:tcp_socket name_bind;
#EOF

sudo semanage port -a -t my_port_t -p tcp 40

hth,

Dominick

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
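The reply above gives the port declaration and the network rules with `$1` as an interface placeholder. As an added example (not part of Dominick's reply, the question, or the Fedora policy sources), the script below assembles those pieces into a complete loadable policy module for a hypothetical daemon domain and shows the build, load and `semanage port` steps. The domain and type names `myserver_t`, `myserver_exec_t` and `myserver_port_t`, the binary path `/usr/sbin/myserver`, and the module name `myserver` are assumptions for illustration; port 654 is the one from the question. Generating the source runs anywhere; `myserver_build_and_load` needs the `selinux-policy-devel` tools and root and is not called by default.

```shell
#!/bin/sh
# Added example, not from the original thread: a full SELinux policy module
# for an assumed daemon domain (myserver_t) that binds exactly one reserved
# TCP port type (myserver_port_t), instead of every port in hi_reserved_port_t.

# Emit the type-enforcement (.te) source of the module.
myserver_te() {
cat <<'EOF'
policy_module(myserver, 1.0.0)

########################################
#
# Declarations
#

# Assumed names: the daemon domain and the label of its executable.
type myserver_t;
type myserver_exec_t;
init_daemon_domain(myserver_t, myserver_exec_t)

# One dedicated port type; "reserved" because the number is below 1024.
type myserver_port_t;
corenet_reserved_port(myserver_port_t)

########################################
#
# Policy
#

# create/bind/listen/accept/read/write on the daemon's own stream socket.
allow myserver_t self:tcp_socket create_stream_socket_perms;
# Binding a port below 1024 also needs the capability.
allow myserver_t self:capability net_bind_service;

corenet_all_recvfrom_unlabeled(myserver_t)
corenet_all_recvfrom_netlabel(myserver_t)
corenet_tcp_sendrecv_generic_if(myserver_t)
corenet_tcp_sendrecv_generic_node(myserver_t)
corenet_tcp_sendrecv_all_ports(myserver_t)
corenet_tcp_bind_generic_node(myserver_t)

# Only the dedicated port type may be bound, not the whole reserved range.
allow myserver_t myserver_port_t:tcp_socket name_bind;
EOF
}

# Emit the file-contexts (.fc) source so the binary is labelled and the
# domain transition from init happens. The path is an assumption.
myserver_fc() {
cat <<'EOF'
/usr/sbin/myserver	--	gen_context(system_u:object_r:myserver_exec_t,s0)
EOF
}

# Build, load, and map the port. Needs selinux-policy-devel and root.
myserver_build_and_load() {
    dir=${1:-.}
    myserver_te > "$dir/myserver.te"
    myserver_fc > "$dir/myserver.fc"
    # The Makefile shipped by selinux-policy-devel builds myserver.pp
    make -C "$dir" -f /usr/share/selinux/devel/Makefile myserver.pp
    semodule -i "$dir/myserver.pp"
    # Map the port number from the question to the new port type.
    semanage port -a -t myserver_port_t -p tcp 654
    restorecon -v /usr/sbin/myserver
}

# Offline sanity check on the generated source: the single-port bind rule
# is present and no blanket hi_reserved_port_t bind slipped in.
myserver_check_source() {
    src=$(myserver_te)
    case $src in
        *"myserver_port_t:tcp_socket name_bind"*) ;;
        *) return 1 ;;
    esac
    case $src in
        *hi_reserved_port_t*) return 1 ;;
    esac
    return 0
}
```

After loading, `semanage port -l | grep myserver_port_t` should list `tcp 654`, and a denial on bind would now name `myserver_port_t` in the AVC message rather than a generic reserved-port type, which makes audit2allow output much easier to read.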