On Mon, 2009-03-02 at 16:34 +0100, Jan Kasprzak wrote: > Dominick Grift wrote: > : I think corenet_reserved_port() is what you are looking for. > : > Thanks for the hint. It is _almost_ exactly as you wrote, > except: > > : # Declarations > : > : type my_port_t; > : corenet_reserved_port(my_port_t) > : > : # Policy > : > : corenet_all_recvfrom_unlabeled($1) > : corenet_all_recvfrom_netlabel($1) > : corenet_tcp_sendrecv_generic_if($1) > : corenet_tcp_sendrecv_generic_node($1) > : corenet_tcp_sendrecv_all_ports($1) > - corenet_tcp_bind_generic_node($1) > + corenet_tcp_bind_inadrr_any_node($1) > > : allow $1 my_port_t:tcp_socket name_bind; > > + allow $1 self:capability net_bind_service; > + allow $1 self:tcp_socket create_stream_socket_perms; > > : #EOF > : > : sudo semanage port -a -t my_port_t -p tcp 40 > > I would however like to have a really-high-level macro (or two) > to do the above - I guess this is what many users would like to do > - saying "this context belongs to my port", and "this domain can run > a TCP server on this port". The similar way how the files_pid_file() > and files_pid_filetrans() macros allow for the > "I want to have my own PID file in /var/run" case. > > Would it be acceptable to submit this as a patch for inclusion > in the upstream policy? My example of declaring a port would not be acceptable upstream. If you want your policy upstream then you would have to declare your port in the corenetwork.te.in file that is in the kernel section of the policy source. If you add a declaration there, then interfaces will be generated that you can use, when you build the source. For example: network_port(myport, tcp,40,s0) would create interfaces like: corenet_tcp_bind_myport_port() that you can use hth , Dominick > > I would like to have other things included upstream as well - for > example, now I have a policy bits for Perl: file contexts for > /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying > "this domain can run Perl scripts". > > Thanks, > > -Yenya > -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list