> Unfortunately there are 3 forces at work. The first is that for the
> most part, ports should always be labeled, because, for example, port 80
> is always going to be regarded as the http port. The second is that
> that's not always the case for non well-defined ports (your situation).
> The third is that portcons (the port labeling statements) only work in
> the base module. So, though we want to make a happy medium between the
> first two, we can't overcome the final one within the constraints of the
> current toolchain.

Agree with that. But wouldn't the situation be a little less complicated if you decide not to define any ports above 1024 in the reference policy? If you decide to do that, you could create a portcon that allows a single active module to claim a port above 1024 on a per-module basis. A second module could claim another one, as long as it's not equal to the first (active) one. In this way you create a generic handler for modules that need ports above 1024 and can create a reference policy with modules with the same ports. As long as they are not both active, you wouldn't have any problem.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
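As an added illustration (not part of the list post above, and not a tool from the SELinux toolchain), the script below models the rule the reply proposes: base policy owns the port labels at or below 1024, each module may carry `portcon` lines for ports above 1024, and a build is only consistent if no two *active* modules claim overlapping port ranges. It parses `portcon` statements in the form `portcon <tcp|udp> <port>|<low>-<high> <context>`, which is the policy language syntax; the module names, the `1024` cut-off (taken from the reply), and the policy fragments are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# portcon <proto> <port>|<low>-<high> <context>   (policy language syntax)
PORTCON_RE = re.compile(
    r"^\s*portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+(\S+)\s*$", re.IGNORECASE
)

# Cut-off from the proposal in the reply: base keeps ports <= 1024,
# modules may only claim ports above it. (Assumed, not a toolchain rule.)
PRIVILEGED_MAX = 1024


@dataclass(frozen=True)
class PortClaim:
    module: str
    proto: str
    low: int
    high: int
    context: str

    def overlaps(self, other: PortClaim) -> bool:
        # Same protocol and the two inclusive ranges intersect.
        return (
            self.proto == other.proto
            and self.low <= other.high
            and other.low <= self.high
        )

    def __str__(self) -> str:
        span = str(self.low) if self.low == self.high else f"{self.low}-{self.high}"
        return f"{self.module}: portcon {self.proto} {span} {self.context}"


def parse_portcons(module: str, policy_text: str) -> list[PortClaim]:
    """Extract the portcon statements from one module's policy text."""
    claims: list[PortClaim] = []
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop policy comments
        if not line.startswith("portcon"):
            continue  # some other statement; not our concern here
        m = PORTCON_RE.match(line)
        if not m:
            raise ValueError(f"{module}:{lineno}: malformed portcon: {line}")
        proto, low, high, context = m.groups()
        lo = int(low)
        hi = int(high) if high else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"{module}:{lineno}: bad port range {lo}-{hi}")
        claims.append(PortClaim(module, proto.lower(), lo, hi, context))
    return claims


def check_port_claims(base: list[PortClaim], modules: dict) -> list[str]:
    """modules maps name -> (active: bool, claims). Returns a list of problems."""
    problems: list[str] = []
    # Rule 1: a module may not label a port that belongs to base.
    for active, claims in modules.values():
        for c in claims:
            if c.low <= PRIVILEGED_MAX:
                problems.append(f"{c} claims a port <= {PRIVILEGED_MAX}; those belong in base")
    # Rule 2: only active modules matter; inactive duplicates are fine.
    active_claims = [c for active, claims in modules.values() if active for c in claims]
    for c in active_claims:
        for b in base:
            if c.overlaps(b):
                problems.append(f"{c} collides with base ({b})")
    # Rule 3: two active modules may not claim overlapping ranges.
    for i, a in enumerate(active_claims):
        for b in active_claims[i + 1:]:
            if a.module != b.module and a.overlaps(b):
                problems.append(f"{a} collides with active module claim ({b})")
    return problems


# Constructed sample input: a minimal base and four hypothetical modules.
BASE_POLICY = """
portcon tcp 22 system_u:object_r:ssh_port_t:s0
portcon tcp 80 system_u:object_r:http_port_t:s0
"""
MODULES = {
    "webapp": (True, "portcon tcp 8080 system_u:object_r:webapp_port_t:s0"),
    "altapp": (False, "portcon tcp 8080 system_u:object_r:altapp_port_t:s0"),  # same port, inactive
    "devtool": (True, "portcon tcp 8000-8100 system_u:object_r:devtool_port_t:s0"),
    "badmod": (True, "portcon tcp 22 system_u:object_r:badmod_port_t:s0"),
}


def run_check() -> list[str]:
    base = parse_portcons("base", BASE_POLICY)
    modules = {n: (a, parse_portcons(n, t)) for n, (a, t) in MODULES.items()}
    return check_port_claims(base, modules)


if __name__ == "__main__":
    for p in run_check():
        print(p)
```

On the sample above the checker reports three problems: `badmod` labels tcp 22 (below the cut-off) and also collides with base, and the active `webapp` and `devtool` ranges overlap on 8080. `altapp` duplicating `webapp`'s port is not reported because it is inactive, which is exactly the "as long as they are not both active" condition in the reply.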