On Wed, 2008-03-05 at 16:47 +0100, selinux@xxxxxx wrote:
> > Unfortunately there are 3 forces at work. The first is that for the
> > most part, ports should always be labeled, because, for example, port 80
> > is always going to be regarded as the http port. The second is that
> > that's not always the case for non well-defined ports (your situation).
> > The third is that portcons (the port labeling statements) only work in
> > the base module. So, though we want to make a happy medium between the
> > first two, we can't overcome the final one within the constraints of the
> > current toolchain.
>
> Agree with that. But wouldn't the situation be a little less complicated
> if you decide not to define any ports above 1024 in the reference policy?

That breaks people that just want to use reference policy.

> If you decide to do that, you could create a portcon that allows a single
> active module to claim a port above 1024 on a per module basis. A second
> module could claim another one, as long as it's not equal to the first
> (active) one.
>
> In this way you create a generic handler for modules that need ports above
> 1024 and can create a reference policy with modules with the same ports.
> As long as they are not both active, you wouldn't have any problem.

If I understand what you're suggesting, then I don't see how that's
implementable with the current toolchain.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
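The scheme proposed above (base policy keeps the well-known ports, each module may claim a port above 1024, and two active modules must not claim the same one) can be modelled as a simple consistency check over portcon statements. The following is an added example written for this page, not code from the thread, the reference policy or the SELinux toolchain, which, as Chris notes, does not accept portcon outside the base module at all. It assumes a simplified `portcon <tcp|udp> <port>[-<port>] <context>` line format and uses constructed module snippets; the module names, contexts and port numbers are made up for illustration.

```python
"""Toy consistency check for the per-module port-claim idea from the thread.

This is NOT real SELinux tooling: checkpolicy/semodule only honour portcon
in the base module.  It models the two rules the proposal implies:
  1. a module may only claim ports above 1024 (lower ports stay in base), and
  2. no two *active* modules may claim the same protocol/port.
"""
import re
from typing import Dict, List, Tuple

# Assumed, simplified portcon grammar: portcon <tcp|udp> <port>[-<port>] <context>
PORTCON_RE = re.compile(
    r"^\s*portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+(\S.*?)\s*$", re.IGNORECASE
)

PRIVILEGED_MAX = 1024  # ports at or below this belong to the base policy (per the thread)

# Constructed sample modules (hypothetical names, types and ports).
SAMPLE_MODULES: Dict[str, str] = {
    "appa": "portcon tcp 8080 gen_context(system_u:object_r:appa_port_t,s0)\n",
    "appb": (
        "portcon tcp 8080 gen_context(system_u:object_r:appb_port_t,s0)  # clashes with appa\n"
        "portcon udp 9000-9010 gen_context(system_u:object_r:appb_port_t,s0)\n"
    ),
    "appc": "portcon tcp 80 gen_context(system_u:object_r:http_port_t,s0)\n",
}


def parse_portcons(policy_text: str) -> List[Tuple[str, int, int, str]]:
    """Return (proto, low, high, context) for each portcon line; other lines are ignored."""
    claims = []
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = PORTCON_RE.match(line)
        if not m:
            continue
        proto, low, high, ctx = m.groups()
        lo = int(low)
        hi = int(high) if high else lo
        claims.append((proto.lower(), lo, hi, ctx))
    return claims


def check_modules(modules: Dict[str, str], active: List[str]):
    """Apply both rules to the active modules.

    Returns (errors, conflicts): errors lists claims that do not belong in a
    module at all, conflicts lists (proto, port, [modules]) claimed twice.
    """
    errors: List[str] = []
    owners: Dict[Tuple[str, int], List[str]] = {}
    for name in active:
        for proto, lo, hi, _ctx in parse_portcons(modules[name]):
            if lo <= PRIVILEGED_MAX:
                errors.append(f"{name}: {proto}/{lo} is not above {PRIVILEGED_MAX}; belongs in base")
                continue
            for port in range(lo, hi + 1):
                owners.setdefault((proto, port), []).append(name)
    conflicts = sorted(
        (proto, port, names) for (proto, port), names in owners.items() if len(names) > 1
    )
    return errors, conflicts


def demo():
    """Two active modules that both claim tcp/8080: the proposal would reject this."""
    return check_modules(SAMPLE_MODULES, ["appa", "appb"])


if __name__ == "__main__":
    errs, clashes = demo()
    print("errors:", errs)
    print("conflicts:", clashes)
    # appa + appc: no clash, but appc's port 80 claim is rejected as a base-policy port
    print(check_modules(SAMPLE_MODULES, ["appa", "appc"]))
```

Running it with `appa` and `appb` active reports the shared tcp/8080 claim, while `appa` and `appc` together produce no conflict but flag `appc`'s port 80 as a port that the thread says must stay labelled in the base policy. Ranges are expanded port by port, so an overlap anywhere in a range counts as a clash.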