On Mar 6, 2008, at 8:18 AM, Daniel J Walsh wrote:
Joe Nall wrote:
Why not just decouple the ports from the application by giving them
names like port8080_t? This would allow multiple policies to be written
to manage that resource, only one of which should be active at a time.
I think the real issue is the assumption that only one application will
own ports like 80, 8080, 443 and 8443.
joe
I think the problem here is 65000 types.
I was not suggesting preassigning all 65k ports by number, although
the auto decl trick used to generate the mls sensitivities could do it
in a few lines, but just to those ports which have many uses in the
real world.
In the current fedora policy, the http related ports are all enumerated
find . -name \*.te -exec grep portcon {} /dev/null \; | grep http
./modules/kernel/corenetwork.te:portcon tcp 3128 gen_context(system_u:object_r:http_cache_port_t,s0)
./modules/kernel/corenetwork.te:portcon udp 3130 gen_context(system_u:object_r:http_cache_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8080 gen_context(system_u:object_r:http_cache_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8118 gen_context(system_u:object_r:http_cache_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 80 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 443 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 488 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8008 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8009 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8443 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 5988 gen_context(system_u:object_r:pegasus_http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 5989 gen_context(system_u:object_r:pegasus_https_port_t,s0)
The problem with 443 and 8443 being the same type is that they are
often used by different applications on the same machine (httpd,
tomcat) with different security requirements. 8080 and 8443 are very
often the same application (JBoss, tomcat), but have different port
types.
joe
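The point Joe makes about 443 and 8443 sharing http_port_t while 8080 and 8443 do not is easy to check mechanically from the portcon statements themselves. The following script is an added example for this thread, not code from the selinux list or the reference policy: it parses portcon lines in the form shown in the grep output above (the sample input is a constructed copy of those twelve lines, not the full corenetwork.te), groups ports by their labeled type, and reports which of a given set of ports a policy author wants to keep apart actually collapse into one type. A domain granted name_bind on such a type can bind every port carrying it, so the collision list is the list of ports that no policy can separate without first relabeling one of them.

```python
import re
from collections import defaultdict

# Constructed sample: the http-related portcon lines quoted in the thread,
# in the "path:portcon proto port gen_context(...)" form grep prints.
SAMPLE_GREP_OUTPUT = """\
./modules/kernel/corenetwork.te:portcon tcp 3128 gen_context(system_u:object_r:http_cache_port_t,s0)
./modules/kernel/corenetwork.te:portcon udp 3130 gen_context(system_u:object_r:http_cache_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8080 gen_context(system_u:object_r:http_cache_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8118 gen_context(system_u:object_r:http_cache_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 80 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 443 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 488 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8008 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8009 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 8443 gen_context(system_u:object_r:http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 5988 gen_context(system_u:object_r:pegasus_http_port_t,s0)
./modules/kernel/corenetwork.te:portcon tcp 5989 gen_context(system_u:object_r:pegasus_https_port_t,s0)
"""

# portcon <proto> <port>[-<port>] gen_context(<user>:<role>:<type>[,<mls>])
# The optional range form is accepted because corenetwork.te also labels
# port ranges, although the sample above contains only single ports.
PORTCON_RE = re.compile(
    r"portcon\s+(?P<proto>tcp|udp)\s+(?P<port>\d+)(?:-(?P<hi>\d+))?\s+"
    r"gen_context\(\s*(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^,)]+)"
)


def parse_portcon(text):
    """Yield (proto, low_port, high_port, type) for each portcon line."""
    for line in text.splitlines():
        m = PORTCON_RE.search(line)
        if not m:
            continue  # a grep hit that is not a portcon statement
        low = int(m.group("port"))
        high = int(m.group("hi")) if m.group("hi") else low
        yield m.group("proto"), low, high, m.group("type")


def ports_by_type(text):
    """Map each port type to the sorted list of (proto, port) it labels."""
    out = defaultdict(list)
    for proto, low, high, ptype in parse_portcon(text):
        for port in range(low, high + 1):
            out[ptype].append((proto, port))
    return {ptype: sorted(members) for ptype, members in out.items()}


def type_of(text, proto, port):
    """Return the type labeling (proto, port), or None if it is unlabeled."""
    for ptype, members in ports_by_type(text).items():
        if (proto, port) in members:
            return ptype
    return None


def shared_type_ports(text, ports):
    """Return {type: [ports]} for every type that labels more than one of
    the given ports.  Those ports cannot be handed to different domains
    by policy alone, because a single name_bind on the type covers all."""
    wanted = set(ports)
    collisions = {}
    for ptype, members in ports_by_type(text).items():
        hit = sorted({p for _, p in members if p in wanted})
        if len(hit) > 1:
            collisions[ptype] = hit
    return collisions


if __name__ == "__main__":
    for ptype, members in sorted(ports_by_type(SAMPLE_GREP_OUTPUT).items()):
        print(ptype, " ".join(f"{proto}/{port}" for proto, port in members))
    print("collisions among 443/8443:",
          shared_type_ports(SAMPLE_GREP_OUTPUT, [443, 8443]))
    print("collisions among 8080/8443:",
          shared_type_ports(SAMPLE_GREP_OUTPUT, [8080, 8443]))
```

Run against a real policy source tree by piping the same find/grep command into the script instead of SAMPLE_GREP_OUTPUT; the regex only needs the portcon statement itself, so the leading path prefix grep adds is harmless.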
--
This message was distributed to subscribers of the selinux mailing list.