Re: [PATCH] setools: Add sctp portcon support

On 03/20/2018 01:49 PM, Richard Haines via Selinux wrote:
Allow setools to interpret SCTP portcon policy statements

Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
  libqpol/policy_define.c         | 2 ++
  setools/policyrep/netcontext.py | 3 ++-
  2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/libqpol/policy_define.c b/libqpol/policy_define.c
index dcc69fc..bffe451 100644
--- a/libqpol/policy_define.c
+++ b/libqpol/policy_define.c
@@ -4933,6 +4933,8 @@ int define_port_context(unsigned int low, unsigned int high)
  		protocol = IPPROTO_UDP;
  	} else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
  		protocol = IPPROTO_DCCP;
+	} else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
+		protocol = IPPROTO_SCTP;
  	} else {
  		yyerror2("unrecognized protocol %s", id);
  		goto bad;
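Review bot: the new `else if` branch assigns `IPPROTO_SCTP`, but nothing in this hunk shows where that constant is defined for policy_define.c. Please confirm the file includes a header that provides it (normally <netinet/in.h>) on every supported build target, or guard it with an `#ifndef IPPROTO_SCTP` fallback. As with the dccp branch above it, only the all-lowercase and all-uppercase spellings match, so a mixed-case `Sctp` falls through to `yyerror2("unrecognized protocol %s", id)`; that is consistent with the existing branches but worth documenting.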
diff --git a/setools/policyrep/netcontext.py b/setools/policyrep/netcontext.py
index c7076d2..1793677 100644
--- a/setools/policyrep/netcontext.py
+++ b/setools/policyrep/netcontext.py
@@ -17,7 +17,7 @@
  # License along with SETools.  If not, see
  # <http://www.gnu.org/licenses/>.
  #
-from socket import AF_INET, AF_INET6, IPPROTO_TCP, IPPROTO_UDP, getprotobyname
+from socket import AF_INET, AF_INET6, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP, getprotobyname
  from collections import namedtuple
  from ipaddress import ip_address, ip_network
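Review bot: on the changed import line, `IPPROTO_SCTP` is taken directly from `socket`, and Python only exposes that constant on platforms whose C library defines it, so on a platform without it this module would fail at import time with ImportError. `IPPROTO_DCCP` is used by the enum in the next hunk but is not part of this import, which suggests it is defined separately; giving SCTP the same treatment, or wrapping the import in try/except with a fallback, would keep module loading robust. The line also grows to more than 90 characters, so a parenthesized multi-line import would be easier to read.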
@@ -196,6 +196,7 @@ class PortconProtocol(int, PolicyEnum):
      tcp = IPPROTO_TCP
      udp = IPPROTO_UDP
      dccp = IPPROTO_DCCP
+    sctp = IPPROTO_SCTP
class Portcon(NetContext):
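Review bot: the `sctp = IPPROTO_SCTP` member is added to PortconProtocol with no accompanying test; the diffstat lists only policy_define.c and netcontext.py. A test policy containing an sctp portcon statement, with a check that the parsed protocol is `PortconProtocol.sctp`, would cover both the new parser branch and this enum member.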

Thanks for the patch, but I'm reimplementing the SETools policyrep, so I've added the equivalent support already.

--
Chris PeBenito



