[refpolicy] TCP server howto

Daniel J Walsh dwalsh at redhat.com
Mon Mar 2 10:58:02 CST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jan Kasprzak wrote:
> Dominick Grift wrote:
> : I think corenet_reserved_port() is what you are looking for.
> : 
> 	Thanks for the hint. It is _almost_ exactly as you wrote,
> except:
> 
> : # Declarations
> : 
> : type my_port_t;
> : corenet_reserved_port(my_port_t)
> : 
> : # Policy
> : 
> : corenet_all_recvfrom_unlabeled($1)
> : corenet_all_recvfrom_netlabel($1)
> : corenet_tcp_sendrecv_generic_if($1)
> : corenet_tcp_sendrecv_generic_node($1)
> : corenet_tcp_sendrecv_all_ports($1)
> - corenet_tcp_bind_generic_node($1)
> + corenet_tcp_bind_inadrr_any_node($1)
> 
> : allow $1 my_port_t:tcp_socket name_bind;
> 
> + allow $1 self:capability net_bind_service;
> + allow $1 self:tcp_socket create_stream_socket_perms;
> 
> : #EOF
> : 
> : sudo semanage port -a -t my_port_t -p tcp 40
> 
> 	I would however like to have a really-high-level macro (or two)
> to do the above - I guess this is what many users would like to do
> - saying "this context belongs to my port", and "this domain can run
> a TCP server on this port". The similar way how the files_pid_file()
> and files_pid_filetrans() macros allow for the
> "I want to have my own PID file in /var/run" case.
> 
> 	Would it be acceptable to submit this as a patch for inclusion
> in the upstream policy?
> 
> 	I would like to have other things included upstream as well - for
> example, now I have a policy bits for Perl: file contexts for
> /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> "this domain can run Perl scripts".  
> 
> 	Thanks,
> 
> -Yenya
> 

Yenya, take this discussion to the refpolicy list

<refpolicy at oss.tresys.com>

Better to discuss it there.  I think having a higher level template for
creating a tcp or udp port would not be a bad idea.  See what upstream
thinks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmsDzYACgkQrlYvE4MpobNJHwCfZ5YbOsiYpBATkbTZyCqkZWh+
wGUAn1qN1EySr3iW5Pn4TO8aDrhJKZRA
=+xoQ
-----END PGP SIGNATURE-----


More information about the refpolicy mailing list