[refpolicy] [PATCH 1/1] Allow NFS daemon to listen on a UDP port
Sven Vermeulen
sven.vermeulen at siphos.be
Tue Aug 16 22:58:59 CDT 2011
On Tue, Aug 16, 2011 at 7:29 PM, Christopher J. PeBenito
<cpebenito at tresys.com> wrote:
> On 8/13/2011 3:11 PM, Sven Vermeulen wrote:
>> To support NFS over UDP, we should allow rpcd_t to listen on a udp_socket.
>
> I'm confused. I don't see any UDP port binding for rpcd_t.
It's pulled in through rpc_domain_template:
rpc.te: rpc_domain_template(rpc)
--> corenet_udp_bind_generic_port($1_t)
To be honest, I'm also confused (but that's due to inexperience) why
listen isn't part of create_socket_perms. If one creates a socket &
binds to it, what cases are there that you don't listen on it? What is
the need for create_stream_socket_perms?
Considering that, the patch might be best within the
rpc_domain_template() template, considering that it currently reads:
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
so the second line might then be best changed to
create_stream_socket_perms. But I'll need to check first if this is
needed for nfsd_t and gssd_t too.
Wkr,
Sven Vermeulen
PS Sorry Christopher for remailing, got the wrong To again. Heh.
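As an added illustration of the permission sets discussed in this thread (example material, not part of Sven's patch or of the reply): the first block reproduces the permission-set definitions from refpolicy's policy/support/obj_perm_sets.spt, which shows that the only difference between create_socket_perms and create_stream_socket_perms is { listen accept }. The local module that follows is a hypothetical, narrower alternative to widening rpc_domain_template() for every rpc domain; the module name and the choice of rpcd_t as the only target are assumptions for illustration.

```m4
# Permission sets as defined in refpolicy's policy/support/obj_perm_sets.spt
# (reproduced for reference). The gap between the two create_* sets is
# exactly { listen accept }.
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
define(`create_socket_perms', `{ create rw_socket_perms }')
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')

# What rpc_domain_template() grants today (quoted in the thread):
#   allow $1_t self:tcp_socket create_stream_socket_perms;
#   allow $1_t self:udp_socket create_socket_perms;
# The udp_socket line expands to
#   { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }
# so a listen() on the bound UDP socket is denied for every rpc domain.

# Hypothetical local module (example, not refpolicy code): grant only the
# missing permission, and only to rpcd_t, instead of switching the template
# line to create_stream_socket_perms for all generated $1_t domains.
policy_module(local_rpc_udp_listen, 1.0.0)

gen_require(`
	type rpcd_t;
')

# NFS over UDP: rpcd_t needs to listen on its UDP socket (see the patch subject).
allow rpcd_t self:udp_socket listen;
```

The trade-off is the one Sven raises: changing the template line grants listen and accept to every domain built from rpc_domain_template(), including nfsd_t and gssd_t, whereas the local module above stays scoped to the domain the patch was written for until it is confirmed the other daemons need it too.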