[refpolicy] [PATCH 1/1] Allow NFS daemon to listen on a UDP port
Christopher J. PeBenito
cpebenito at tresys.com
Wed Aug 17 07:34:53 CDT 2011
On 8/17/2011 7:50 AM, Daniel J Walsh wrote:
> On 08/16/2011 11:58 PM, Sven Vermeulen wrote:
>> On Tue, Aug 16, 2011 at 7:29 PM, Christopher J. PeBenito
>> <cpebenito at tresys.com> wrote:
>>> On 8/13/2011 3:11 PM, Sven Vermeulen wrote:
>>>> To support NFS over UDP, we should allow rpcd_t to listen on a
>>> I'm confused. I don't see any UDP port binding for rpcd_t.
>> It's pulled in through rpc_domain_template:
>> rpc.te: rpc_domain_template(rpc) -->
>> To be honest, I'm also confused (but that's due to inexperience) why
>> listen isn't part of create_socket_perms. If one creates a socket &
>> binds to it, what cases are there that you don't listen on it? What
>> is the need for create_stream_socket_perms?
create_socket_perms is for connectionless sockets, and
create_stream_socket_perms is for connection-oriented sockets (eg TCP
and AF_UNIX/SOCK_STREAM [unix_stream_sockets]).
>> Considering that, the patch might be best within the
>> rpc_domain_template() template, considering that it currently reads:
>> allow $1_t self:tcp_socket create_stream_socket_perms;
>> allow $1_t self:udp_socket create_socket_perms;
>> so the second line might then be best changed to
>> create_stream_socket_perms. But I'll need to check first if this is
>> needed for nfsd_t and gssd_t too.
> You can probably dontaudit this call. You should not need to listen to
> udp sockets, you could consider this a bug in the kernel for reporting it.
> Doing a grep through Fedora policy I see
> ./kernel/domain.te: dontaudit domain self:udp_socket listen;
> Meaning we just added a rule to tell the system to ignore these bogus
> AVC messages.
It does sound like a bug, but I'd like to hear from the kernel guys. (cc'd)
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
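To see why the udp_socket listen denial is called bogus above, here is an added example (not code from the thread, from refpolicy, or from the kernel): it calls listen(2) on a UDP socket, on a UNIX datagram socket, and on a TCP socket and reports the result. On Linux the connectionless protocols refuse listen() with EOPNOTSUPP, while the stream socket succeeds, which is the distinction behind create_socket_perms (no listen) versus create_stream_socket_perms (listen included). The kernel's __sys_listen() calls the LSM socket_listen hook (SELinux's `listen` permission check) before the protocol's own listen handler, so a confined domain without udp_socket:listen gets an AVC for a call that would have failed anyway. The function name listen_errno and the bind-to-any-address choice are this example's own.

```c
/* Added example, not from the refpolicy thread or the kernel sources:
 * listen(2) on connectionless sockets vs. connection-oriented sockets.
 * SELinux evaluates the `listen` permission in the socket_listen hook
 * before the protocol code runs, so for SOCK_DGRAM the AVC (if any) is
 * logged even though the syscall then fails with EOPNOTSUPP. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Create a socket of the given family/type, bind AF_INET sockets to
 * INADDR_ANY with an ephemeral port (mirroring "create & bind" in the
 * thread), then call listen(2).
 * Returns 0 if listen() succeeded, the errno from listen() if it failed,
 * or -1 if socket()/bind() failed before listen() was reached. */
int listen_errno(int domain, int type)
{
    int fd = socket(domain, type, 0);
    if (fd < 0)
        return -1;

    if (domain == AF_INET) {
        struct sockaddr_in sin;
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
        sin.sin_port = 0;               /* kernel picks an ephemeral port */
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
            close(fd);
            return -1;
        }
    }

    int rc = 0;
    if (listen(fd, 5) < 0)
        rc = errno;                     /* EOPNOTSUPP for datagram sockets */
    close(fd);
    return rc;
}

int main(void)
{
    /* Socket kinds and the SELinux class each maps to. */
    struct { const char *name; int domain; int type; } cases[] = {
        { "AF_INET/SOCK_DGRAM  (udp_socket)",        AF_INET, SOCK_DGRAM  },
        { "AF_UNIX/SOCK_DGRAM  (unix_dgram_socket)", AF_UNIX, SOCK_DGRAM  },
        { "AF_INET/SOCK_STREAM (tcp_socket)",        AF_INET, SOCK_STREAM },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = listen_errno(cases[i].domain, cases[i].type);
        if (rc == 0)
            printf("%-42s listen() ok\n", cases[i].name);
        else if (rc > 0)
            printf("%-42s listen() failed: %s\n", cases[i].name, strerror(rc));
        else
            printf("%-42s could not create/bind socket\n", cases[i].name);
    }
    return 0;
}
```

Run on an enforcing SELinux system from a domain that lacks `udp_socket listen`, the first two cases still fail with EOPNOTSUPP, but the denial from the hook is what ends up in the audit log; that is the message the `dontaudit domain self:udp_socket listen;` rule quoted above silences, without granting anything.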