[selinux-policy: 2784/3172] Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:07:48 UTC 2010


commit 21fdee9dd56a33723c27045a7bd2eaf6607de7d7
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jul 19 14:22:44 2010 -0400

    Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
    
    We went back and reread the bindreservport code in glibc.
    
    Turns out the range of ports that this will reserve is 512-1023 rather
    than 600-1023.
    
    The code actually first tries to reserve a port from 600-1024 and if
    they are ALL reserved will try 512-599.
    
    So we need to change corenetwork to reflect this.

 Changelog                               |    1 +
 policy/modules/kernel/corenetwork.te.in |   12 ++++++------
 policy/modules/kernel/corenetwork.te.m4 |    4 ++--
 3 files changed, 9 insertions(+), 8 deletions(-)
---
diff --git a/Changelog b/Changelog
index 7f59676..070488c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
 - Add JIT usage for freshclam.
 - Remove ethereal module since the application was renamed to wireshark.
 - Remove duplicate/redundant rules, from Russell Coker.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 8bf66e4..2ecdde8 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.14.0)
+policy_module(corenetwork, 1.14.1)
 
 ########################################
 #
@@ -54,7 +54,7 @@ sid port gen_context(system_u:object_r:port_t,s0)
 type reserved_port_t, port_type, reserved_port_type;
 
 #
-# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+# hi_reserved_port_t is the type of INET port numbers between 512-1023.
 #
 type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
 
@@ -217,10 +217,10 @@ network_port(zope, tcp,8021,s0)
 # Defaults for reserved ports.  Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
 
-portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 
 ########################################
 #
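Review bot: Reclassifying 512-599 from reserved_port_t to hi_reserved_port_t (L64-L67) widens what any domain allowed to bind or connect to rpc_port_type can reach, since hi_reserved_port_t carries that attribute (L54); every port in 512-599 that is not explicitly declared with an earlier portcon now falls into that set. That range holds several historically sensitive well-known services, so before merging it is worth confirming that each one in use has its own network_port declaration above this block (the declarations are outside the hunk, so I cannot check them here), because L57 says earlier entries take precedence and only undeclared ports fall through to the default. I would also extend the comment at L57-L58 so the next reader understands the blast radius: `# Undeclared ports in 512-1023 become hi_reserved_port_t and thereby rpc_port_type, i.e. bindable by any domain granted rpc_port_type access; declare well-known services in that range explicitly.` The commit message notes glibc only falls back to 512-599 after 600-1023 is exhausted, which makes this a broad grant for a rarely exercised fallback path.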
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 5ef5f78..35fed4f 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -77,10 +77,10 @@ type $1_node_t alias node_$1_t, node_type;
 declare_nodes($1_node_t,shift($*))
 ')
 
-# bindresvport in glibc starts searching for reserved ports at 600
+# bindresvport in glibc starts searching for reserved ports at 512
 define(`declare_ports',`dnl
 ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
-ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
 ',`dnl')
 portcon $2 $3 gen_context(system_u:object_r:$1,$4)
 ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
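Review bot: Lowering the threshold at L84 to 512 means every declared port type whose range starts at 512 or above now also receives rpc_port_type, so domains permitted to bind rpc_port_type gain bind access to those named services as well, not only to the undeclared remainder; this is a policy-wide permission change and the comment at L80 does not say so. I would make the rationale and the consequence explicit in place of L80: `# bindresvport in glibc searches 600-1023 first and falls back to 512-599 only when those are all taken; port types starting at >= 512 therefore get rpc_port_type, which grants rpc-binding domains access to them.` Note also that the test keys on range_start only, so a declared range straddling 511/512 is classified by its first port; that is pre-existing behavior but worth a one-line comment if it is intended.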

