[selinux-policy: 2784/3172] Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:07:48 UTC 2010
commit 21fdee9dd56a33723c27045a7bd2eaf6607de7d7
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Jul 19 14:22:44 2010 -0400
Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
We went back and reread the bindreservport code in glibc.
Turns out the range of ports that this will reserve is 512-1024 rather
than 600-1024.
The code actually first tries to reserve a port from 600-1024 and if
they are ALL reserved will try 512-599.
So we need to change corenetwork to reflect this.
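The two-phase search order the commit message describes, as an added example. This is my code, not glibc's sunrpc bindresvport implementation and not part of the reference policy: bind() is replaced by a caller-supplied "port is taken" predicate so the model runs offline, glibc's pid-derived starting point and its static port variable are collapsed into a single `hint` argument (an assumption), and bind() errors other than address-in-use are not modelled. `default_port_type` applies only the two default portcon lines from this patch and ignores the earlier, more specific portcon entries that take precedence.

```c
/* Added example: a model of the port-search order the commit message
 * attributes to glibc's bindresvport(). Not glibc's code. The 600-1023 range
 * is tried first; 512-599 is tried only when every high port is busy. */
#include <stdio.h>
#include <string.h>

#define LOWPORT   512
#define STARTPORT 600
#define ENDPORT   1023

typedef int (*port_taken_fn)(int port, void *ctx);

/* Walk [lo, hi] circularly, starting just after 'hint', and return the first
 * port the predicate reports free, or -1 when every port in the range is busy.
 * 'hint' stands in for glibc's pid-derived start (assumption). */
static int search_range(int lo, int hi, int hint, port_taken_fn taken, void *ctx)
{
    int n = hi - lo + 1;
    int port = lo + ((hint - lo) % n + n) % n;   /* normalise hint into [lo, hi] */
    for (int i = 0; i < n; i++) {
        port++;
        if (port > hi)
            port = lo;
        if (!taken(port, ctx))
            return port;
    }
    return -1;
}

/* High range 600-1023 first; 512-599 only after the high range is exhausted. */
int model_bindresvport(int hint, port_taken_fn taken, void *ctx)
{
    int port = search_range(STARTPORT, ENDPORT, hint, taken, ctx);
    if (port < 0)
        port = search_range(LOWPORT, STARTPORT - 1, hint, taken, ctx);
    return port;
}

/* Default label from the two portcon fallback lines in this patch, for ports
 * not named by an earlier portcon entry (those take precedence and are not
 * modelled). Ports >= 1024 fall back to the port initial SID, port_t. */
const char *default_port_type(int port)
{
    if (port >= LOWPORT && port <= ENDPORT)
        return "hi_reserved_port_t";
    if (port >= 1 && port < LOWPORT)
        return "reserved_port_t";
    return "port_t";
}

/* Constructed occupancy table standing in for real bind() results. */
struct busy_table { unsigned char busy[65536]; };

static int table_taken(int port, void *ctx)
{
    return ((struct busy_table *)ctx)->busy[port];
}

/* Run one scenario: mark [busy_lo, busy_hi] as in use (nothing if busy_hi <
 * busy_lo), then ask the model for a port starting from 'hint'. */
int scenario_port(int busy_lo, int busy_hi, int hint)
{
    struct busy_table t;
    memset(&t, 0, sizeof t);
    for (int p = busy_lo; p <= busy_hi; p++)
        t.busy[p] = 1;
    return model_bindresvport(hint, table_taken, &t);
}

int main(void)
{
    int p = scenario_port(0, -1, 700);
    printf("idle host:          port %d (%s)\n", p, default_port_type(p));

    p = scenario_port(600, 1023, 700);
    printf("600-1023 exhausted: port %d (%s)\n", p, default_port_type(p));

    p = scenario_port(701, 1023, 700);
    printf("wrap-around:        port %d (%s)\n", p, default_port_type(p));

    p = scenario_port(512, 1023, 700);
    printf("512-1023 exhausted: port %d\n", p);
    return 0;
}
```

The point for policy review is the second scenario: a caller only reaches 512-599 once every port in 600-1023 is taken, yet both outcomes receive the same hi_reserved_port_t label under the new portcon lines, so a domain's permission to bind that type must be read as covering the whole 512-1023 span.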
Changelog | 1 +
policy/modules/kernel/corenetwork.te.in | 12 ++++++------
policy/modules/kernel/corenetwork.te.m4 | 4 ++--
3 files changed, 9 insertions(+), 8 deletions(-)
---
diff --git a/Changelog b/Changelog
index 7f59676..070488c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
- Add JIT usage for freshclam.
- Remove ethereal module since the application was renamed to wireshark.
- Remove duplicate/redundant rules, from Russell Coker.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 8bf66e4..2ecdde8 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.14.0)
+policy_module(corenetwork, 1.14.1)
########################################
#
@@ -54,7 +54,7 @@ sid port gen_context(system_u:object_r:port_t,s0)
type reserved_port_t, port_type, reserved_port_type;
#
-# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+# hi_reserved_port_t is the type of INET port numbers between 512-1023.
#
type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
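Review bot: the rewritten comment on hi_reserved_port_t drops the detail the commit message establishes and that a policy reader needs: 512-599 is only handed out by bindresvport after every port in 600-1023 is in use, so on an idle host an RPC service still lands in 600-1023. Suggest keeping the fallback visible in the comment, e.g. `# hi_reserved_port_t is the type of INET port numbers between 512-1023` followed by `# (glibc bindresvport tries 600-1023 first, then 512-599).`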
@@ -217,10 +217,10 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
-portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
########################################
#
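Review bot: widening the default hi_reserved_port_t range to 512-1023 also widens rpc_port_type, because hi_reserved_port_t carries that attribute (`type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;`), so every domain permitted to bind rpc_port_type ports now also gets the otherwise-undeclared ports in 512-599 that were previously reserved_port_t. The preceding comment is correct that earlier portcon entries take precedence, so ports in 512-599 with their own declaration are unaffected, but the Changelog entry should state that the rpc_port_type set grew so that anyone auditing rpc_port_type grants knows to recheck them.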
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 5ef5f78..35fed4f 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -77,10 +77,10 @@ type $1_node_t alias node_$1_t, node_type;
declare_nodes($1_node_t,shift($*))
')
-# bindresvport in glibc starts searching for reserved ports at 600
+# bindresvport in glibc starts searching for reserved ports at 512
define(`declare_ports',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
-ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
',`dnl')
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
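Review bot: the new comment `# bindresvport in glibc starts searching for reserved ports at 512` contradicts the commit message, which says the search starts at 600 and only drops to 512-599 once all of 600-1023 is taken; suggest `# bindresvport in glibc allocates from 512-1023 (600-1023 first, then 512-599)` so the threshold below is explained rather than misstated. Separately, the rpc_port_type decision keys on `range_start($3) >= 512` alone, so a declared range that starts below 512 but extends into 512-1023 gets reserved_port_type without rpc_port_type even though bindresvport can hand out its upper ports; if such ranges exist or are expected, the macro should consider the range end as well.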