[selinux-policy: 3/4] Make unconfined domains permissive for rawhide Add definition for ephermeral ports

Daniel J Walsh dwalsh at fedoraproject.org
Tue Sep 27 15:17:18 UTC 2011


commit 24b80bf8d9b955b01c29ead65324ee0c5934b500
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Sep 27 10:16:54 2011 -0400

    Make unconfined domains permissive for rawhide
    Add definition for ephemeral ports

 ephemeral.patch             |   39 +++++++++++++++++++++++++++++++++++++++
 selinux-policy.spec         |   11 +++++++++--
 unconfined_permissive.patch |   14 ++++++++++++++
 3 files changed, 62 insertions(+), 2 deletions(-)
---
diff --git a/ephemeral.patch b/ephemeral.patch
new file mode 100644
index 0000000..849780a
--- /dev/null
+++ b/ephemeral.patch
@@ -0,0 +1,39 @@
+diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
+index 3b5de31..dfd5b61 100644
+--- a/policy/modules/kernel/corenetwork.te.in
++++ b/policy/modules/kernel/corenetwork.te.in
+@@ -66,11 +66,17 @@ type port_t, port_type;
+ sid port gen_context(system_u:object_r:port_t,s0)
+ 
+ #
+-# port_t is the default type of INET port numbers.
++# unreserved_port_t is the default type of port numbers > 1024 and non ephemeral
+ #
+ type unreserved_port_t, port_type, unreserved_port_type;
+ 
+ #
++# ephemeral_port_t is the default type of ephemeral port numbers.
++# cat /proc/sys/net/ipv4/ip_local_port_range 
++#
++type ephemeral_port_t, port_type;
++
++#
+ # reserved_port_t is the type of INET port numbers below 1024.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
+@@ -292,9 +298,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+ portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+-portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+-portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+-
++portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+ ########################################
+ #
+ # Network nodes
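Review bot: The last added portcon line, `+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)`, repeats the tcp rule two lines above it and leaves udp 61001-65535 with no portcon at all, so those UDP ports presumably fall back to the port initial SID (port_t) instead of unreserved_port_t, and the duplicate tcp rule is either rejected by the policy compiler or silently shadowed; it should read `portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)`. The 32768-61000 split hardcodes the kernel default that the new comment points at with `cat /proc/sys/net/ipv4/ip_local_port_range`, so on a host where that sysctl has been tuned the ephemeral_port_t label and the kernel's actual ephemeral range diverge; the comment should say so, e.g. `# mirrors the kernel default ip_local_port_range; not adjusted if the sysctl is changed`. The new comment on unreserved_port_t says `> 1024` while the rule starts at 1024, so `>= 1024` is the accurate wording. Removing the blank line before the `####` banner also leaves the last portcon glued to the next section header.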
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 29adf53..fc940c3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,12 +17,13 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34%{?dist}
+Release: 34.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
-#patch1: ephemeral.patch
+patch1: ephemeral.patch
+patch2: unconfined_permissive.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
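Review bot: `patch2: unconfined_permissive.patch` is declared here and, in the %prep hunk below, applied with `%patch2 -p1` unconditionally, while the commit message and the changelog entry describe the permissive change as Rawhide-only; nothing in the spec restricts it, so any branch built from this spec (this one carries policy-F16.patch) ships unconfined domains as permissive. If the intent is Rawhide only, guard both the tag and the %patch2 line with a distribution check, e.g. `%if 0%{?fedora} > 16` … `%endif` (assuming this branch is F16, as the patch name suggests), or add a comment next to the tag stating that the patch must be dropped before branching. Enabling `patch1: ephemeral.patch` is also a behaviour change for every port label in the 32768-61000 range and deserves a line in the comment or changelog saying which range it relabels.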
@@ -236,6 +237,8 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-%{version} -q
 %patch -p1
+%patch1 -p1
+%patch2 -p1
 
 %install
 mkdir selinux_config
@@ -467,6 +470,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Sep 26 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.1
+- Change unconfined_domains to permissive for Rawhide
+- Add definition for the ephemeral_ports
+
 * Mon Sep 26 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-34
 - Make mta_role() active
 - Allow asterisk to connect to jabber client port
diff --git a/unconfined_permissive.patch b/unconfined_permissive.patch
new file mode 100644
index 0000000..2071487
--- /dev/null
+++ b/unconfined_permissive.patch
@@ -0,0 +1,14 @@
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index 683497a..6717658 100644
+--- a/policy/modules/system/unconfined.if
++++ b/policy/modules/system/unconfined.if
+@@ -136,7 +136,8 @@ interface(`unconfined_domain',`
+ 		attribute unconfined_services;
+ 	')	
+ 
+-	unconfined_domain_noaudit($1)
++permissive $1;
++#	unconfined_domain_noaudit($1)
+ 
+ 	tunable_policy(`allow_execheap',`
+ 		auditallow $1 self:process execheap;
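Review bot: `permissive $1;` sits at column 0 and the old call is kept as a commented-out line inside a tab-indented interface body; indent it with the surrounding tab and either delete `#	unconfined_domain_noaudit($1)` or replace the pair with a comment that says why, e.g. `# Rawhide: run callers permissive instead of unconfined so the denials they would hit get logged for review`. The substitution removes the unconfined allow rules rather than adding to them, so every domain that calls unconfined_domain() now keeps working only because the permissive flag suppresses enforcement, and each access no other rule covers surfaces as an AVC denial — audit volume on such a system will rise sharply and these domains will be reported as permissive by tooling that lists permissive types. Because the change lives in the shared interface rather than behind a build-time switch, it takes effect wherever this patch is applied, not only on Rawhide. The interface body and its header comment continue outside the hunk; the header presumably still describes the domain as unconfined and should be updated to match.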

