Michael Thomas wrote:
Daniel J Walsh wrote:
> Joshua Brindle wrote:
>
>> Eh, this is a limitation in the compiler, and a very intentional one
>> at that. Since port ordering is important we chose not to allow them
>> in the module language since a different linking order could result in
>> a different result.
>>
>> Obviously refpolicy's solution to this is to include every port
>> definition in corenetwork which is non-ideal in some ways but we also
>> have semanage support for setting port contexts so I don't know that
>> the module compiler should (or ever will) support this.
>>
> So the solution would be to add code like the following?
>
> gen_requires(`
> attribute port_type;
> ')
>
This gen_requires() generates a syntax error in my .te file. I had to
change it to a simple require():
require {
type port_t;
attribute port_type;
};
Should be gen_require().
> type crossfire_port_t, port_type;
>
> allow crossfire_t crossfire_port_t:udp_socket send_msg;
> allow crossfire_t crossfire_port_t:tcp_socket name_bind;
>
>
>
> And in your install after the policy load
>
> semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
> semanage port -a -t crossfire_port_t -p udp MYPORTNUM
>
I did this, but doesn't seem to fail when it ought to. To test, I
installed the package and then used semanage to change the port
definition for crossfire_port_t:
# semanage port -l | grep crossfire
crossfire_port_t tcp 13327
# semanage port -d -t crossfire_port_t -p tcp 13327
# semanage port -a -t crossfire_port_t -p tcp 13328
# semanage port -l | grep crossfire
crossfire_port_t tcp 13328
But when I start up the service, it is still able to bind to port 13327
with no errors. I can even telnet to that port with no problem. I did
verify that the service is running as user_u:system_r:crossfire_t. I
had expected to see an avc: denied error when the service attempted to
bind to the port. Is there some other step that I missed, or perhaps
something else in my .te file that is giving it permission?
The new policy and package files are available here:
http://www.kobold.org/~wart/fedora/crossfire.te
http://www.kobold.org/~wart/fedora/crossfire.if
http://www.kobold.org/~wart/fedora/crossfire.fc
http://www.kobold.org/~wart/fedora/crossfire.spec
http://www.kobold.org/~wart/fedora/crossfire-1.9.1-1.2.src.rpm
--Mike