Daniel J Walsh wrote:
Joshua Brindle wrote:
> Eh, this is a limitation in the compiler, and a very intentional one
> at that. Since port ordering is important we chose not to allow them
> in the module language since a different linking order could result in
> a different result.
>
> Obviously refpolicy's solution to this is to include every port
> definition in corenetwork which is non-ideal in some ways but we also
> have semanage support for setting port contexts so I don't know that
> the module compiler should (or ever will) support this.
So the solution would be to add code like the following?
gen_requires(`
attribute port_type;
')
This gen_requires() generates a syntax error in my .te file. I had to
change it to a simple require():
require {
type port_t;
attribute port_type;
};
type crossfire_port_t, port_type;
allow crossfire_t crossfire_port_t:udp_socket send_msg;
allow crossfire_t crossfire_port_t:tcp_socket name_bind;
And in your install after the policy load
semanage port -a -t crossfire_port_t -p tcp MYPORTNUM
semanage port -a -t crossfire_port_t -p udp MYPORTNUM
I did this, but doesn't seem to fail when it ought to. To test, I
installed the package and then used semanage to change the port
definition for crossfire_port_t:
# semanage port -l | grep crossfire
crossfire_port_t tcp 13327
# semanage port -d -t crossfire_port_t -p tcp 13327
# semanage port -a -t crossfire_port_t -p tcp 13328
# semanage port -l | grep crossfire
crossfire_port_t tcp 13328
But when I start up the service, it is still able to bind to port 13327
with no errors. I can even telnet to that port with no problem. I did
verify that the service is running as user_u:system_r:crossfire_t. I
had expected to see an avc: denied error when the service attempted to
bind to the port. Is there some other step that I missed, or perhaps
something else in my .te file that is giving it permission?
The new policy and package files are available here:
http://www.kobold.org/~wart/fedora/crossfire.te
http://www.kobold.org/~wart/fedora/crossfire.if
http://www.kobold.org/~wart/fedora/crossfire.fc
http://www.kobold.org/~wart/fedora/crossfire.spec
http://www.kobold.org/~wart/fedora/crossfire-1.9.1-1.2.src.rpm
--Mike