On Wed, 2006-03-08 at 20:41 +0100, Dawid Gajownik wrote:
> On 03/08/2006 07:11 PM, Stephen Smalley wrote:
> > Needs to go in net_contexts, and put before the catchall cases for
> > reserved_port_t.
> Thanks, it works but I wanted to avoid modifying this file. Does that
> mean that I will need to edit it after every
> selinux-policy-targeted-sources update? (I can use ftp port > 1023 so
> this entry wouldn't need to be placed before reserved_port_t)
I think so. One of the motivations for semanage in FC5.
refpolicy also makes an improvement in this area even in the source
policy situation IIUC, by allowing you to scatter portcon and similar
statements throughout the policy source files and have the build process
extract them for final processing.
> Yes, it's more user friendly :D I've just tested it on my
> rawhide box.
> semanage man page sucks a bit (no examples), so it took me a few minutes
> to construct this command:
> semanage port -a -t ftp_port_t -p tcp 7777
> Actually, it was unnecessary on FC5 ;-) It seems that SELinux policy
> does not block vsftpd from binding to other ports (or my system is
> broken?). I'm using selinux-policy-targeted-2.2.23-6 if it makes any
> difference.
Policy (both FC4 and FC5) appears to allow ftpd to bind to generic ports
(port_t) outside of the reserved range plus the ftp data port and the
ftp service port. Did you mean 777 or 7777? One would be mapped to
reserved_port_t, the other to port_t.
> I had to modify http_port_t to allow Apache to work on port 81,
> though...
--
Stephen Smalley
National Security Agency
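The ordering point in this thread (a new portcon entry has to sit before the reserved_port_t catchall, and 777 versus 7777 land on different types) can be checked without touching a real policy. The script below is an added example, not code from the thread or from the SELinux policy packages: it resolves a TCP port against a small, constructed net_contexts-style excerpt using the kernel's first-match rule, and contrasts a correctly placed entry with one shadowed by the 1-1023 range. On a real system the equivalent check is `semanage port -l`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Resolves which SELinux
# port type a TCP port would receive from an ordered list of portcon
# statements: the first matching statement wins, and a port matched by
# nothing falls back to the generic port_t.

# Constructed net_contexts excerpt (NOT the real policy): the extra
# 7777 entry is placed before the reserved_port_t catchall, as advised.
POLICY_GOOD='portcon tcp 21 system_u:object_r:ftp_port_t:s0
portcon tcp 20 system_u:object_r:ftp_port_t:s0
portcon tcp 7777 system_u:object_r:ftp_port_t:s0
portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0'

# Constructed excerpt with the mistake the thread warns about: an entry
# for port 777 placed AFTER the 1-1023 catchall, so it never matches.
POLICY_BAD='portcon tcp 21 system_u:object_r:ftp_port_t:s0
portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
portcon tcp 777 system_u:object_r:ftp_port_t:s0'

# port_type POLICY PROTO PORT
# Prints the type field (third component of the context) of the first
# portcon whose protocol and port/range cover PORT, or port_t otherwise.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == "portcon" && $2 == proto {
            n = split($3, r, "-")           # "21" or "1-1023"
            lo = r[1] + 0
            hi = (n == 2) ? r[2] + 0 : lo
            if (port + 0 >= lo && port + 0 <= hi) {
                split($4, ctx, ":")         # user:role:type:level
                print ctx[3]
                found = 1
                exit                        # first match wins
            }
        }
        END { if (!found) print "port_t" }'
}

# Stand-alone demonstration of the thread's cases.
echo "7777 (good policy): $(port_type "$POLICY_GOOD" tcp 7777)"   # ftp_port_t
echo "777  (good policy): $(port_type "$POLICY_GOOD" tcp 777)"    # reserved_port_t
echo "8080 (good policy): $(port_type "$POLICY_GOOD" tcp 8080)"   # port_t
echo "777  (bad policy):  $(port_type "$POLICY_BAD" tcp 777)"     # reserved_port_t, entry shadowed
```

The shadowed case is why the advice was to put the entry before the catchall: a port inside 1-1023 is claimed by reserved_port_t as soon as that line is reached, whereas a port above 1023 such as 7777 is never covered by the range and can go anywhere.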